Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
26-04-2021 19:26
Static task
static1
Behavioral task
behavioral1
Sample
SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe
Resource
win7v20210408
General
-
Target
SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe
-
Size
330KB
-
MD5
1978e8a34b5178485275e2200cde5d14
-
SHA1
4b69cd44159b1ed5e70686ca786162c7f164ae2f
-
SHA256
b4dd55d73615efe8f43238e5e4fa3f94ed16b00a054a4130be23b011ab948b4e
-
SHA512
995edd54459ac90c4c44a0d91fb21257e203f35cc9266a82bbd80863b20c2ca0475cfebabe7aa2435dce62f95cd02f381d2b6eb9625adb35ae52d91a08a7fbc4
Malware Config
Extracted
amadey
2.11
176.111.174.67/7Ndd3SnW/index.php
Extracted
remcos
resener.duckdns.org:3202
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exerundll32.exeflow pid process 8 2032 rundll32.exe 11 864 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
rween.exeRN1.exechrome.exepid process 2008 rween.exe 1620 RN1.exe 1740 chrome.exe -
Loads dropped DLL 16 IoCs
Processes:
SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exerundll32.exerundll32.exerween.execmd.exepid process 1824 SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe 1824 SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe 2032 rundll32.exe 2032 rundll32.exe 2032 rundll32.exe 2032 rundll32.exe 864 rundll32.exe 864 rundll32.exe 864 rundll32.exe 864 rundll32.exe 2008 rween.exe 2008 rween.exe 2008 rween.exe 2008 rween.exe 1624 cmd.exe 1624 cmd.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
RN1.exechrome.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ RN1.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome\\chrome.exe\"" RN1.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrome\\chrome.exe\"" chrome.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
rundll32.exepid process 2032 rundll32.exe 2032 rundll32.exe 2032 rundll32.exe 2032 rundll32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
chrome.exepid process 1740 chrome.exe -
Suspicious use of WriteProcessMemory 46 IoCs
Processes:
SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exerween.execmd.exeRN1.exeWScript.execmd.exedescription pid process target process PID 1824 wrote to memory of 2008 1824 SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe rween.exe PID 1824 wrote to memory of 2008 1824 SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe rween.exe PID 1824 wrote to memory of 2008 1824 SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe rween.exe PID 1824 wrote to memory of 2008 1824 SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe rween.exe PID 2008 wrote to memory of 332 2008 rween.exe cmd.exe PID 2008 wrote to memory of 332 2008 rween.exe cmd.exe PID 2008 wrote to memory of 332 2008 rween.exe cmd.exe PID 2008 wrote to memory of 332 2008 rween.exe cmd.exe PID 332 wrote to memory of 1028 332 cmd.exe reg.exe PID 332 wrote to memory of 1028 332 cmd.exe reg.exe PID 332 wrote to memory of 1028 332 cmd.exe reg.exe PID 332 wrote to memory of 1028 332 cmd.exe reg.exe PID 2008 wrote to memory of 2032 2008 rween.exe rundll32.exe PID 2008 wrote to memory of 2032 2008 rween.exe rundll32.exe PID 2008 wrote to memory of 2032 2008 rween.exe rundll32.exe PID 2008 wrote to memory of 2032 2008 rween.exe rundll32.exe PID 2008 wrote to memory of 2032 2008 rween.exe rundll32.exe PID 2008 wrote to memory of 2032 2008 rween.exe rundll32.exe PID 2008 wrote to memory of 2032 2008 rween.exe rundll32.exe PID 2008 wrote to memory of 864 2008 rween.exe rundll32.exe PID 2008 wrote to memory of 864 2008 rween.exe rundll32.exe PID 2008 wrote to memory of 864 2008 rween.exe rundll32.exe PID 2008 wrote to memory of 864 2008 rween.exe rundll32.exe PID 2008 wrote to memory of 864 2008 rween.exe rundll32.exe PID 2008 wrote to memory of 864 2008 rween.exe rundll32.exe PID 2008 wrote to memory of 864 2008 rween.exe rundll32.exe PID 2008 wrote to memory of 1620 2008 rween.exe RN1.exe PID 2008 wrote to memory of 1620 2008 rween.exe RN1.exe PID 2008 wrote to memory of 1620 2008 rween.exe RN1.exe PID 2008 wrote to memory of 1620 2008 rween.exe RN1.exe PID 2008 wrote to memory of 980 2008 rween.exe schtasks.exe PID 2008 wrote to memory of 980 2008 rween.exe schtasks.exe PID 2008 wrote to memory of 980 2008 rween.exe schtasks.exe PID 2008 wrote to memory of 980 2008 rween.exe schtasks.exe PID 1620 wrote to memory of 1028 1620 RN1.exe WScript.exe PID 1620 wrote to memory of 1028 1620 RN1.exe WScript.exe PID 1620 wrote to memory of 1028 1620 RN1.exe WScript.exe PID 1620 wrote to memory of 1028 1620 RN1.exe WScript.exe PID 1028 wrote to memory of 1624 1028 WScript.exe cmd.exe PID 1028 wrote to memory of 1624 1028 WScript.exe cmd.exe PID 1028 wrote to memory of 1624 1028 WScript.exe cmd.exe PID 1028 wrote to memory of 1624 1028 WScript.exe cmd.exe PID 1624 wrote to memory of 1740 1624 cmd.exe chrome.exe PID 1624 wrote to memory of 1740 1624 cmd.exe chrome.exe PID 1624 wrote to memory of 1740 1624 cmd.exe chrome.exe PID 1624 wrote to memory of 1740 1624 cmd.exe chrome.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe"C:\Users\Admin\AppData\Local\Temp\SEGURIDAD44691843410749597156161190242668039433797773842658464605841100935878.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\011ab573a3\rween.exe"C:\ProgramData\011ab573a3\rween.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\4⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\cred.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\scr.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\RN1.exe"C:\Users\Admin\AppData\Local\Temp\RN1.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Chrome\chrome.exeC:\Users\Admin\AppData\Roaming\Chrome\chrome.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN RN1.exe /TR "C:\Users\Admin\AppData\Local\Temp\RN1.exe" /F3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\011ab573a3\rween.exeMD5
1978e8a34b5178485275e2200cde5d14
SHA14b69cd44159b1ed5e70686ca786162c7f164ae2f
SHA256b4dd55d73615efe8f43238e5e4fa3f94ed16b00a054a4130be23b011ab948b4e
SHA512995edd54459ac90c4c44a0d91fb21257e203f35cc9266a82bbd80863b20c2ca0475cfebabe7aa2435dce62f95cd02f381d2b6eb9625adb35ae52d91a08a7fbc4
-
C:\ProgramData\152124553523681077083310MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\ProgramData\5eba991cccd123\cred.dllMD5
69b7615f2767c3435f2479efdca30177
SHA1a6d8c6d2bdef56a7197fef6fe79774338df50531
SHA2566f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64
SHA512749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee
-
C:\ProgramData\5eba991cccd123\scr.dllMD5
f1c71bbc5b99ab01a8ec7c63a2e12242
SHA1ad9b2fd325fff790b732be40d3b2182daa43cfa2
SHA2563d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644
SHA51250b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2
-
C:\Users\Admin\AppData\Local\Temp\RN1.exeMD5
813ab5994a1060ea8591e00923f7c73f
SHA1cf5cec935cdf310c996cf9d0b3a71d5747025430
SHA256e584d9f51e69ea8ddb71d077559c5edbd7e271b18a79c1f2e9408a9db37430ab
SHA512c0886d08825fa38f0adacdd155fe7e49ad1253aa30ed635cc18f4facf73eacf4b419e84bd0a644868b43ca4bb726d8811e5bd21af58aff6dd2b6a32855189f48
-
C:\Users\Admin\AppData\Local\Temp\RN1.exeMD5
813ab5994a1060ea8591e00923f7c73f
SHA1cf5cec935cdf310c996cf9d0b3a71d5747025430
SHA256e584d9f51e69ea8ddb71d077559c5edbd7e271b18a79c1f2e9408a9db37430ab
SHA512c0886d08825fa38f0adacdd155fe7e49ad1253aa30ed635cc18f4facf73eacf4b419e84bd0a644868b43ca4bb726d8811e5bd21af58aff6dd2b6a32855189f48
-
C:\Users\Admin\AppData\Local\Temp\install.vbsMD5
fb3ccc6eb57452ab438c3d24d3a981d9
SHA1272e3387aa7f7664d25dab9038cc223378a8e23f
SHA2563dcd37f4d61b497d1145c1361ccd09dff5e9af2829f322b0b3231505fd8fa6db
SHA5127c079b262a3e1ab9202f4874dbcbc5de2eff0932c8cd1b9f2bc7283dd4c11ee528c849b3f3130bd3bd64d9af2b0b666c03fd173aabdb5b8a835d74623f7315a9
-
C:\Users\Admin\AppData\Roaming\Chrome\chrome.exeMD5
813ab5994a1060ea8591e00923f7c73f
SHA1cf5cec935cdf310c996cf9d0b3a71d5747025430
SHA256e584d9f51e69ea8ddb71d077559c5edbd7e271b18a79c1f2e9408a9db37430ab
SHA512c0886d08825fa38f0adacdd155fe7e49ad1253aa30ed635cc18f4facf73eacf4b419e84bd0a644868b43ca4bb726d8811e5bd21af58aff6dd2b6a32855189f48
-
C:\Users\Admin\AppData\Roaming\Chrome\chrome.exeMD5
813ab5994a1060ea8591e00923f7c73f
SHA1cf5cec935cdf310c996cf9d0b3a71d5747025430
SHA256e584d9f51e69ea8ddb71d077559c5edbd7e271b18a79c1f2e9408a9db37430ab
SHA512c0886d08825fa38f0adacdd155fe7e49ad1253aa30ed635cc18f4facf73eacf4b419e84bd0a644868b43ca4bb726d8811e5bd21af58aff6dd2b6a32855189f48
-
\ProgramData\011ab573a3\rween.exeMD5
1978e8a34b5178485275e2200cde5d14
SHA14b69cd44159b1ed5e70686ca786162c7f164ae2f
SHA256b4dd55d73615efe8f43238e5e4fa3f94ed16b00a054a4130be23b011ab948b4e
SHA512995edd54459ac90c4c44a0d91fb21257e203f35cc9266a82bbd80863b20c2ca0475cfebabe7aa2435dce62f95cd02f381d2b6eb9625adb35ae52d91a08a7fbc4
-
\ProgramData\011ab573a3\rween.exeMD5
1978e8a34b5178485275e2200cde5d14
SHA14b69cd44159b1ed5e70686ca786162c7f164ae2f
SHA256b4dd55d73615efe8f43238e5e4fa3f94ed16b00a054a4130be23b011ab948b4e
SHA512995edd54459ac90c4c44a0d91fb21257e203f35cc9266a82bbd80863b20c2ca0475cfebabe7aa2435dce62f95cd02f381d2b6eb9625adb35ae52d91a08a7fbc4
-
\ProgramData\5eba991cccd123\cred.dllMD5
69b7615f2767c3435f2479efdca30177
SHA1a6d8c6d2bdef56a7197fef6fe79774338df50531
SHA2566f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64
SHA512749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee
-
\ProgramData\5eba991cccd123\cred.dllMD5
69b7615f2767c3435f2479efdca30177
SHA1a6d8c6d2bdef56a7197fef6fe79774338df50531
SHA2566f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64
SHA512749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee
-
\ProgramData\5eba991cccd123\cred.dllMD5
69b7615f2767c3435f2479efdca30177
SHA1a6d8c6d2bdef56a7197fef6fe79774338df50531
SHA2566f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64
SHA512749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee
-
\ProgramData\5eba991cccd123\cred.dllMD5
69b7615f2767c3435f2479efdca30177
SHA1a6d8c6d2bdef56a7197fef6fe79774338df50531
SHA2566f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64
SHA512749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee
-
\ProgramData\5eba991cccd123\scr.dllMD5
f1c71bbc5b99ab01a8ec7c63a2e12242
SHA1ad9b2fd325fff790b732be40d3b2182daa43cfa2
SHA2563d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644
SHA51250b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2
-
\ProgramData\5eba991cccd123\scr.dllMD5
f1c71bbc5b99ab01a8ec7c63a2e12242
SHA1ad9b2fd325fff790b732be40d3b2182daa43cfa2
SHA2563d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644
SHA51250b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2
-
\ProgramData\5eba991cccd123\scr.dllMD5
f1c71bbc5b99ab01a8ec7c63a2e12242
SHA1ad9b2fd325fff790b732be40d3b2182daa43cfa2
SHA2563d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644
SHA51250b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2
-
\ProgramData\5eba991cccd123\scr.dllMD5
f1c71bbc5b99ab01a8ec7c63a2e12242
SHA1ad9b2fd325fff790b732be40d3b2182daa43cfa2
SHA2563d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644
SHA51250b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2
-
\Users\Admin\AppData\Local\Temp\RN1.exeMD5
813ab5994a1060ea8591e00923f7c73f
SHA1cf5cec935cdf310c996cf9d0b3a71d5747025430
SHA256e584d9f51e69ea8ddb71d077559c5edbd7e271b18a79c1f2e9408a9db37430ab
SHA512c0886d08825fa38f0adacdd155fe7e49ad1253aa30ed635cc18f4facf73eacf4b419e84bd0a644868b43ca4bb726d8811e5bd21af58aff6dd2b6a32855189f48
-
\Users\Admin\AppData\Local\Temp\RN1.exeMD5
813ab5994a1060ea8591e00923f7c73f
SHA1cf5cec935cdf310c996cf9d0b3a71d5747025430
SHA256e584d9f51e69ea8ddb71d077559c5edbd7e271b18a79c1f2e9408a9db37430ab
SHA512c0886d08825fa38f0adacdd155fe7e49ad1253aa30ed635cc18f4facf73eacf4b419e84bd0a644868b43ca4bb726d8811e5bd21af58aff6dd2b6a32855189f48
-
\Users\Admin\AppData\Local\Temp\RN1.exeMD5
813ab5994a1060ea8591e00923f7c73f
SHA1cf5cec935cdf310c996cf9d0b3a71d5747025430
SHA256e584d9f51e69ea8ddb71d077559c5edbd7e271b18a79c1f2e9408a9db37430ab
SHA512c0886d08825fa38f0adacdd155fe7e49ad1253aa30ed635cc18f4facf73eacf4b419e84bd0a644868b43ca4bb726d8811e5bd21af58aff6dd2b6a32855189f48
-
\Users\Admin\AppData\Local\Temp\RN1.exeMD5
813ab5994a1060ea8591e00923f7c73f
SHA1cf5cec935cdf310c996cf9d0b3a71d5747025430
SHA256e584d9f51e69ea8ddb71d077559c5edbd7e271b18a79c1f2e9408a9db37430ab
SHA512c0886d08825fa38f0adacdd155fe7e49ad1253aa30ed635cc18f4facf73eacf4b419e84bd0a644868b43ca4bb726d8811e5bd21af58aff6dd2b6a32855189f48
-
\Users\Admin\AppData\Roaming\Chrome\chrome.exeMD5
813ab5994a1060ea8591e00923f7c73f
SHA1cf5cec935cdf310c996cf9d0b3a71d5747025430
SHA256e584d9f51e69ea8ddb71d077559c5edbd7e271b18a79c1f2e9408a9db37430ab
SHA512c0886d08825fa38f0adacdd155fe7e49ad1253aa30ed635cc18f4facf73eacf4b419e84bd0a644868b43ca4bb726d8811e5bd21af58aff6dd2b6a32855189f48
-
\Users\Admin\AppData\Roaming\Chrome\chrome.exeMD5
813ab5994a1060ea8591e00923f7c73f
SHA1cf5cec935cdf310c996cf9d0b3a71d5747025430
SHA256e584d9f51e69ea8ddb71d077559c5edbd7e271b18a79c1f2e9408a9db37430ab
SHA512c0886d08825fa38f0adacdd155fe7e49ad1253aa30ed635cc18f4facf73eacf4b419e84bd0a644868b43ca4bb726d8811e5bd21af58aff6dd2b6a32855189f48
-
memory/332-68-0x0000000000000000-mapping.dmp
-
memory/864-80-0x0000000000000000-mapping.dmp
-
memory/980-93-0x0000000000000000-mapping.dmp
-
memory/1028-97-0x0000000000000000-mapping.dmp
-
memory/1028-69-0x0000000000000000-mapping.dmp
-
memory/1620-95-0x0000000000220000-0x0000000000241000-memory.dmpFilesize
132KB
-
memory/1620-91-0x0000000000000000-mapping.dmp
-
memory/1620-100-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/1624-101-0x0000000000000000-mapping.dmp
-
memory/1740-105-0x0000000000000000-mapping.dmp
-
memory/1740-109-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/1824-59-0x0000000075FF1000-0x0000000075FF3000-memory.dmpFilesize
8KB
-
memory/1824-64-0x0000000000400000-0x0000000003DB5000-memory.dmpFilesize
57.7MB
-
memory/1824-61-0x0000000000230000-0x000000000025C000-memory.dmpFilesize
176KB
-
memory/2008-71-0x0000000000400000-0x0000000003DB5000-memory.dmpFilesize
57.7MB
-
memory/2008-63-0x0000000000000000-mapping.dmp
-
memory/2032-72-0x0000000000000000-mapping.dmp
-
memory/2032-79-0x0000000000700000-0x0000000000724000-memory.dmpFilesize
144KB