Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
02-12-2021 15:44
Behavioral task
behavioral1
Sample
tmp/7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exe
Resource
win7-en-20211104
Behavioral task
behavioral2
Sample
tmp/7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exe
Resource
win10-en-20211014
General
-
Target
tmp/7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exe
-
Size
586KB
-
MD5
a9550bde032467d9349ee48c79b41940
-
SHA1
4d320bd059ea70daf705c0e61c74953a559bf9c3
-
SHA256
7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d
-
SHA512
bf36ccb8ef0851b6db16a3503f0d67ceaa994cd1e6dce4831c3d5e71a92d8d705d6dc73f8c013b9659f9900a80f5eff0b5322a2f292c5d436f072e105148eeb5
Malware Config
Extracted
remcos
3.3.2 Pro
HAX
amlls.servegame.com:2404
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
Cortaned.exe
-
copy_folder
Cortaned
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
winsrar
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-6WFSKY
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Cortaned
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Signatures
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/2916-132-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/952-122-0x0000000000476274-mapping.dmp WebBrowserPassView behavioral2/memory/952-130-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 4 IoCs
Processes:
resource yara_rule behavioral2/memory/952-122-0x0000000000476274-mapping.dmp Nirsoft behavioral2/memory/1180-128-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/952-130-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/2916-132-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft -
Adds policy Run key to start application 2 TTPs 4 IoCs
Processes:
7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exeCortaned.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Cortaned = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cortaned\\Cortaned.exe\"" 7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Cortaned.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Cortaned = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cortaned\\Cortaned.exe\"" Cortaned.exe -
Executes dropped EXE 6 IoCs
Processes:
Cortaned.exeCortaned.exeCortaned.exeCortaned.exeGoogle Crash.exeGoogle Crash.exepid process 1020 Cortaned.exe 952 Cortaned.exe 1180 Cortaned.exe 2916 Cortaned.exe 1832 Google Crash.exe 4092 Google Crash.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\Google Crash.exe upx C:\Users\Admin\AppData\Roaming\Google Crash.exe upx C:\ProgramData\Google Crash\Google Crash.exe upx C:\ProgramData\Google Crash\Google Crash.exe upx -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
Cortaned.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Cortaned.exe -
Adds Run key to start application 2 TTPs 12 IoCs
Processes:
Google Crash.exeGoogle Crash.exe7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exeCortaned.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce Google Crash.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce Google Crash.exe Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortaned = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cortaned\\Cortaned.exe\"" 7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Cortaned.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ Cortaned.exe Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortaned = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cortaned\\Cortaned.exe\"" Cortaned.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cortaned = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cortaned\\Cortaned.exe\"" Cortaned.exe Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Crash = "C:\\ProgramData\\Google Crash\\Google Crash.exe" Google Crash.exe Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Crash = "C:\\ProgramData\\Google Crash\\Google Crash.exe" Google Crash.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ 7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cortaned = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cortaned\\Cortaned.exe\"" 7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
Cortaned.exedescription pid process target process PID 1020 set thread context of 952 1020 Cortaned.exe Cortaned.exe PID 1020 set thread context of 1180 1020 Cortaned.exe Cortaned.exe PID 1020 set thread context of 2916 1020 Cortaned.exe Cortaned.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings 7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
Cortaned.exeCortaned.exeCortaned.exepid process 1020 Cortaned.exe 1020 Cortaned.exe 952 Cortaned.exe 952 Cortaned.exe 1180 Cortaned.exe 1180 Cortaned.exe 952 Cortaned.exe 952 Cortaned.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Google Crash.exepid process 4092 Google Crash.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
Cortaned.exeGoogle Crash.exeGoogle Crash.exedescription pid process Token: SeDebugPrivilege 1180 Cortaned.exe Token: SeShutdownPrivilege 1832 Google Crash.exe Token: SeDebugPrivilege 1832 Google Crash.exe Token: SeTcbPrivilege 1832 Google Crash.exe Token: SeShutdownPrivilege 4092 Google Crash.exe Token: SeDebugPrivilege 4092 Google Crash.exe Token: SeTcbPrivilege 4092 Google Crash.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
Cortaned.exeGoogle Crash.exepid process 1020 Cortaned.exe 4092 Google Crash.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exeWScript.execmd.exeCortaned.exeGoogle Crash.exedescription pid process target process PID 2640 wrote to memory of 4044 2640 7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exe WScript.exe PID 2640 wrote to memory of 4044 2640 7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exe WScript.exe PID 2640 wrote to memory of 4044 2640 7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exe WScript.exe PID 4044 wrote to memory of 3996 4044 WScript.exe cmd.exe PID 4044 wrote to memory of 3996 4044 WScript.exe cmd.exe PID 4044 wrote to memory of 3996 4044 WScript.exe cmd.exe PID 3996 wrote to memory of 1020 3996 cmd.exe Cortaned.exe PID 3996 wrote to memory of 1020 3996 cmd.exe Cortaned.exe PID 3996 wrote to memory of 1020 3996 cmd.exe Cortaned.exe PID 1020 wrote to memory of 3212 1020 Cortaned.exe iexplore.exe PID 1020 wrote to memory of 3212 1020 Cortaned.exe iexplore.exe PID 1020 wrote to memory of 952 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 952 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 952 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 952 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 952 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 952 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 952 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 1180 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 1180 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 1180 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 1180 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 1180 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 1180 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 1180 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 2916 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 2916 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 2916 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 2916 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 2916 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 2916 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 2916 1020 Cortaned.exe Cortaned.exe PID 1020 wrote to memory of 1832 1020 Cortaned.exe Google Crash.exe PID 1020 wrote to memory of 1832 1020 Cortaned.exe Google Crash.exe PID 1020 wrote to memory of 1832 1020 Cortaned.exe Google Crash.exe PID 1832 wrote to memory of 4092 1832 Google Crash.exe Google Crash.exe PID 1832 wrote to memory of 4092 1832 Google Crash.exe Google Crash.exe PID 1832 wrote to memory of 4092 1832 Google Crash.exe Google Crash.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp\7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exe"C:\Users\Admin\AppData\Local\Temp\tmp\7296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d.exe"1⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Cortaned\Cortaned.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Cortaned\Cortaned.exeC:\Users\Admin\AppData\Roaming\Cortaned\Cortaned.exe4⤵
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\program files\internet explorer\iexplore.exe"c:\program files\internet explorer\iexplore.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\Cortaned\Cortaned.exeC:\Users\Admin\AppData\Roaming\Cortaned\Cortaned.exe /stext "C:\Users\Admin\AppData\Local\Temp\tqifnrujbttkm"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Cortaned\Cortaned.exeC:\Users\Admin\AppData\Roaming\Cortaned\Cortaned.exe /stext "C:\Users\Admin\AppData\Local\Temp\dsoxgjfloclpohpf"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Cortaned\Cortaned.exeC:\Users\Admin\AppData\Roaming\Cortaned\Cortaned.exe /stext "C:\Users\Admin\AppData\Local\Temp\ombigcpfckdczvdraetn"5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
-
C:\Users\Admin\AppData\Roaming\Google Crash.exe"C:\Users\Admin\AppData\Roaming\Google Crash.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Google Crash\Google Crash.exe"C:\ProgramData\Google Crash\Google Crash.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Google Crash\Google Crash.exeMD5
6217fe223315eefa8e2d1c7c1c9127fe
SHA1e5e0380b0c57fb7f6a260e9af8eee0fa2baddfff
SHA256b76ae56fc983d5bf90137961f7773fc365292afd7e646a420744ece4fa437089
SHA512c0b464e768b5419e2ceb57661f755ccbb64f2a40f1d1f4e43e18cd87d64ed41da851b4c584702c846ac3eb057341086286fcbcafc7b12ce9407b759f8a70767c
-
C:\ProgramData\Google Crash\Google Crash.exeMD5
6217fe223315eefa8e2d1c7c1c9127fe
SHA1e5e0380b0c57fb7f6a260e9af8eee0fa2baddfff
SHA256b76ae56fc983d5bf90137961f7773fc365292afd7e646a420744ece4fa437089
SHA512c0b464e768b5419e2ceb57661f755ccbb64f2a40f1d1f4e43e18cd87d64ed41da851b4c584702c846ac3eb057341086286fcbcafc7b12ce9407b759f8a70767c
-
C:\Users\Admin\AppData\Local\Temp\install.vbsMD5
008d4cf2659a5e8e8c8d69ef6e974725
SHA1c4b038c5488a98d720a8bc5ace6fd73fce983f82
SHA2562ea6012bbb8454696c1396d9ee2892a5d415b5cd3a07ff871be90acae1a9db25
SHA512470f07bb5bbe9f367a3db0ebe6473b7420f94fd5cf980238349373160e9afb7b6c307e9641b34eff861206a13ebd8afcd77c84f587fdbd5a18986f2bb0ca6b08
-
C:\Users\Admin\AppData\Local\Temp\tqifnrujbttkmMD5
5607a09fc866e8b1c39d38c0c9203c19
SHA1d8d31295162fe66ff99426de635a0fb9e7247fd2
SHA2562bb09a6f9850fd5353a5732b3909c92714d2b156fd30925ba8dee908a545fea9
SHA51266ae386094b396e0f50c6bacea88360b04339843f91e843082802727711ebd425551297fb320564a2285ab4199e18eff97a70d60a9f9903fed4111244a205565
-
C:\Users\Admin\AppData\Roaming\Cortaned\Cortaned.exeMD5
a9550bde032467d9349ee48c79b41940
SHA14d320bd059ea70daf705c0e61c74953a559bf9c3
SHA2567296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d
SHA512bf36ccb8ef0851b6db16a3503f0d67ceaa994cd1e6dce4831c3d5e71a92d8d705d6dc73f8c013b9659f9900a80f5eff0b5322a2f292c5d436f072e105148eeb5
-
C:\Users\Admin\AppData\Roaming\Cortaned\Cortaned.exeMD5
a9550bde032467d9349ee48c79b41940
SHA14d320bd059ea70daf705c0e61c74953a559bf9c3
SHA2567296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d
SHA512bf36ccb8ef0851b6db16a3503f0d67ceaa994cd1e6dce4831c3d5e71a92d8d705d6dc73f8c013b9659f9900a80f5eff0b5322a2f292c5d436f072e105148eeb5
-
C:\Users\Admin\AppData\Roaming\Cortaned\Cortaned.exeMD5
a9550bde032467d9349ee48c79b41940
SHA14d320bd059ea70daf705c0e61c74953a559bf9c3
SHA2567296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d
SHA512bf36ccb8ef0851b6db16a3503f0d67ceaa994cd1e6dce4831c3d5e71a92d8d705d6dc73f8c013b9659f9900a80f5eff0b5322a2f292c5d436f072e105148eeb5
-
C:\Users\Admin\AppData\Roaming\Cortaned\Cortaned.exeMD5
a9550bde032467d9349ee48c79b41940
SHA14d320bd059ea70daf705c0e61c74953a559bf9c3
SHA2567296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d
SHA512bf36ccb8ef0851b6db16a3503f0d67ceaa994cd1e6dce4831c3d5e71a92d8d705d6dc73f8c013b9659f9900a80f5eff0b5322a2f292c5d436f072e105148eeb5
-
C:\Users\Admin\AppData\Roaming\Cortaned\Cortaned.exeMD5
a9550bde032467d9349ee48c79b41940
SHA14d320bd059ea70daf705c0e61c74953a559bf9c3
SHA2567296c8e94ad4a0674983a5903323466eb380a337d100d092a82e767cc410627d
SHA512bf36ccb8ef0851b6db16a3503f0d67ceaa994cd1e6dce4831c3d5e71a92d8d705d6dc73f8c013b9659f9900a80f5eff0b5322a2f292c5d436f072e105148eeb5
-
C:\Users\Admin\AppData\Roaming\Google Crash.exeMD5
6217fe223315eefa8e2d1c7c1c9127fe
SHA1e5e0380b0c57fb7f6a260e9af8eee0fa2baddfff
SHA256b76ae56fc983d5bf90137961f7773fc365292afd7e646a420744ece4fa437089
SHA512c0b464e768b5419e2ceb57661f755ccbb64f2a40f1d1f4e43e18cd87d64ed41da851b4c584702c846ac3eb057341086286fcbcafc7b12ce9407b759f8a70767c
-
C:\Users\Admin\AppData\Roaming\Google Crash.exeMD5
6217fe223315eefa8e2d1c7c1c9127fe
SHA1e5e0380b0c57fb7f6a260e9af8eee0fa2baddfff
SHA256b76ae56fc983d5bf90137961f7773fc365292afd7e646a420744ece4fa437089
SHA512c0b464e768b5419e2ceb57661f755ccbb64f2a40f1d1f4e43e18cd87d64ed41da851b4c584702c846ac3eb057341086286fcbcafc7b12ce9407b759f8a70767c
-
memory/952-130-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/952-121-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/952-137-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/952-122-0x0000000000476274-mapping.dmp
-
memory/1020-118-0x0000000000000000-mapping.dmp
-
memory/1180-136-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1180-124-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1180-128-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1180-125-0x0000000000422206-mapping.dmp
-
memory/1832-133-0x0000000000000000-mapping.dmp
-
memory/2916-129-0x0000000000455238-mapping.dmp
-
memory/2916-138-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/2916-127-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/2916-132-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/3996-117-0x0000000000000000-mapping.dmp
-
memory/4044-115-0x0000000000000000-mapping.dmp
-
memory/4092-139-0x0000000000000000-mapping.dmp