Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 10-08-2022 19:52
Behavioral task: behavioral1
- Sample: RtJT2FrE.exe
- Resource: win7-20220718-en
General
- Target: RtJT2FrE.exe
- Size: 128KB
- MD5: 648e9dc18a8bd5dda03ca12f4f2768e7
- SHA1: efaefb940f47210dd0a3e9483aede0d9d5ce8a52
- SHA256: e0b6bc3a80979c9698dc1a45ec43f00b0a35841706e1414fb29996eb57962c44
- SHA512: 6fd011e2397eaa6ae0f87f41bdc7df8aa01db2e7d181a9072b9e2cddc49722dc1ccb1a67cc45c59989438c68539e0c6f4154267e4d86dbdcc8088b22a435a3a6
Malware Config
Extracted
remcos
2.5.0 Pro
system
213.152.161.40:8733
109.202.103.170:8733
213.152.162.89:8733
213.152.162.109:8733
213.152.161.239:8733
213.152.162.69:8733
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: sys.exe
- copy_folder: sys
- delete_file: false
- hide_file: true
- hide_keylog_file: true
- install_flag: true
- install_path: %WinDir%\System32
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: system
- keylog_path: %WinDir%\System32
- mouse_option: false
- mutex: system-UQU82S
- screenshot_crypt: true
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %WinDir%\System32
- screenshot_time: 1
- startup_value: remcos
- take_screenshot_option: true
- take_screenshot_time: 5
take_screenshot_title
https://online.mbank.pl/pl/Login;https://login.ingbank.pl/mojeing/app/#login;https://www.pekao24.pl/;https://online.santanderconsumer.pl/Authentication/;https://orangefinanse.com.pl/or/Login;https://login.aliorbank.pl/;https://www.ipko.pl/;https://secure.getinbank.pl/#index/index;https://www.bankmillennium.pl/logowanie;https://www.ideabank.pl/logowanie;https://www.bosbank.pl/#;https://www.bankbps.pl/;https://plusbank24.pl/;https://www.citibankonline.pl/apps/auth/signin/;https://e-bank.credit-agricole.pl/;https://moj.raiffeisenpolbank.com/;https://login.bgzbnpparibas.pl/login/Redirect?SAMLRequest=fZDBTsMwDIZfpcp9bdoG2lltpQouk%2BDCEPe09bZKbRJiB008PWET0uDA0fb3%2FZbdkF4XB33gk3nB94DEyXldDMFl0IrgDVhNM4HRKxLwCPv%2B%2BQmKVILzlu1oF3Gj%2FG9oIvQ8WyOS3WMryvupVnlZTbqUoyoHuVWYq8MW1aEqsFQieUNPEW9FtKNDFHBniLXh2JJ5vZHbTSFf8wLyCu5qkfQ%2FGx6sobCi36P%2FmMdoTXhuRQzpmf08BMYrMZvjX6Rrvi%2BByzbfnZgdZJlbtEFOh%2BPnYJzTMUJT6pYmu2Wv1e9%2Fdl8%3D;https://konto.toyotabank.pl/auth/login.jsp;https://online.eurobank.pl/nbi/bezpieczenstwo/logowanie;https://www.deutschebank.pl/;https://www.pocztowy.pl/;https://www.t-mobilebankowe.pl/;
Signatures
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
Processes: RtJT2FrE.exe, sys.exe, iexplore.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | RtJT2FrE.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | RtJT2FrE.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | sys.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | sys.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | iexplore.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | iexplore.exe |
Processes: reg.exe, reg.exe, reg.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe |
Adds policy Run key to start application 2 TTPs 6 IoCs
Processes: RtJT2FrE.exe, sys.exe, iexplore.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | RtJT2FrE.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | RtJT2FrE.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | sys.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | sys.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | iexplore.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | iexplore.exe |
Executes dropped EXE 1 IoCs
Processes: sys.exe

| pid | process |
| --- | --- |
| 1416 | sys.exe |
Loads dropped DLL 2 IoCs
Processes: cmd.exe

| pid | process |
| --- | --- |
| 1616 | cmd.exe |
| 1616 | cmd.exe |
Adds Run key to start application 2 TTPs 12 IoCs
Processes: RtJT2FrE.exe, sys.exe, iexplore.exe

| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | RtJT2FrE.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | sys.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | sys.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | sys.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | iexplore.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | iexplore.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | RtJT2FrE.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | RtJT2FrE.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | RtJT2FrE.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | sys.exe |
| Key created | \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | iexplore.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\sys\\sys.exe\"" | iexplore.exe |
Modifies WinLogon 2 TTPs 2 IoCs
Processes: RtJT2FrE.exe, sys.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | RtJT2FrE.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | sys.exe |
Drops file in System32 directory 5 IoCs
Processes: RtJT2FrE.exe, iexplore.exe

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Windows\SysWOW64\sys\sys.exe | RtJT2FrE.exe |
| File opened for modification | C:\Windows\SysWOW64\sys\sys.exe | RtJT2FrE.exe |
| File opened for modification | C:\Windows\SysWOW64\sys | RtJT2FrE.exe |
| File opened for modification | C:\Windows\SysWOW64\system\logs.dat | iexplore.exe |
| File created | C:\Windows\SysWOW64\system\logs.dat | iexplore.exe |
Suspicious use of SetThreadContext 2 IoCs
Processes: sys.exe, iexplore.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 1416 set thread context of 1412 | 1416 | sys.exe | iexplore.exe |
| PID 1412 set thread context of 340 | 1412 | iexplore.exe | svchost.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: sys.exe

| pid | process |
| --- | --- |
| 1416 | sys.exe |
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: iexplore.exe

| pid | process |
| --- | --- |
| 1412 | iexplore.exe |
Suspicious use of WriteProcessMemory 58 IoCs
Processes: RtJT2FrE.exe, cmd.exe, WScript.exe, cmd.exe, sys.exe, cmd.exe, iexplore.exe, cmd.exe

| description | pid | process | target process | occurrences |
| --- | --- | --- | --- | --- |
| PID 1860 wrote to memory of 1516 | 1860 | RtJT2FrE.exe | cmd.exe | 4 |
| PID 1516 wrote to memory of 1060 | 1516 | cmd.exe | reg.exe | 4 |
| PID 1860 wrote to memory of 1748 | 1860 | RtJT2FrE.exe | WScript.exe | 4 |
| PID 1748 wrote to memory of 1616 | 1748 | WScript.exe | cmd.exe | 4 |
| PID 1616 wrote to memory of 1416 | 1616 | cmd.exe | sys.exe | 4 |
| PID 1416 wrote to memory of 468 | 1416 | sys.exe | cmd.exe | 4 |
| PID 1416 wrote to memory of 1412 | 1416 | sys.exe | iexplore.exe | 11 |
| PID 468 wrote to memory of 1312 | 468 | cmd.exe | reg.exe | 4 |
| PID 1412 wrote to memory of 1800 | 1412 | iexplore.exe | cmd.exe | 4 |
| PID 1800 wrote to memory of 392 | 1800 | cmd.exe | reg.exe | 4 |
| PID 1412 wrote to memory of 340 | 1412 | iexplore.exe | svchost.exe | 11 |
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\RtJT2FrE.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RtJT2FrE.exe"
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\SysWOW64\cmd.exe
Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SysWOW64\reg.exe
Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- UAC bypass
- Modifies registry key

Depth 2: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
- Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\sys\sys.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\SysWOW64\sys\sys.exe
Command line: C:\Windows\SysWOW64\sys\sys.exe
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\SysWOW64\cmd.exe
Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\SysWOW64\reg.exe
Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- UAC bypass
- Modifies registry key

Depth 5: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\SysWOW64\cmd.exe
Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\SysWOW64\reg.exe
Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- UAC bypass
- Modifies registry key

Depth 6: C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\install.vbs
- Filesize: 384B
- MD5: 662f40cdb9d6399685c73db8fa6af55c
- SHA1: b4843af100dd7d5789d192982aaf7bc84972f781
- SHA256: fa133903e470717684b46478695d90b7832ce468da7eebfd468cd51dcd244280
- SHA512: bdd9a4dbc7fb1e7b2fce423dcd4d2cabe4a5027f12699d4caf9260304bd403c1099265c12975bac4bae2745a1f3d3804e184b35f5756f2aa5321f0cc109c3d0b

C:\Windows\SysWOW64\sys\sys.exe
- Filesize: 128KB
- MD5: 648e9dc18a8bd5dda03ca12f4f2768e7
- SHA1: efaefb940f47210dd0a3e9483aede0d9d5ce8a52
- SHA256: e0b6bc3a80979c9698dc1a45ec43f00b0a35841706e1414fb29996eb57962c44
- SHA512: 6fd011e2397eaa6ae0f87f41bdc7df8aa01db2e7d181a9072b9e2cddc49722dc1ccb1a67cc45c59989438c68539e0c6f4154267e4d86dbdcc8088b22a435a3a6