Analysis
-
max time kernel
140s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
06-02-2023 10:33
Static task
static1
General
-
Target
d3a0475ecad1704fc74830e9e7dcbbedc5da2eb04de4bd3b490acd65d3063380.exe
-
Size
631KB
-
MD5
4552a8146301b83f5f8d091433839864
-
SHA1
6595d711c0817e3539816a6613a0cebe1d3ae82e
-
SHA256
d3a0475ecad1704fc74830e9e7dcbbedc5da2eb04de4bd3b490acd65d3063380
-
SHA512
af16319317e14e68941371654fe4003f615b0ea5b7e42d0e2e828a9e16b8f83e5471172f238a9f5430fe738fc51825beddd8ab6654621857ddc8a5e9ebeba656
-
SSDEEP
12288:MMr4y90J92gh4mAeHgcC1ToH6FGz+9UsdPWhsjkPJYqRHx5ARlNS9KlWbO:Ey9gmdelkGC9ZWhdRRaRzUbO
Malware Config
Extracted
amadey
3.66
62.204.41.5/Bu58Ngs/index.php
Signatures
-
Processes:
mika.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" mika.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
vona.exemnolyk.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation vona.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation mnolyk.exe -
Executes dropped EXE 7 IoCs
Processes:
cxun.exeaxux.exemika.exevona.exemnolyk.exemnolyk.exemnolyk.exepid process 5028 cxun.exe 4940 axux.exe 3628 mika.exe 4220 vona.exe 3176 mnolyk.exe 3556 mnolyk.exe 2292 mnolyk.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 5064 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
mika.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" mika.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
d3a0475ecad1704fc74830e9e7dcbbedc5da2eb04de4bd3b490acd65d3063380.execxun.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce d3a0475ecad1704fc74830e9e7dcbbedc5da2eb04de4bd3b490acd65d3063380.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d3a0475ecad1704fc74830e9e7dcbbedc5da2eb04de4bd3b490acd65d3063380.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce cxun.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" cxun.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1576 4940 WerFault.exe axux.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
axux.exemika.exepid process 4940 axux.exe 4940 axux.exe 3628 mika.exe 3628 mika.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
axux.exemika.exedescription pid process Token: SeDebugPrivilege 4940 axux.exe Token: SeDebugPrivilege 3628 mika.exe -
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
d3a0475ecad1704fc74830e9e7dcbbedc5da2eb04de4bd3b490acd65d3063380.execxun.exevona.exemnolyk.execmd.exedescription pid process target process PID 3272 wrote to memory of 5028 3272 d3a0475ecad1704fc74830e9e7dcbbedc5da2eb04de4bd3b490acd65d3063380.exe cxun.exe PID 3272 wrote to memory of 5028 3272 d3a0475ecad1704fc74830e9e7dcbbedc5da2eb04de4bd3b490acd65d3063380.exe cxun.exe PID 3272 wrote to memory of 5028 3272 d3a0475ecad1704fc74830e9e7dcbbedc5da2eb04de4bd3b490acd65d3063380.exe cxun.exe PID 5028 wrote to memory of 4940 5028 cxun.exe axux.exe PID 5028 wrote to memory of 4940 5028 cxun.exe axux.exe PID 5028 wrote to memory of 4940 5028 cxun.exe axux.exe PID 5028 wrote to memory of 3628 5028 cxun.exe mika.exe PID 5028 wrote to memory of 3628 5028 cxun.exe mika.exe PID 3272 wrote to memory of 4220 3272 d3a0475ecad1704fc74830e9e7dcbbedc5da2eb04de4bd3b490acd65d3063380.exe vona.exe PID 3272 wrote to memory of 4220 3272 d3a0475ecad1704fc74830e9e7dcbbedc5da2eb04de4bd3b490acd65d3063380.exe vona.exe PID 3272 wrote to memory of 4220 3272 d3a0475ecad1704fc74830e9e7dcbbedc5da2eb04de4bd3b490acd65d3063380.exe vona.exe PID 4220 wrote to memory of 3176 4220 vona.exe mnolyk.exe PID 4220 wrote to memory of 3176 4220 vona.exe mnolyk.exe PID 4220 wrote to memory of 3176 4220 vona.exe mnolyk.exe PID 3176 wrote to memory of 2588 3176 mnolyk.exe schtasks.exe PID 3176 wrote to memory of 2588 3176 mnolyk.exe schtasks.exe PID 3176 wrote to memory of 2588 3176 mnolyk.exe schtasks.exe PID 3176 wrote to memory of 924 3176 mnolyk.exe cmd.exe PID 3176 wrote to memory of 924 3176 mnolyk.exe cmd.exe PID 3176 wrote to memory of 924 3176 mnolyk.exe cmd.exe PID 924 wrote to memory of 2740 924 cmd.exe cmd.exe PID 924 wrote to memory of 2740 924 cmd.exe cmd.exe PID 924 wrote to memory of 2740 924 cmd.exe cmd.exe PID 924 wrote to memory of 380 924 cmd.exe cacls.exe PID 924 wrote to memory of 380 924 cmd.exe cacls.exe PID 924 wrote to memory of 380 924 cmd.exe cacls.exe PID 924 wrote to memory of 2576 924 cmd.exe cacls.exe PID 924 wrote to memory of 2576 924 cmd.exe cacls.exe PID 924 wrote to memory of 2576 924 cmd.exe cacls.exe PID 924 wrote to memory of 1088 924 cmd.exe cmd.exe PID 924 wrote to memory of 1088 924 cmd.exe cmd.exe PID 924 wrote to memory of 1088 924 cmd.exe cmd.exe PID 924 wrote to memory of 4020 924 cmd.exe cacls.exe PID 924 wrote to memory of 4020 924 cmd.exe cacls.exe PID 924 wrote to memory of 4020 924 cmd.exe cacls.exe PID 924 wrote to memory of 4312 924 cmd.exe cacls.exe PID 924 wrote to memory of 4312 924 cmd.exe cacls.exe PID 924 wrote to memory of 4312 924 cmd.exe cacls.exe PID 3176 wrote to memory of 5064 3176 mnolyk.exe rundll32.exe PID 3176 wrote to memory of 5064 3176 mnolyk.exe rundll32.exe PID 3176 wrote to memory of 5064 3176 mnolyk.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3a0475ecad1704fc74830e9e7dcbbedc5da2eb04de4bd3b490acd65d3063380.exe"C:\Users\Admin\AppData\Local\Temp\d3a0475ecad1704fc74830e9e7dcbbedc5da2eb04de4bd3b490acd65d3063380.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cxun.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cxun.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\axux.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\axux.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4940 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 14844⤵
- Program crash
PID:1576 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3628 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F4⤵
- Creates scheduled task(s)
PID:2588 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:2740
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:N"5⤵PID:380
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:R" /E5⤵PID:2576
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1088
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:N"5⤵PID:4020
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:R" /E5⤵PID:4312
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
PID:5064
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4940 -ip 49401⤵PID:1240
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe1⤵
- Executes dropped EXE
PID:3556
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe1⤵
- Executes dropped EXE
PID:2292
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cxun.exeFilesize
444KB
MD5b5b8417a7317a56899bb7155cb467106
SHA149771f3f1d03899ae715f3f9e0a7afa8787dc425
SHA256d80fc52401e25b18593f6e4a4fa5d901660bd3cc40499ea22a66546495a1875e
SHA5122084e64e54269796bc46b6611bc2c816798547432b9bdf2ccead54b0e22078a96289d5443d0627610de05e913c0b6c9eaa61c152e303deff745a4365e096b0d3
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cxun.exeFilesize
444KB
MD5b5b8417a7317a56899bb7155cb467106
SHA149771f3f1d03899ae715f3f9e0a7afa8787dc425
SHA256d80fc52401e25b18593f6e4a4fa5d901660bd3cc40499ea22a66546495a1875e
SHA5122084e64e54269796bc46b6611bc2c816798547432b9bdf2ccead54b0e22078a96289d5443d0627610de05e913c0b6c9eaa61c152e303deff745a4365e096b0d3
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\axux.exeFilesize
405KB
MD56bcacba2cf1856b068538f3259a1ba5f
SHA11a2888be54c1f1a5c2c29f53811563b23adb6c84
SHA2561d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5
SHA5122d3df3eb21e00385e28600e6910f1a07688622ae4d91e4a63221453f75abc11124db66c19cb548097f46a3ce5a58835fd941caea914ab9be99277409efc02d82
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\axux.exeFilesize
405KB
MD56bcacba2cf1856b068538f3259a1ba5f
SHA11a2888be54c1f1a5c2c29f53811563b23adb6c84
SHA2561d51e0964268b35afb43320513ad9837ec6b1c0bd0e56065ead5d99b385967b5
SHA5122d3df3eb21e00385e28600e6910f1a07688622ae4d91e4a63221453f75abc11124db66c19cb548097f46a3ce5a58835fd941caea914ab9be99277409efc02d82
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD59221a421a3e777eb7d4ce55e474bcc4a
SHA1c96d7bd7ccbf9352d50527bff472595b3dc5298e
SHA25610ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
SHA51263ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD59221a421a3e777eb7d4ce55e474bcc4a
SHA1c96d7bd7ccbf9352d50527bff472595b3dc5298e
SHA25610ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
SHA51263ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3
-
memory/380-170-0x0000000000000000-mapping.dmp
-
memory/924-168-0x0000000000000000-mapping.dmp
-
memory/1088-172-0x0000000000000000-mapping.dmp
-
memory/2576-171-0x0000000000000000-mapping.dmp
-
memory/2588-167-0x0000000000000000-mapping.dmp
-
memory/2740-169-0x0000000000000000-mapping.dmp
-
memory/3176-164-0x0000000000000000-mapping.dmp
-
memory/3628-160-0x00007FFAB1670000-0x00007FFAB2131000-memory.dmpFilesize
10.8MB
-
memory/3628-155-0x0000000000000000-mapping.dmp
-
memory/3628-158-0x0000000000370000-0x000000000037A000-memory.dmpFilesize
40KB
-
memory/3628-159-0x00007FFAB1670000-0x00007FFAB2131000-memory.dmpFilesize
10.8MB
-
memory/4020-173-0x0000000000000000-mapping.dmp
-
memory/4220-161-0x0000000000000000-mapping.dmp
-
memory/4312-174-0x0000000000000000-mapping.dmp
-
memory/4940-143-0x0000000005760000-0x000000000586A000-memory.dmpFilesize
1.0MB
-
memory/4940-151-0x0000000008020000-0x0000000008096000-memory.dmpFilesize
472KB
-
memory/4940-144-0x0000000002820000-0x0000000002832000-memory.dmpFilesize
72KB
-
memory/4940-146-0x0000000005B60000-0x0000000005BC6000-memory.dmpFilesize
408KB
-
memory/4940-148-0x0000000006460000-0x0000000006622000-memory.dmpFilesize
1.8MB
-
memory/4940-153-0x00000000007A4000-0x00000000007D2000-memory.dmpFilesize
184KB
-
memory/4940-142-0x0000000005140000-0x0000000005758000-memory.dmpFilesize
6.1MB
-
memory/4940-152-0x00000000080A0000-0x00000000080F0000-memory.dmpFilesize
320KB
-
memory/4940-135-0x0000000000000000-mapping.dmp
-
memory/4940-145-0x0000000005870000-0x00000000058AC000-memory.dmpFilesize
240KB
-
memory/4940-141-0x0000000004B90000-0x0000000005134000-memory.dmpFilesize
5.6MB
-
memory/4940-150-0x00000000007A4000-0x00000000007D2000-memory.dmpFilesize
184KB
-
memory/4940-149-0x0000000006640000-0x0000000006B6C000-memory.dmpFilesize
5.2MB
-
memory/4940-147-0x0000000006220000-0x00000000062B2000-memory.dmpFilesize
584KB
-
memory/4940-154-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4940-140-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/4940-138-0x00000000007A4000-0x00000000007D2000-memory.dmpFilesize
184KB
-
memory/4940-139-0x0000000000630000-0x000000000067B000-memory.dmpFilesize
300KB
-
memory/5028-132-0x0000000000000000-mapping.dmp
-
memory/5064-176-0x0000000000000000-mapping.dmp