Analysis
max time kernel: 121s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-02-2023 12:39
Static task
static1
General
Target: 2e86198ee03dfb022683b03bdb7be8b6492441cba6cda66b1478779bc9a7e8a2.exe
Size: 642KB
MD5: 07b1dca65ae2c495983b1d7af219b7d6
SHA1: c069063990788aa3d8d9b57fad3d0b5dacd8df7d
SHA256: 2e86198ee03dfb022683b03bdb7be8b6492441cba6cda66b1478779bc9a7e8a2
SHA512: e23add5cada9afd5711807feeabac9f277c6467cdb2b9616ef1b1cf00f95e00a13d38782edb32c9dc9f0b8b1b4e9368185c2c6eb54408e96b246f33ff4c95817
SSDEEP: 12288:yMrgy90/AI45VIPmJz0vFn+wpNx5MrIm8T30Erau9iz4byW/6/:WyAcV6m2pFSImc0avFekI
Malware Config
Extracted
Family: amadey
Version: 3.66
C2: 62.204.41.5/Bu58Ngs/index.php
Signatures
-
Processes: mika.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | mika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | mika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | mika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | mika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | mika.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | mika.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: vona.exe, mnolyk.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | vona.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | mnolyk.exe
-
Executes dropped EXE 7 IoCs
Processes: crUn.exe, arUx.exe, mika.exe, vona.exe, mnolyk.exe, mnolyk.exe, mnolyk.exe
pid | process
2740 | crUn.exe
4820 | arUx.exe
4648 | mika.exe
2308 | vona.exe
3796 | mnolyk.exe
4240 | mnolyk.exe
4500 | mnolyk.exe
-
Loads dropped DLL 1 IoCs
Processes: rundll32.exe
pid | process
2872 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes: mika.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | mika.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: crUn.exe, 2e86198ee03dfb022683b03bdb7be8b6492441cba6cda66b1478779bc9a7e8a2.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | crUn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 2e86198ee03dfb022683b03bdb7be8b6492441cba6cda66b1478779bc9a7e8a2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2e86198ee03dfb022683b03bdb7be8b6492441cba6cda66b1478779bc9a7e8a2.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | crUn.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
4984 | 4820 | WerFault.exe | arUx.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: arUx.exe, mika.exe
pid | process
4820 | arUx.exe
4820 | arUx.exe
4648 | mika.exe
4648 | mika.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: arUx.exe, mika.exe
description | pid | process
Token: SeDebugPrivilege | 4820 | arUx.exe
Token: SeDebugPrivilege | 4648 | mika.exe
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes: 2e86198ee03dfb022683b03bdb7be8b6492441cba6cda66b1478779bc9a7e8a2.exe, crUn.exe, vona.exe, mnolyk.exe, cmd.exe
description | pid | process | target process
PID 3936 wrote to memory of 2740 | 3936 | 2e86198ee03dfb022683b03bdb7be8b6492441cba6cda66b1478779bc9a7e8a2.exe | crUn.exe
PID 3936 wrote to memory of 2740 | 3936 | 2e86198ee03dfb022683b03bdb7be8b6492441cba6cda66b1478779bc9a7e8a2.exe | crUn.exe
PID 3936 wrote to memory of 2740 | 3936 | 2e86198ee03dfb022683b03bdb7be8b6492441cba6cda66b1478779bc9a7e8a2.exe | crUn.exe
PID 2740 wrote to memory of 4820 | 2740 | crUn.exe | arUx.exe
PID 2740 wrote to memory of 4820 | 2740 | crUn.exe | arUx.exe
PID 2740 wrote to memory of 4820 | 2740 | crUn.exe | arUx.exe
PID 2740 wrote to memory of 4648 | 2740 | crUn.exe | mika.exe
PID 2740 wrote to memory of 4648 | 2740 | crUn.exe | mika.exe
PID 3936 wrote to memory of 2308 | 3936 | 2e86198ee03dfb022683b03bdb7be8b6492441cba6cda66b1478779bc9a7e8a2.exe | vona.exe
PID 3936 wrote to memory of 2308 | 3936 | 2e86198ee03dfb022683b03bdb7be8b6492441cba6cda66b1478779bc9a7e8a2.exe | vona.exe
PID 3936 wrote to memory of 2308 | 3936 | 2e86198ee03dfb022683b03bdb7be8b6492441cba6cda66b1478779bc9a7e8a2.exe | vona.exe
PID 2308 wrote to memory of 3796 | 2308 | vona.exe | mnolyk.exe
PID 2308 wrote to memory of 3796 | 2308 | vona.exe | mnolyk.exe
PID 2308 wrote to memory of 3796 | 2308 | vona.exe | mnolyk.exe
PID 3796 wrote to memory of 2828 | 3796 | mnolyk.exe | schtasks.exe
PID 3796 wrote to memory of 2828 | 3796 | mnolyk.exe | schtasks.exe
PID 3796 wrote to memory of 2828 | 3796 | mnolyk.exe | schtasks.exe
PID 3796 wrote to memory of 4332 | 3796 | mnolyk.exe | cmd.exe
PID 3796 wrote to memory of 4332 | 3796 | mnolyk.exe | cmd.exe
PID 3796 wrote to memory of 4332 | 3796 | mnolyk.exe | cmd.exe
PID 4332 wrote to memory of 2352 | 4332 | cmd.exe | cmd.exe
PID 4332 wrote to memory of 2352 | 4332 | cmd.exe | cmd.exe
PID 4332 wrote to memory of 2352 | 4332 | cmd.exe | cmd.exe
PID 4332 wrote to memory of 1564 | 4332 | cmd.exe | cacls.exe
PID 4332 wrote to memory of 1564 | 4332 | cmd.exe | cacls.exe
PID 4332 wrote to memory of 1564 | 4332 | cmd.exe | cacls.exe
PID 4332 wrote to memory of 4932 | 4332 | cmd.exe | cacls.exe
PID 4332 wrote to memory of 4932 | 4332 | cmd.exe | cacls.exe
PID 4332 wrote to memory of 4932 | 4332 | cmd.exe | cacls.exe
PID 4332 wrote to memory of 1452 | 4332 | cmd.exe | cmd.exe
PID 4332 wrote to memory of 1452 | 4332 | cmd.exe | cmd.exe
PID 4332 wrote to memory of 1452 | 4332 | cmd.exe | cmd.exe
PID 4332 wrote to memory of 1588 | 4332 | cmd.exe | cacls.exe
PID 4332 wrote to memory of 1588 | 4332 | cmd.exe | cacls.exe
PID 4332 wrote to memory of 1588 | 4332 | cmd.exe | cacls.exe
PID 4332 wrote to memory of 2012 | 4332 | cmd.exe | cacls.exe
PID 4332 wrote to memory of 2012 | 4332 | cmd.exe | cacls.exe
PID 4332 wrote to memory of 2012 | 4332 | cmd.exe | cacls.exe
PID 3796 wrote to memory of 2872 | 3796 | mnolyk.exe | rundll32.exe
PID 3796 wrote to memory of 2872 | 3796 | mnolyk.exe | rundll32.exe
PID 3796 wrote to memory of 2872 | 3796 | mnolyk.exe | rundll32.exe
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\2e86198ee03dfb022683b03bdb7be8b6492441cba6cda66b1478779bc9a7e8a2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e86198ee03dfb022683b03bdb7be8b6492441cba6cda66b1478779bc9a7e8a2.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
-
  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crUn.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crUn.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
-
    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\arUx.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\arUx.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
      Depth 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1352
        - Program crash
-
    Depth 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
  Depth 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
-
    Depth 3: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
-
      Depth 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
        - Creates scheduled task(s)
-
      Depth 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
        - Suspicious use of WriteProcessMemory
-
        Depth 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
        Depth 5: C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "mnolyk.exe" /P "Admin:N"
-
        Depth 5: C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "mnolyk.exe" /P "Admin:R" /E
-
        Depth 5: C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
-
        Depth 5: C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "..\5eb6b96734" /P "Admin:N"
-
        Depth 5: C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "..\5eb6b96734" /P "Admin:R" /E
-
      Depth 4: C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        - Loads dropped DLL
-
Depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4820 -ip 4820
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  - Executes dropped EXE
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
  - Executes dropped EXE