Analysis
max time kernel: 134s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-02-2023 16:45
Static task
static1
Behavioral task
behavioral1
Sample
5cb07c79c2ba5c1294709acf3a3452251529600b4d61b51264f212c2c13480ed.exe
Resource
win10v2004-20221111-en
General
-
Target
5cb07c79c2ba5c1294709acf3a3452251529600b4d61b51264f212c2c13480ed.exe
-
Size
574KB
-
MD5
37a08da112329a5622c949b94a78fdda
-
SHA1
fdb00d4c0a1742a9526fd4b2cc0c207c954ea9a5
-
SHA256
5cb07c79c2ba5c1294709acf3a3452251529600b4d61b51264f212c2c13480ed
-
SHA512
fa4d14212c61a55bafb143fb8911137eb3a77c64bf38d68bdadc96b067a8d2044f47d0d19f461dba528d68dbc1e1b227134a11a53f13526a12e8b688cb353f64
-
SSDEEP
12288:DMrRy90hAEV1AO+C5sRqFKKK/0xt2FaUN0n/tpq0CfYA4A6d:yyq5bvczsxDu0n/W0RBd
Malware Config
Extracted
amadey
3.66
62.204.41.5/Bu58Ngs/index.php
Signatures
-
Processes: aPSx.exe, mika.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | aPSx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | aPSx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | aPSx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | mika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | mika.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | aPSx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | aPSx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | aPSx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | mika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | mika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | mika.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | mika.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: vona.exe, mnolyk.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | vona.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | mnolyk.exe
Executes dropped EXE 7 IoCs
Processes: cPSn.exe, aPSx.exe, mika.exe, vona.exe, mnolyk.exe, mnolyk.exe, mnolyk.exe
pid | process
1304 | cPSn.exe
1928 | aPSx.exe
4484 | mika.exe
5116 | vona.exe
116 | mnolyk.exe
1004 | mnolyk.exe
4996 | mnolyk.exe
Loads dropped DLL 1 IoCs
Processes: rundll32.exe
pid | process
2708 | rundll32.exe
Processes: aPSx.exe, mika.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | aPSx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | mika.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | aPSx.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes: 5cb07c79c2ba5c1294709acf3a3452251529600b4d61b51264f212c2c13480ed.exe, cPSn.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5cb07c79c2ba5c1294709acf3a3452251529600b4d61b51264f212c2c13480ed.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | cPSn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | cPSn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 5cb07c79c2ba5c1294709acf3a3452251529600b4d61b51264f212c2c13480ed.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
1640 | 1928 | WerFault.exe | aPSx.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: aPSx.exe, mika.exe
pid | process
1928 | aPSx.exe
1928 | aPSx.exe
4484 | mika.exe
4484 | mika.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: aPSx.exe, mika.exe
description | pid | process
Token: SeDebugPrivilege | 1928 | aPSx.exe
Token: SeDebugPrivilege | 4484 | mika.exe
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\5cb07c79c2ba5c1294709acf3a3452251529600b4d61b51264f212c2c13480ed.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5cb07c79c2ba5c1294709acf3a3452251529600b4d61b51264f212c2c13480ed.exe"
Depth: 1
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cPSn.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cPSn.exe
Depth: 2
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aPSx.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aPSx.exe
Depth: 3
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1036
Depth: 4
- Program crash
-
Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe
Depth: 3
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe
Depth: 2
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
Image: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
Depth: 3
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
Depth: 4
- Creates scheduled task(s)
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
Depth: 4
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Depth: 5
-
Image: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "mnolyk.exe" /P "Admin:N"
Depth: 5
-
Image: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "mnolyk.exe" /P "Admin:R" /E
Depth: 5
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Depth: 5
-
Image: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "..\5eb6b96734" /P "Admin:N"
Depth: 5
-
Image: C:\Windows\SysWOW64\cacls.exe
Command line: CACLS "..\5eb6b96734" /P "Admin:R" /E
Depth: 5
-
Image: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
Depth: 4
- Loads dropped DLL
-
Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1928 -ip 1928
Depth: 1
-
Image: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
Command line: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
Depth: 1
- Executes dropped EXE
-
Image: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
Command line: C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
Depth: 1
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads