Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
06-02-2023 16:59
Static task
static1
Behavioral task
behavioral1
Sample
bc16d07b5e2c2d275ad3fc2b95dcb7a19ec21107b8972d75b989e1d64fa695a9.exe
Resource
win10v2004-20221111-en
General
-
Target
bc16d07b5e2c2d275ad3fc2b95dcb7a19ec21107b8972d75b989e1d64fa695a9.exe
-
Size
573KB
-
MD5
2ef82913f6782c549d2b78be8fd45e48
-
SHA1
bd08831c1b52cc17b44c3d485a6a0b5f90450785
-
SHA256
bc16d07b5e2c2d275ad3fc2b95dcb7a19ec21107b8972d75b989e1d64fa695a9
-
SHA512
e8f778b2cc619332862bfb949e31ad0a1dbc62456127c8753ee80e0c6a65c496a024ab23349cff31dce85ab0257a49b963839983708eae4bf2ef9c822532fa6c
-
SSDEEP
12288:pMrJy90lfMHfeV2l6Zfxjr7O/0VtEFOrN0n/tUD1VJb:0yOkH2Va6Zfxv7OsVXZ0n/Gl
Malware Config
Extracted
amadey
3.66
62.204.41.5/Bu58Ngs/index.php
Signatures
-
Processes:
aldx.exemika.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" aldx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" aldx.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection aldx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" aldx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" aldx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" aldx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" mika.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
mnolyk.exevona.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation mnolyk.exe Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation vona.exe -
Executes dropped EXE 7 IoCs
Processes:
cldn.exealdx.exemika.exevona.exemnolyk.exemnolyk.exemnolyk.exepid process 4512 cldn.exe 3208 aldx.exe 4292 mika.exe 2736 vona.exe 396 mnolyk.exe 4612 mnolyk.exe 4764 mnolyk.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 4132 rundll32.exe -
Processes:
aldx.exemika.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features aldx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" aldx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" mika.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
bc16d07b5e2c2d275ad3fc2b95dcb7a19ec21107b8972d75b989e1d64fa695a9.execldn.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce bc16d07b5e2c2d275ad3fc2b95dcb7a19ec21107b8972d75b989e1d64fa695a9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" bc16d07b5e2c2d275ad3fc2b95dcb7a19ec21107b8972d75b989e1d64fa695a9.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce cldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" cldn.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid process 3944 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3288 3208 WerFault.exe aldx.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
aldx.exemika.exepid process 3208 aldx.exe 3208 aldx.exe 4292 mika.exe 4292 mika.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
aldx.exemika.exedescription pid process Token: SeDebugPrivilege 3208 aldx.exe Token: SeDebugPrivilege 4292 mika.exe -
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
bc16d07b5e2c2d275ad3fc2b95dcb7a19ec21107b8972d75b989e1d64fa695a9.execldn.exevona.exemnolyk.execmd.exedescription pid process target process PID 4460 wrote to memory of 4512 4460 bc16d07b5e2c2d275ad3fc2b95dcb7a19ec21107b8972d75b989e1d64fa695a9.exe cldn.exe PID 4460 wrote to memory of 4512 4460 bc16d07b5e2c2d275ad3fc2b95dcb7a19ec21107b8972d75b989e1d64fa695a9.exe cldn.exe PID 4460 wrote to memory of 4512 4460 bc16d07b5e2c2d275ad3fc2b95dcb7a19ec21107b8972d75b989e1d64fa695a9.exe cldn.exe PID 4512 wrote to memory of 3208 4512 cldn.exe aldx.exe PID 4512 wrote to memory of 3208 4512 cldn.exe aldx.exe PID 4512 wrote to memory of 3208 4512 cldn.exe aldx.exe PID 4512 wrote to memory of 4292 4512 cldn.exe mika.exe PID 4512 wrote to memory of 4292 4512 cldn.exe mika.exe PID 4460 wrote to memory of 2736 4460 bc16d07b5e2c2d275ad3fc2b95dcb7a19ec21107b8972d75b989e1d64fa695a9.exe vona.exe PID 4460 wrote to memory of 2736 4460 bc16d07b5e2c2d275ad3fc2b95dcb7a19ec21107b8972d75b989e1d64fa695a9.exe vona.exe PID 4460 wrote to memory of 2736 4460 bc16d07b5e2c2d275ad3fc2b95dcb7a19ec21107b8972d75b989e1d64fa695a9.exe vona.exe PID 2736 wrote to memory of 396 2736 vona.exe mnolyk.exe PID 2736 wrote to memory of 396 2736 vona.exe mnolyk.exe PID 2736 wrote to memory of 396 2736 vona.exe mnolyk.exe PID 396 wrote to memory of 3812 396 mnolyk.exe schtasks.exe PID 396 wrote to memory of 3812 396 mnolyk.exe schtasks.exe PID 396 wrote to memory of 3812 396 mnolyk.exe schtasks.exe PID 396 wrote to memory of 3388 396 mnolyk.exe cmd.exe PID 396 wrote to memory of 3388 396 mnolyk.exe cmd.exe PID 396 wrote to memory of 3388 396 mnolyk.exe cmd.exe PID 3388 wrote to memory of 500 3388 cmd.exe cmd.exe PID 3388 wrote to memory of 500 3388 cmd.exe cmd.exe PID 3388 wrote to memory of 500 3388 cmd.exe cmd.exe PID 3388 wrote to memory of 4688 3388 cmd.exe cacls.exe PID 3388 wrote to memory of 4688 3388 cmd.exe cacls.exe PID 3388 wrote to memory of 4688 3388 cmd.exe cacls.exe PID 3388 wrote to memory of 4552 3388 cmd.exe cacls.exe PID 3388 wrote to memory of 4552 3388 cmd.exe cacls.exe PID 3388 wrote to memory of 4552 3388 cmd.exe cacls.exe PID 3388 wrote to memory of 3112 3388 cmd.exe cmd.exe PID 3388 wrote to memory of 3112 3388 cmd.exe cmd.exe PID 3388 wrote to memory of 3112 3388 cmd.exe cmd.exe PID 3388 wrote to memory of 3700 3388 cmd.exe cacls.exe PID 3388 wrote to memory of 3700 3388 cmd.exe cacls.exe PID 3388 wrote to memory of 3700 3388 cmd.exe cacls.exe PID 3388 wrote to memory of 940 3388 cmd.exe cacls.exe PID 3388 wrote to memory of 940 3388 cmd.exe cacls.exe PID 3388 wrote to memory of 940 3388 cmd.exe cacls.exe PID 396 wrote to memory of 4132 396 mnolyk.exe rundll32.exe PID 396 wrote to memory of 4132 396 mnolyk.exe rundll32.exe PID 396 wrote to memory of 4132 396 mnolyk.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc16d07b5e2c2d275ad3fc2b95dcb7a19ec21107b8972d75b989e1d64fa695a9.exe"C:\Users\Admin\AppData\Local\Temp\bc16d07b5e2c2d275ad3fc2b95dcb7a19ec21107b8972d75b989e1d64fa695a9.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cldn.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cldn.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aldx.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aldx.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 10804⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3208 -ip 32081⤵
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cldn.exeFilesize
386KB
MD5367f060ac56d297b89ff8b24764bb089
SHA1375465f74b36bb57bcd5d84c6eeedde46c0f7163
SHA256a77c2f23e8c9e9ed78c64a3b2979a848d604466f68b29da0f6fe1d020a9a5480
SHA512829d277bc7518291171b951baa6659e8f4269ad764c562bdddf887e8ae96db627cbcf46621f12e0e98dc03e2045c93a24e499f685d0ded69441d716028b8595f
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cldn.exeFilesize
386KB
MD5367f060ac56d297b89ff8b24764bb089
SHA1375465f74b36bb57bcd5d84c6eeedde46c0f7163
SHA256a77c2f23e8c9e9ed78c64a3b2979a848d604466f68b29da0f6fe1d020a9a5480
SHA512829d277bc7518291171b951baa6659e8f4269ad764c562bdddf887e8ae96db627cbcf46621f12e0e98dc03e2045c93a24e499f685d0ded69441d716028b8595f
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aldx.exeFilesize
363KB
MD501bc3df99ab67babcdc1577241e3ee87
SHA1c11c6465d4de6b6588b565c577a9eaad80d409d4
SHA256778bd7b213d42773deeb1df58089f30fc9310555a97a9654a90afb63208bbc9a
SHA512107ca576ed9599a079f9c2e90ede1f60313a59c0c46b99272665a5d8b56166dc7af422b9e8cd65c20fd7f878d03c64a06ed0af943b95967e92b8ccb4aabc6a95
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aldx.exeFilesize
363KB
MD501bc3df99ab67babcdc1577241e3ee87
SHA1c11c6465d4de6b6588b565c577a9eaad80d409d4
SHA256778bd7b213d42773deeb1df58089f30fc9310555a97a9654a90afb63208bbc9a
SHA512107ca576ed9599a079f9c2e90ede1f60313a59c0c46b99272665a5d8b56166dc7af422b9e8cd65c20fd7f878d03c64a06ed0af943b95967e92b8ccb4aabc6a95
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD59221a421a3e777eb7d4ce55e474bcc4a
SHA1c96d7bd7ccbf9352d50527bff472595b3dc5298e
SHA25610ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
SHA51263ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD59221a421a3e777eb7d4ce55e474bcc4a
SHA1c96d7bd7ccbf9352d50527bff472595b3dc5298e
SHA25610ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
SHA51263ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3
-
memory/396-154-0x0000000000000000-mapping.dmp
-
memory/500-159-0x0000000000000000-mapping.dmp
-
memory/940-164-0x0000000000000000-mapping.dmp
-
memory/2736-151-0x0000000000000000-mapping.dmp
-
memory/3112-162-0x0000000000000000-mapping.dmp
-
memory/3208-141-0x0000000004AA0000-0x0000000005044000-memory.dmpFilesize
5.6MB
-
memory/3208-143-0x00000000005D4000-0x00000000005F4000-memory.dmpFilesize
128KB
-
memory/3208-140-0x0000000000400000-0x0000000000476000-memory.dmpFilesize
472KB
-
memory/3208-142-0x00000000005D4000-0x00000000005F4000-memory.dmpFilesize
128KB
-
memory/3208-138-0x00000000005D4000-0x00000000005F4000-memory.dmpFilesize
128KB
-
memory/3208-144-0x0000000000400000-0x0000000000476000-memory.dmpFilesize
472KB
-
memory/3208-135-0x0000000000000000-mapping.dmp
-
memory/3208-139-0x0000000000520000-0x000000000054D000-memory.dmpFilesize
180KB
-
memory/3388-158-0x0000000000000000-mapping.dmp
-
memory/3700-163-0x0000000000000000-mapping.dmp
-
memory/3812-157-0x0000000000000000-mapping.dmp
-
memory/4132-166-0x0000000000000000-mapping.dmp
-
memory/4292-145-0x0000000000000000-mapping.dmp
-
memory/4292-148-0x0000000000A40000-0x0000000000A4A000-memory.dmpFilesize
40KB
-
memory/4292-150-0x00007FFF53900000-0x00007FFF543C1000-memory.dmpFilesize
10.8MB
-
memory/4292-149-0x00007FFF53900000-0x00007FFF543C1000-memory.dmpFilesize
10.8MB
-
memory/4512-132-0x0000000000000000-mapping.dmp
-
memory/4552-161-0x0000000000000000-mapping.dmp
-
memory/4688-160-0x0000000000000000-mapping.dmp