Analysis
-
max time kernel
142s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
06-02-2023 19:27
Static task
static1
Behavioral task
behavioral1
Sample
fbe8ce98942a72d29fba4959b35d65c7986cf9d5b773bc03a7bcf989f10c484e.exe
Resource
win10v2004-20221111-en
General
-
Target
fbe8ce98942a72d29fba4959b35d65c7986cf9d5b773bc03a7bcf989f10c484e.exe
-
Size
557KB
-
MD5
e7f9ef3d5e20273e86e69a31761de2ca
-
SHA1
b21d31b193a8e5f7acadad51e58a9fe025668133
-
SHA256
fbe8ce98942a72d29fba4959b35d65c7986cf9d5b773bc03a7bcf989f10c484e
-
SHA512
b9a9cb2f9bfcba9d5c60f0f53b076bd7b9eea51ec1fce48085df6eeb07e3dbbf650fdfe6fc3cb0289bd0438e7bf7e2b40eef1c6286f7a09b4c2d3c72f27540ef
-
SSDEEP
12288:+Mrzy90EJocKDGps79DglltIGx57tUK6uYCvSTG53Vpaey+bVnKmzzunKN0rR/:1y7fab9DgVfrDHvielJzd0rJ
Malware Config
Extracted
amadey
3.66
62.204.41.5/Bu58Ngs/index.php
Signatures
-
Processes:
mika.exeadfx.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" adfx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" adfx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" adfx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" adfx.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection adfx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" adfx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" mika.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
vona.exemnolyk.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation vona.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation mnolyk.exe -
Executes dropped EXE 7 IoCs
Processes:
cdfn.exeadfx.exemika.exevona.exemnolyk.exemnolyk.exemnolyk.exepid process 1828 cdfn.exe 4900 adfx.exe 4060 mika.exe 4528 vona.exe 216 mnolyk.exe 1712 mnolyk.exe 1284 mnolyk.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 2488 rundll32.exe -
Processes:
adfx.exemika.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features adfx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" adfx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" mika.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
fbe8ce98942a72d29fba4959b35d65c7986cf9d5b773bc03a7bcf989f10c484e.execdfn.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce fbe8ce98942a72d29fba4959b35d65c7986cf9d5b773bc03a7bcf989f10c484e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" fbe8ce98942a72d29fba4959b35d65c7986cf9d5b773bc03a7bcf989f10c484e.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce cdfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" cdfn.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2524 4900 WerFault.exe adfx.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
adfx.exemika.exepid process 4900 adfx.exe 4900 adfx.exe 4060 mika.exe 4060 mika.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
adfx.exemika.exedescription pid process Token: SeDebugPrivilege 4900 adfx.exe Token: SeDebugPrivilege 4060 mika.exe -
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
fbe8ce98942a72d29fba4959b35d65c7986cf9d5b773bc03a7bcf989f10c484e.execdfn.exevona.exemnolyk.execmd.exedescription pid process target process PID 2100 wrote to memory of 1828 2100 fbe8ce98942a72d29fba4959b35d65c7986cf9d5b773bc03a7bcf989f10c484e.exe cdfn.exe PID 2100 wrote to memory of 1828 2100 fbe8ce98942a72d29fba4959b35d65c7986cf9d5b773bc03a7bcf989f10c484e.exe cdfn.exe PID 2100 wrote to memory of 1828 2100 fbe8ce98942a72d29fba4959b35d65c7986cf9d5b773bc03a7bcf989f10c484e.exe cdfn.exe PID 1828 wrote to memory of 4900 1828 cdfn.exe adfx.exe PID 1828 wrote to memory of 4900 1828 cdfn.exe adfx.exe PID 1828 wrote to memory of 4900 1828 cdfn.exe adfx.exe PID 1828 wrote to memory of 4060 1828 cdfn.exe mika.exe PID 1828 wrote to memory of 4060 1828 cdfn.exe mika.exe PID 2100 wrote to memory of 4528 2100 fbe8ce98942a72d29fba4959b35d65c7986cf9d5b773bc03a7bcf989f10c484e.exe vona.exe PID 2100 wrote to memory of 4528 2100 fbe8ce98942a72d29fba4959b35d65c7986cf9d5b773bc03a7bcf989f10c484e.exe vona.exe PID 2100 wrote to memory of 4528 2100 fbe8ce98942a72d29fba4959b35d65c7986cf9d5b773bc03a7bcf989f10c484e.exe vona.exe PID 4528 wrote to memory of 216 4528 vona.exe mnolyk.exe PID 4528 wrote to memory of 216 4528 vona.exe mnolyk.exe PID 4528 wrote to memory of 216 4528 vona.exe mnolyk.exe PID 216 wrote to memory of 1776 216 mnolyk.exe schtasks.exe PID 216 wrote to memory of 1776 216 mnolyk.exe schtasks.exe PID 216 wrote to memory of 1776 216 mnolyk.exe schtasks.exe PID 216 wrote to memory of 3136 216 mnolyk.exe cmd.exe PID 216 wrote to memory of 3136 216 mnolyk.exe cmd.exe PID 216 wrote to memory of 3136 216 mnolyk.exe cmd.exe PID 3136 wrote to memory of 4056 3136 cmd.exe cmd.exe PID 3136 wrote to memory of 4056 3136 cmd.exe cmd.exe PID 3136 wrote to memory of 4056 3136 cmd.exe cmd.exe PID 3136 wrote to memory of 4972 3136 cmd.exe cacls.exe PID 3136 wrote to memory of 4972 3136 cmd.exe cacls.exe PID 3136 wrote to memory of 4972 3136 cmd.exe cacls.exe PID 3136 wrote to memory of 3448 3136 cmd.exe cacls.exe PID 3136 wrote to memory of 3448 3136 cmd.exe cacls.exe PID 3136 wrote to memory of 3448 3136 cmd.exe cacls.exe PID 3136 wrote to memory of 4620 3136 cmd.exe cmd.exe PID 3136 wrote to memory of 4620 3136 cmd.exe cmd.exe PID 3136 wrote to memory of 4620 3136 cmd.exe cmd.exe PID 3136 wrote to memory of 4632 3136 cmd.exe cacls.exe PID 3136 wrote to memory of 4632 3136 cmd.exe cacls.exe PID 3136 wrote to memory of 4632 3136 cmd.exe cacls.exe PID 3136 wrote to memory of 4260 3136 cmd.exe cacls.exe PID 3136 wrote to memory of 4260 3136 cmd.exe cacls.exe PID 3136 wrote to memory of 4260 3136 cmd.exe cacls.exe PID 216 wrote to memory of 2488 216 mnolyk.exe rundll32.exe PID 216 wrote to memory of 2488 216 mnolyk.exe rundll32.exe PID 216 wrote to memory of 2488 216 mnolyk.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbe8ce98942a72d29fba4959b35d65c7986cf9d5b773bc03a7bcf989f10c484e.exe"C:\Users\Admin\AppData\Local\Temp\fbe8ce98942a72d29fba4959b35d65c7986cf9d5b773bc03a7bcf989f10c484e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cdfn.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cdfn.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\adfx.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\adfx.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 10804⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4900 -ip 49001⤵
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cdfn.exeFilesize
371KB
MD5ac37d0d8e2f10df758f2f303570bd472
SHA18eb112fd63a52fbf9588c14b4f62017b6a343238
SHA256c0e2b79c0c3a3ab043ddc1a0d2c79567759ef0b6a22421b9ff207e7c86a1ff92
SHA51237014fd0ce072b1be4cdb030dd90f7b8f883beec24c95e42e951ab1f0b57dc5e9d35cbab74fa2a8692228b3fafea082024f0c049c1b08d6679663ca3bb09557c
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cdfn.exeFilesize
371KB
MD5ac37d0d8e2f10df758f2f303570bd472
SHA18eb112fd63a52fbf9588c14b4f62017b6a343238
SHA256c0e2b79c0c3a3ab043ddc1a0d2c79567759ef0b6a22421b9ff207e7c86a1ff92
SHA51237014fd0ce072b1be4cdb030dd90f7b8f883beec24c95e42e951ab1f0b57dc5e9d35cbab74fa2a8692228b3fafea082024f0c049c1b08d6679663ca3bb09557c
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\adfx.exeFilesize
341KB
MD53e992824465f02894e443cc255fff678
SHA10c95d1a78a548c60da4f2c15465efd2e122bb8da
SHA25644946a180522e0a95656ed6be0cdb70acf648b7c3eae27850762ac344b05f8d0
SHA512becd6d844a43ad48d6c0b9af2cbf15b7f6085c5bab5c4eae4bd909b0064c7fca22a6601b94416f86a9e51a4a6f88cdbe73723a2862ff25c222b2f75809d3b9a3
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\adfx.exeFilesize
341KB
MD53e992824465f02894e443cc255fff678
SHA10c95d1a78a548c60da4f2c15465efd2e122bb8da
SHA25644946a180522e0a95656ed6be0cdb70acf648b7c3eae27850762ac344b05f8d0
SHA512becd6d844a43ad48d6c0b9af2cbf15b7f6085c5bab5c4eae4bd909b0064c7fca22a6601b94416f86a9e51a4a6f88cdbe73723a2862ff25c222b2f75809d3b9a3
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD59221a421a3e777eb7d4ce55e474bcc4a
SHA1c96d7bd7ccbf9352d50527bff472595b3dc5298e
SHA25610ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
SHA51263ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD59221a421a3e777eb7d4ce55e474bcc4a
SHA1c96d7bd7ccbf9352d50527bff472595b3dc5298e
SHA25610ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
SHA51263ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3
-
memory/216-153-0x0000000000000000-mapping.dmp
-
memory/1776-156-0x0000000000000000-mapping.dmp
-
memory/1828-132-0x0000000000000000-mapping.dmp
-
memory/2488-164-0x0000000000000000-mapping.dmp
-
memory/3136-157-0x0000000000000000-mapping.dmp
-
memory/3448-160-0x0000000000000000-mapping.dmp
-
memory/4056-158-0x0000000000000000-mapping.dmp
-
memory/4060-149-0x00007FFA49C10000-0x00007FFA4A6D1000-memory.dmpFilesize
10.8MB
-
memory/4060-144-0x0000000000000000-mapping.dmp
-
memory/4060-148-0x00007FFA49C10000-0x00007FFA4A6D1000-memory.dmpFilesize
10.8MB
-
memory/4060-147-0x0000000000780000-0x000000000078A000-memory.dmpFilesize
40KB
-
memory/4260-163-0x0000000000000000-mapping.dmp
-
memory/4528-150-0x0000000000000000-mapping.dmp
-
memory/4620-161-0x0000000000000000-mapping.dmp
-
memory/4632-162-0x0000000000000000-mapping.dmp
-
memory/4900-141-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/4900-143-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/4900-142-0x0000000000624000-0x0000000000644000-memory.dmpFilesize
128KB
-
memory/4900-140-0x0000000001FA0000-0x0000000001FCD000-memory.dmpFilesize
180KB
-
memory/4900-139-0x0000000000624000-0x0000000000644000-memory.dmpFilesize
128KB
-
memory/4900-138-0x0000000004AF0000-0x0000000005094000-memory.dmpFilesize
5.6MB
-
memory/4900-135-0x0000000000000000-mapping.dmp
-
memory/4972-159-0x0000000000000000-mapping.dmp