Analysis
-
max time kernel
143s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
06-02-2023 18:59
Static task
static1
Behavioral task
behavioral1
Sample
b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e.exe
Resource
win10v2004-20221111-en
General
-
Target
b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e.exe
-
Size
558KB
-
MD5
e74ebd7dbb48ae2070847cd6dafbc0c1
-
SHA1
04244f94f28ac3b718d46b1ae125f637b70eaf07
-
SHA256
b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e
-
SHA512
166e4fc30b1d7f3f300475c39dea497e2048e77476b2744b9774b920d229f21dc9c667dd3c350c10b72218642711ccd02cb33c1015cd198d7494fac71fbfc2d9
-
SSDEEP
12288:RMrRy90z/PamR5AqwE8QzUK6uYCvyTK53Vpa8a+bVJKOds/l7:EyC/PH5AqwmDHvC4dpQ
Malware Config
Extracted
amadey
3.66
62.204.41.5/Bu58Ngs/index.php
Signatures
-
Processes:
mika.exeanlx.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" anlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" anlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" mika.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" mika.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection anlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" anlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" anlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" anlx.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
mnolyk.exevona.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation mnolyk.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation vona.exe -
Executes dropped EXE 7 IoCs
Processes:
cnln.exeanlx.exemika.exevona.exemnolyk.exemnolyk.exemnolyk.exepid process 4296 cnln.exe 4796 anlx.exe 2012 mika.exe 4456 vona.exe 4748 mnolyk.exe 4184 mnolyk.exe 2368 mnolyk.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 4236 rundll32.exe -
Processes:
mika.exeanlx.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" mika.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features anlx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" anlx.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e.execnln.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce cnln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" cnln.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 760 4796 WerFault.exe anlx.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
anlx.exemika.exepid process 4796 anlx.exe 4796 anlx.exe 2012 mika.exe 2012 mika.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
anlx.exemika.exedescription pid process Token: SeDebugPrivilege 4796 anlx.exe Token: SeDebugPrivilege 2012 mika.exe -
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e.execnln.exevona.exemnolyk.execmd.exedescription pid process target process PID 3576 wrote to memory of 4296 3576 b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e.exe cnln.exe PID 3576 wrote to memory of 4296 3576 b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e.exe cnln.exe PID 3576 wrote to memory of 4296 3576 b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e.exe cnln.exe PID 4296 wrote to memory of 4796 4296 cnln.exe anlx.exe PID 4296 wrote to memory of 4796 4296 cnln.exe anlx.exe PID 4296 wrote to memory of 4796 4296 cnln.exe anlx.exe PID 4296 wrote to memory of 2012 4296 cnln.exe mika.exe PID 4296 wrote to memory of 2012 4296 cnln.exe mika.exe PID 3576 wrote to memory of 4456 3576 b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e.exe vona.exe PID 3576 wrote to memory of 4456 3576 b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e.exe vona.exe PID 3576 wrote to memory of 4456 3576 b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e.exe vona.exe PID 4456 wrote to memory of 4748 4456 vona.exe mnolyk.exe PID 4456 wrote to memory of 4748 4456 vona.exe mnolyk.exe PID 4456 wrote to memory of 4748 4456 vona.exe mnolyk.exe PID 4748 wrote to memory of 2952 4748 mnolyk.exe schtasks.exe PID 4748 wrote to memory of 2952 4748 mnolyk.exe schtasks.exe PID 4748 wrote to memory of 2952 4748 mnolyk.exe schtasks.exe PID 4748 wrote to memory of 3140 4748 mnolyk.exe cmd.exe PID 4748 wrote to memory of 3140 4748 mnolyk.exe cmd.exe PID 4748 wrote to memory of 3140 4748 mnolyk.exe cmd.exe PID 3140 wrote to memory of 176 3140 cmd.exe cmd.exe PID 3140 wrote to memory of 176 3140 cmd.exe cmd.exe PID 3140 wrote to memory of 176 3140 cmd.exe cmd.exe PID 3140 wrote to memory of 228 3140 cmd.exe cacls.exe PID 3140 wrote to memory of 228 3140 cmd.exe cacls.exe PID 3140 wrote to memory of 228 3140 cmd.exe cacls.exe PID 3140 wrote to memory of 4948 3140 cmd.exe cacls.exe PID 3140 wrote to memory of 4948 3140 cmd.exe cacls.exe PID 3140 wrote to memory of 4948 3140 cmd.exe cacls.exe PID 3140 wrote to memory of 2080 3140 cmd.exe cmd.exe PID 3140 wrote to memory of 2080 3140 cmd.exe cmd.exe PID 3140 wrote to memory of 2080 3140 cmd.exe cmd.exe PID 3140 wrote to memory of 4268 3140 cmd.exe cacls.exe PID 3140 wrote to memory of 4268 3140 cmd.exe cacls.exe PID 3140 wrote to memory of 4268 3140 cmd.exe cacls.exe PID 3140 wrote to memory of 3544 3140 cmd.exe cacls.exe PID 3140 wrote to memory of 3544 3140 cmd.exe cacls.exe PID 3140 wrote to memory of 3544 3140 cmd.exe cacls.exe PID 4748 wrote to memory of 4236 4748 mnolyk.exe rundll32.exe PID 4748 wrote to memory of 4236 4748 mnolyk.exe rundll32.exe PID 4748 wrote to memory of 4236 4748 mnolyk.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e.exe"C:\Users\Admin\AppData\Local\Temp\b45671e0e9c665d84728fe69190103fa223888998b048fb3845a43de060ca80e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cnln.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cnln.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\anlx.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\anlx.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 10444⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4796 -ip 47961⤵
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cnln.exeFilesize
371KB
MD5607394d7fa99730cfa49c760b15d9feb
SHA14be7080a8e16ab606a4b667555e5fd458fb228ba
SHA2567a26eeb3323994aae2444ce0c5f5bc09cb17f8d04ece28f0889a6d5fd817e316
SHA512b78fb6ae4cf260dd02101fa6c248ac4501922f2272471fd746117aadd62797747d54fa8993ae9730b5892df74144e7b06c9f00e7e5bca9568667bae780707ee5
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cnln.exeFilesize
371KB
MD5607394d7fa99730cfa49c760b15d9feb
SHA14be7080a8e16ab606a4b667555e5fd458fb228ba
SHA2567a26eeb3323994aae2444ce0c5f5bc09cb17f8d04ece28f0889a6d5fd817e316
SHA512b78fb6ae4cf260dd02101fa6c248ac4501922f2272471fd746117aadd62797747d54fa8993ae9730b5892df74144e7b06c9f00e7e5bca9568667bae780707ee5
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\anlx.exeFilesize
341KB
MD53e992824465f02894e443cc255fff678
SHA10c95d1a78a548c60da4f2c15465efd2e122bb8da
SHA25644946a180522e0a95656ed6be0cdb70acf648b7c3eae27850762ac344b05f8d0
SHA512becd6d844a43ad48d6c0b9af2cbf15b7f6085c5bab5c4eae4bd909b0064c7fca22a6601b94416f86a9e51a4a6f88cdbe73723a2862ff25c222b2f75809d3b9a3
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\anlx.exeFilesize
341KB
MD53e992824465f02894e443cc255fff678
SHA10c95d1a78a548c60da4f2c15465efd2e122bb8da
SHA25644946a180522e0a95656ed6be0cdb70acf648b7c3eae27850762ac344b05f8d0
SHA512becd6d844a43ad48d6c0b9af2cbf15b7f6085c5bab5c4eae4bd909b0064c7fca22a6601b94416f86a9e51a4a6f88cdbe73723a2862ff25c222b2f75809d3b9a3
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD59221a421a3e777eb7d4ce55e474bcc4a
SHA1c96d7bd7ccbf9352d50527bff472595b3dc5298e
SHA25610ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
SHA51263ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD59221a421a3e777eb7d4ce55e474bcc4a
SHA1c96d7bd7ccbf9352d50527bff472595b3dc5298e
SHA25610ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
SHA51263ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3
-
memory/176-158-0x0000000000000000-mapping.dmp
-
memory/228-159-0x0000000000000000-mapping.dmp
-
memory/2012-149-0x00007FFB6C440000-0x00007FFB6CF01000-memory.dmpFilesize
10.8MB
-
memory/2012-147-0x0000000000960000-0x000000000096A000-memory.dmpFilesize
40KB
-
memory/2012-144-0x0000000000000000-mapping.dmp
-
memory/2012-148-0x00007FFB6C440000-0x00007FFB6CF01000-memory.dmpFilesize
10.8MB
-
memory/2080-161-0x0000000000000000-mapping.dmp
-
memory/2952-156-0x0000000000000000-mapping.dmp
-
memory/3140-157-0x0000000000000000-mapping.dmp
-
memory/3544-163-0x0000000000000000-mapping.dmp
-
memory/4236-165-0x0000000000000000-mapping.dmp
-
memory/4268-162-0x0000000000000000-mapping.dmp
-
memory/4296-132-0x0000000000000000-mapping.dmp
-
memory/4456-150-0x0000000000000000-mapping.dmp
-
memory/4748-153-0x0000000000000000-mapping.dmp
-
memory/4796-141-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/4796-142-0x0000000000644000-0x0000000000664000-memory.dmpFilesize
128KB
-
memory/4796-140-0x00000000005F0000-0x000000000061D000-memory.dmpFilesize
180KB
-
memory/4796-143-0x0000000000400000-0x0000000000471000-memory.dmpFilesize
452KB
-
memory/4796-139-0x0000000000644000-0x0000000000664000-memory.dmpFilesize
128KB
-
memory/4796-138-0x0000000004A80000-0x0000000005024000-memory.dmpFilesize
5.6MB
-
memory/4796-135-0x0000000000000000-mapping.dmp
-
memory/4948-160-0x0000000000000000-mapping.dmp