Analysis
-
max time kernel
118s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
07-02-2023 00:35
Static task
static1
Behavioral task
behavioral1
Sample
b1672cb34ff89230e6ccb7f8446f41987e387298b0d20d785e4bc4cc8feb7250.exe
Resource
win10v2004-20220901-en
General
-
Target
b1672cb34ff89230e6ccb7f8446f41987e387298b0d20d785e4bc4cc8feb7250.exe
-
Size
557KB
-
MD5
658753446e290e92115e2e741aac64a8
-
SHA1
0120ab100f19fb314d4e7168c848ee08b41ba47d
-
SHA256
b1672cb34ff89230e6ccb7f8446f41987e387298b0d20d785e4bc4cc8feb7250
-
SHA512
dd6cd5cfffd11ce5e7d2675e679c9fdb5712d7f059d86644e8f989ddaae0c2bf60b68793a5523ff01912adb2c15e610f3bf99ab5ba18ccfffa54110dd729aaa0
-
SSDEEP
12288:5Mrky90mJ/A3EePjCaHsO0laO0X4LQ4A2:pyP/AUMjCaHsOaVQ8C2
Malware Config
Extracted
amadey
3.66
62.204.41.5/Bu58Ngs/index.php
Signatures
-
Processes:
aEEx.exemika.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection aEEx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" aEEx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" mika.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" aEEx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" aEEx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" aEEx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" aEEx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection mika.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
vona.exemnolyk.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation vona.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation mnolyk.exe -
Executes dropped EXE 7 IoCs
Processes:
cEEn.exeaEEx.exemika.exevona.exemnolyk.exemnolyk.exemnolyk.exepid process 4724 cEEn.exe 1456 aEEx.exe 4564 mika.exe 4244 vona.exe 1308 mnolyk.exe 1772 mnolyk.exe 4332 mnolyk.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 2424 rundll32.exe -
Processes:
aEEx.exemika.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features aEEx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" aEEx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" mika.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
b1672cb34ff89230e6ccb7f8446f41987e387298b0d20d785e4bc4cc8feb7250.execEEn.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce b1672cb34ff89230e6ccb7f8446f41987e387298b0d20d785e4bc4cc8feb7250.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" b1672cb34ff89230e6ccb7f8446f41987e387298b0d20d785e4bc4cc8feb7250.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce cEEn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" cEEn.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 440 1456 WerFault.exe aEEx.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
aEEx.exemika.exepid process 1456 aEEx.exe 1456 aEEx.exe 4564 mika.exe 4564 mika.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
aEEx.exemika.exedescription pid process Token: SeDebugPrivilege 1456 aEEx.exe Token: SeDebugPrivilege 4564 mika.exe -
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
b1672cb34ff89230e6ccb7f8446f41987e387298b0d20d785e4bc4cc8feb7250.execEEn.exevona.exemnolyk.execmd.exedescription pid process target process PID 1712 wrote to memory of 4724 1712 b1672cb34ff89230e6ccb7f8446f41987e387298b0d20d785e4bc4cc8feb7250.exe cEEn.exe PID 1712 wrote to memory of 4724 1712 b1672cb34ff89230e6ccb7f8446f41987e387298b0d20d785e4bc4cc8feb7250.exe cEEn.exe PID 1712 wrote to memory of 4724 1712 b1672cb34ff89230e6ccb7f8446f41987e387298b0d20d785e4bc4cc8feb7250.exe cEEn.exe PID 4724 wrote to memory of 1456 4724 cEEn.exe aEEx.exe PID 4724 wrote to memory of 1456 4724 cEEn.exe aEEx.exe PID 4724 wrote to memory of 1456 4724 cEEn.exe aEEx.exe PID 4724 wrote to memory of 4564 4724 cEEn.exe mika.exe PID 4724 wrote to memory of 4564 4724 cEEn.exe mika.exe PID 1712 wrote to memory of 4244 1712 b1672cb34ff89230e6ccb7f8446f41987e387298b0d20d785e4bc4cc8feb7250.exe vona.exe PID 1712 wrote to memory of 4244 1712 b1672cb34ff89230e6ccb7f8446f41987e387298b0d20d785e4bc4cc8feb7250.exe vona.exe PID 1712 wrote to memory of 4244 1712 b1672cb34ff89230e6ccb7f8446f41987e387298b0d20d785e4bc4cc8feb7250.exe vona.exe PID 4244 wrote to memory of 1308 4244 vona.exe mnolyk.exe PID 4244 wrote to memory of 1308 4244 vona.exe mnolyk.exe PID 4244 wrote to memory of 1308 4244 vona.exe mnolyk.exe PID 1308 wrote to memory of 4324 1308 mnolyk.exe schtasks.exe PID 1308 wrote to memory of 4324 1308 mnolyk.exe schtasks.exe PID 1308 wrote to memory of 4324 1308 mnolyk.exe schtasks.exe PID 1308 wrote to memory of 5048 1308 mnolyk.exe cmd.exe PID 1308 wrote to memory of 5048 1308 mnolyk.exe cmd.exe PID 1308 wrote to memory of 5048 1308 mnolyk.exe cmd.exe PID 5048 wrote to memory of 4152 5048 cmd.exe cmd.exe PID 5048 wrote to memory of 4152 5048 cmd.exe cmd.exe PID 5048 wrote to memory of 4152 5048 cmd.exe cmd.exe PID 5048 wrote to memory of 544 5048 cmd.exe cacls.exe PID 5048 wrote to memory of 544 5048 cmd.exe cacls.exe PID 5048 wrote to memory of 544 5048 cmd.exe cacls.exe PID 5048 wrote to memory of 4480 5048 cmd.exe cacls.exe PID 5048 wrote to memory of 4480 5048 cmd.exe cacls.exe PID 5048 wrote to memory of 4480 5048 cmd.exe cacls.exe PID 5048 wrote to memory of 1012 5048 cmd.exe cmd.exe PID 5048 wrote to memory of 1012 5048 cmd.exe cmd.exe PID 5048 wrote to memory of 1012 5048 cmd.exe cmd.exe PID 5048 wrote to memory of 384 5048 cmd.exe cacls.exe PID 5048 wrote to memory of 384 5048 cmd.exe cacls.exe PID 5048 wrote to memory of 384 5048 cmd.exe cacls.exe PID 5048 wrote to memory of 2988 5048 cmd.exe cacls.exe PID 5048 wrote to memory of 2988 5048 cmd.exe cacls.exe PID 5048 wrote to memory of 2988 5048 cmd.exe cacls.exe PID 1308 wrote to memory of 2424 1308 mnolyk.exe rundll32.exe PID 1308 wrote to memory of 2424 1308 mnolyk.exe rundll32.exe PID 1308 wrote to memory of 2424 1308 mnolyk.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1672cb34ff89230e6ccb7f8446f41987e387298b0d20d785e4bc4cc8feb7250.exe"C:\Users\Admin\AppData\Local\Temp\b1672cb34ff89230e6ccb7f8446f41987e387298b0d20d785e4bc4cc8feb7250.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cEEn.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cEEn.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aEEx.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aEEx.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 10804⤵
- Program crash
PID:440 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F4⤵
- Creates scheduled task(s)
PID:4324 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4152
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:N"5⤵PID:544
-
C:\Windows\SysWOW64\cacls.exeCACLS "mnolyk.exe" /P "Admin:R" /E5⤵PID:4480
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1012
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:N"5⤵PID:384
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5eb6b96734" /P "Admin:R" /E5⤵PID:2988
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
PID:2424
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1456 -ip 14561⤵PID:3808
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe1⤵
- Executes dropped EXE
PID:1772
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeC:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe1⤵
- Executes dropped EXE
PID:4332
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cEEn.exeFilesize
371KB
MD591abf593df9a949e1e2e584f06f3cbf7
SHA1ae3919107122b7ff9de89f033906f337856f7f57
SHA2564afb1352c6d1281c550970db208143c1640dbceddca7636da224b40176645da7
SHA512bd171d6b28959df530e814a59dad4154a70d8a58506c03632bb502d4c0ce4535cee5c273f5b2302aeeccd3c55cd828ed79c04f9ddafd23950adf311a57ff4102
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cEEn.exeFilesize
371KB
MD591abf593df9a949e1e2e584f06f3cbf7
SHA1ae3919107122b7ff9de89f033906f337856f7f57
SHA2564afb1352c6d1281c550970db208143c1640dbceddca7636da224b40176645da7
SHA512bd171d6b28959df530e814a59dad4154a70d8a58506c03632bb502d4c0ce4535cee5c273f5b2302aeeccd3c55cd828ed79c04f9ddafd23950adf311a57ff4102
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vona.exeFilesize
236KB
MD5fde8915d251fada3a37530421eb29dcf
SHA144386a8947ddfab993409945dae05a772a13e047
SHA2566cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
SHA512ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aEEx.exeFilesize
341KB
MD5153833d9864a4194e1a8e2aa434195f8
SHA197aa030d9853b360e77c566fd8e1c04aa08c993e
SHA2560e55ddcf51453954e5140e9dc8c2d8f3c3666fd980beff61c7265e159e55742f
SHA512ba98ec2a2c7bb26c3f70c9c79ddd6ad332ffb8ee05533cb1b5be573a508c8e60ec50143a18a31c72947440202ea07aeab761a418672f3057465c4b669545b3ce
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aEEx.exeFilesize
341KB
MD5153833d9864a4194e1a8e2aa434195f8
SHA197aa030d9853b360e77c566fd8e1c04aa08c993e
SHA2560e55ddcf51453954e5140e9dc8c2d8f3c3666fd980beff61c7265e159e55742f
SHA512ba98ec2a2c7bb26c3f70c9c79ddd6ad332ffb8ee05533cb1b5be573a508c8e60ec50143a18a31c72947440202ea07aeab761a418672f3057465c4b669545b3ce
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mika.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD59221a421a3e777eb7d4ce55e474bcc4a
SHA1c96d7bd7ccbf9352d50527bff472595b3dc5298e
SHA25610ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
SHA51263ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD59221a421a3e777eb7d4ce55e474bcc4a
SHA1c96d7bd7ccbf9352d50527bff472595b3dc5298e
SHA25610ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
SHA51263ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3
-
memory/384-163-0x0000000000000000-mapping.dmp
-
memory/544-160-0x0000000000000000-mapping.dmp
-
memory/1012-162-0x0000000000000000-mapping.dmp
-
memory/1308-154-0x0000000000000000-mapping.dmp
-
memory/1456-135-0x0000000000000000-mapping.dmp
-
memory/1456-139-0x0000000000570000-0x0000000000670000-memory.dmpFilesize
1024KB
-
memory/1456-140-0x0000000000840000-0x000000000086D000-memory.dmpFilesize
180KB
-
memory/1456-144-0x0000000000400000-0x00000000004D1000-memory.dmpFilesize
836KB
-
memory/1456-143-0x0000000000570000-0x0000000000670000-memory.dmpFilesize
1024KB
-
memory/1456-142-0x0000000004BA0000-0x0000000005144000-memory.dmpFilesize
5.6MB
-
memory/1456-141-0x0000000000400000-0x00000000004D1000-memory.dmpFilesize
836KB
-
memory/2424-166-0x0000000000000000-mapping.dmp
-
memory/2988-164-0x0000000000000000-mapping.dmp
-
memory/4152-159-0x0000000000000000-mapping.dmp
-
memory/4244-151-0x0000000000000000-mapping.dmp
-
memory/4324-157-0x0000000000000000-mapping.dmp
-
memory/4480-161-0x0000000000000000-mapping.dmp
-
memory/4564-149-0x00007FFE93F60000-0x00007FFE94A21000-memory.dmpFilesize
10.8MB
-
memory/4564-145-0x0000000000000000-mapping.dmp
-
memory/4564-148-0x0000000000D90000-0x0000000000D9A000-memory.dmpFilesize
40KB
-
memory/4564-150-0x00007FFE93F60000-0x00007FFE94A21000-memory.dmpFilesize
10.8MB
-
memory/4724-132-0x0000000000000000-mapping.dmp
-
memory/5048-158-0x0000000000000000-mapping.dmp