Analysis
-
max time kernel
84s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
15-02-2023 15:44
General
-
Target
SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.28945.7721.msi
-
Size
12.8MB
-
MD5
22499f67ab91bdc43967a3ffd9d4a73a
-
SHA1
4a660bb1421d3df423702f630c3bde242967def0
-
SHA256
d1a7c0fe0e6f2790d8603cd7b6dfd10f6f340165eec003b4be8a5b68515f9023
-
SHA512
78de900d4dcff4f9113829dc521d498e233d68fe2258d0df0a0c1853e436588993fe4ef7fa35fa242e38cbd4374775897310aa1a59ba884a3b7b6961124f42c9
-
SSDEEP
393216:guJ6RO06ATsQq6IUKqwm1JL8Wl6TJPqsDs:SR/6m27LZm1xFUJPq
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.28945.7721.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EA0038D93B938E8E73D923C8228FCEDA2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-2bd495f2-1d76-4df0-bc39-02bf3c8e8b7c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\MW-2bd495f2-1d76-4df0-bc39-02bf3c8e8b7c\files\s7.exe"C:\Users\Admin\AppData\Local\Temp\MW-2bd495f2-1d76-4df0-bc39-02bf3c8e8b7c\files\s7.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c @echo off & ping 127.0.0.1 -n 5 -w 1000 > nul & del "C:\Users\Admin\AppData\Local\Temp\MW-2bd495f2-1d76-4df0-bc39-02bf3c8e8b7c\files\s7.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 5 -w 10005⤵
- Runs ping.exe
-
C:\ProgramData\banikiyig\diwomohimoba.exe"C:\ProgramData\banikiyig\diwomohimoba.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\edtgpboz1qec8ia8240639281.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\dsj0nnvba240639281.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\aht48pn88p4fk240639375.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\k11idi6pl2g189rj240639375.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\google\chrome\user data\default\Preferences\" \"C:\Users\Admin\AppData\Local\Temp\pngc64jd4o240639656.tmp\" -Force"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\dmk89vqve240652593.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\l8hjqx0yvkr240652593.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\rugap86gm0u240652687.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\29zg8yd8gb240652687.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\microsoft\edge\user data\default\Preferences\" \"C:\Users\Admin\AppData\Local\Temp\zffvsodg240652968.tmp\" -Force"6⤵
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-2bd495f2-1d76-4df0-bc39-02bf3c8e8b7c\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\banikiyig\diwomohimoba.exeFilesize
36.9MB
MD5b40d5fe0967d3d4e0071348e280777cc
SHA1cd9f6c94a48bae45bf13d6e3dfa5516aa5259383
SHA2567242adfd6b3efa0cb4713dcb3ad70c62ef7890d4661678934be7c85258e0d9a1
SHA5129df4c854fb1181dc0978613e55e846ea3fa0650003c1397f61cf3259fef637bb08a59b75a8c8da6e2149a110f7c1955cb1cbb39f37b890af91dea7def20a36c8
-
C:\ProgramData\banikiyig\diwomohimoba.exeFilesize
35.2MB
MD52e4c3fd3c3ff26a0a9a6efcc01075b01
SHA14c6c23702e7a3fa48d607109898e74bc98c89abe
SHA2561f6c5f7886acdbfdd744f2edc682a674df948a276e521a5d971189ea20396633
SHA5124099d238f5cdebb6e89de517d5ecb064b4552757dedafa1ca55b1e759afa2e3b96d9cb987ff533287211b056c4570c54d7f37a069c9fbf90b5e94897f74dcd1c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5235a8eb126d835efb2e253459ab8b089
SHA1293fbf68e6726a5a230c3a42624c01899e35a89f
SHA2565ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92
-
C:\Users\Admin\AppData\Local\Temp\29zg8yd8gb240652687.tmpFilesize
2KB
MD55d2f52312a0a56c2af744ec87bac940d
SHA1b6e00448168c5c28c10df4bbd412016a63081755
SHA2560e4164daab706161a0a397450181709e86be6da842df30e958b9a8aef9d62486
SHA5121f5a29027c78511999dad2d3a375a41f3d90277cef57dec55efd7c9bccc837477d63dd8dc9c4e823d50a2630ba1bbbd1922d90f3235d7d244232859352d6fdba
-
C:\Users\Admin\AppData\Local\Temp\MW-2bd495f2-1d76-4df0-bc39-02bf3c8e8b7c\files.cabFilesize
12.2MB
MD507ef05e6ea4e1ace9b227a4d01094f59
SHA1b4039603eaad277ffc647a9435b5ef0361de20ed
SHA256018ec3e92de5ac18e02f6f3ad23995f233355466649f0e46df5c430d50c2989d
SHA512369237768c32da57fcb3dea6bce50b797e72250605deb351a8b137368dc5bec95195873e5406918cd9f863605abb9f6ab8548349e92b87bed93dcd8f3603ec19
-
C:\Users\Admin\AppData\Local\Temp\MW-2bd495f2-1d76-4df0-bc39-02bf3c8e8b7c\files\s7.exeFilesize
117.3MB
MD50f18fc85c237ac7bb5201e015ccc2eeb
SHA17d88c0ff364b0b4b23a3285e4e72660f432685de
SHA256b1e5424ca2a70ecbe21af5ef5b2ecaf81679591f112fef1048bdfa3fd8c5a132
SHA5127020ffc78c7220e9587d3f736197e67ace32f24114d564bbb967694be19879db80352b2768de311a8aacc37fcdf70100a894a6ac9ecf7236fc6bffe41fa8091b
-
C:\Users\Admin\AppData\Local\Temp\MW-2bd495f2-1d76-4df0-bc39-02bf3c8e8b7c\files\s7.exeFilesize
110.6MB
MD5034baa0a7ae7305253767fe96dabe40e
SHA105c48bc8375d0a3eeedda23306e162c28a92f064
SHA25639d65f5c1282b1563bd20cd9b0ba606282ba47fa840148f868e0b6b5d8bc31d7
SHA51271b9e1d04b0008d118dfdbcea82c03873725bc6905cfc158c982b3aa95f12956c5e007cddf02f10ebab05a66179657d8c0df216d3fff80d109d938790c113e77
-
C:\Users\Admin\AppData\Local\Temp\MW-2bd495f2-1d76-4df0-bc39-02bf3c8e8b7c\msiwrapper.iniFilesize
1KB
MD577c70ce9ed451058878f7184aba1f96b
SHA1a1a9cc25c93ec647be93249a706ec960cdbcd415
SHA256bf832f4727018cfdda7aa732e698538f39d1c16fad9f8513081b11f75b1778b3
SHA5122796b1b3fc9c87bb0434a1e08bf5508227e14505b10f86d4f7f7d9975345a1ac74759e08717fd18039193e7c0e859c098fbc8d77786897e3ac74324142690cbb
-
C:\Users\Admin\AppData\Local\Temp\MW-2bd495f2-1d76-4df0-bc39-02bf3c8e8b7c\msiwrapper.iniFilesize
1KB
MD57db9664beb47158f49504c7feb4dfbe4
SHA1ae35660e2e06375f334fdb20ca119a9fb94c0de2
SHA256a50bd4e66abb5c294d472354116ec86335bfe65d219e084c60dcab338b4b5428
SHA51252dec23958a3f992110860ee9aeb49fe333e58f6e8a4b83a6663b29c900397876163f17388c44dc1c53ead46352298718cddeb6afa605dfb7e8bc0b231c22264
-
C:\Users\Admin\AppData\Local\Temp\aht48pn88p4fk240639375.tmpFilesize
20KB
MD5055c8c5c47424f3c2e7a6fc2ee904032
SHA15952781d22cff35d94861fac25d89a39af6d0a87
SHA256531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a
SHA512c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a
-
C:\Users\Admin\AppData\Local\Temp\dmk89vqve240652593.tmpFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\dsj0nnvba240639281.tmpFilesize
88KB
MD58ee018331e95a610680a789192a9d362
SHA1e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9
SHA25694354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575
SHA5124b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4
-
C:\Users\Admin\AppData\Local\Temp\edtgpboz1qec8ia8240639281.tmpFilesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\k11idi6pl2g189rj240639375.tmpFilesize
2KB
MD5cdaa4c77cf37240a2822b239378841af
SHA1f4d4daf9c90849075a58c6f13a9ad342edf0539a
SHA256c480c95d9111d82555e0f0d7ed47b97f364735e4102f56dfbb629ed2f89ba8a1
SHA512912d5b1636138ce9af6934bfafc672e4b8c5a8ea4ee6769c70dba1ab128651b4753284582a70003bdf5e31f1bd9f28a2210a1300051d8ab61996fb3160112a92
-
C:\Users\Admin\AppData\Local\Temp\l8hjqx0yvkr240652593.tmpFilesize
112KB
MD5780853cddeaee8de70f28a4b255a600b
SHA1ad7a5da33f7ad12946153c497e990720b09005ed
SHA2561055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3
SHA512e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8
-
C:\Users\Admin\AppData\Local\Temp\pngc64jd4o240639656.tmpFilesize
6KB
MD5a5538caf2565d8c1e8ae8dce2b50e6cd
SHA17e7d30bc443a36ecc9033bdf5329ce9ee86783d9
SHA25695385104dfabee539b43c98ad10ab6c2c229f14e672dd91a3f645555086cfaf8
SHA5126afa57de6d03cdd924f32c0361787ad818bc1805875d656b8d396eeb7e402ff23e7562d38b2fc2f5889cb200ac17cf5f3f98c34e0503ef0b2f97fa20cb05682d
-
C:\Users\Admin\AppData\Local\Temp\zffvsodg240652968.tmpFilesize
3KB
MD5585ab466f02cbc2c12a710df620c775b
SHA1eeb2d2e7c863ef0ed147b4b26954567c33345973
SHA256bae4937cad057e620bb35525f9ebe6e0ce01bf693f391e8035bc55bc2bd9c1af
SHA512d4d5303a545068cee4d5262ec7cd5d949b9fff5e9367780d08674c509cae2be5f77bafd7810df692744e79325e7a4bfe60523eb454f22282c2be9dae368c9681
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
6KB
MD588950b54536ebaee56e01c6bc0d08c19
SHA1c6e9b250ec09f18d0272ea24cf8815cb92f94daf
SHA2562796344a41b33be0033be8d06ad2c6f885abc50aa126b19f182a28338d5285da
SHA5127164476cc4fa7143c4430276a5e0507b13e89085576126c25db1e3f349faa646d5902fe7a22732249a4b8a7d934419099455cc040acb14bb8f232d8db73ee2ed
-
C:\Windows\Installer\MSI8196.tmpFilesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
C:\Windows\Installer\MSI8196.tmpFilesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
C:\Windows\Installer\MSIEF75.tmpFilesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
C:\Windows\Installer\MSIEF75.tmpFilesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.0MB
MD5218bc03afc1ac6cae7adc862576efe9c
SHA17985b0588203c3f55d108fc72a322907948adcac
SHA256471ba7af46e3cc9e8055e4da2b994fbb28557f16547226df9bd89c874c928ecb
SHA512551bb7f774cf14370e284779abc653974c4ccf1812e8e82d0e91c87fbfeb5313706cd79ddc74e09bacafbb4a488762b228760b51f68bdd0dfcacb08a5e7ac4e4
-
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{778bddd9-903d-474f-b752-ee2ac786cc04}_OnDiskSnapshotPropFilesize
5KB
MD58168764c59d728a8fdf7ce2eb29a8a67
SHA13893fb2756f4c9081e18ed87d5ef603b3b810eec
SHA25665382db4b83b2653d7ea705259735c2a4c00c43bde4c3b6269e1c5a24797dfff
SHA51232a9666f0b6c8afb0c69dcbc47c6da96691c45dceea7e754fa111d3c3b615f421804765c79a3624d4992062b1e436d024d7850357a31888480abf87ba2e89b08
-
memory/220-178-0x0000000000000000-mapping.dmp
-
memory/220-180-0x00007FFC86020000-0x00007FFC86AE1000-memory.dmpFilesize
10.8MB
-
memory/220-179-0x000001DD47DE0000-0x000001DD47E02000-memory.dmpFilesize
136KB
-
memory/888-154-0x0000000000000000-mapping.dmp
-
memory/1104-132-0x0000000000000000-mapping.dmp
-
memory/1940-133-0x0000000000000000-mapping.dmp
-
memory/2064-167-0x0000000000400000-0x00000000007BF000-memory.dmpFilesize
3.7MB
-
memory/2064-166-0x0000000000000000-mapping.dmp
-
memory/2064-184-0x0000000004120000-0x00000000041C7000-memory.dmpFilesize
668KB
-
memory/2064-172-0x0000000000400000-0x00000000007BF000-memory.dmpFilesize
3.7MB
-
memory/2064-173-0x0000000011000000-0x0000000011158000-memory.dmpFilesize
1.3MB
-
memory/2064-174-0x0000000004120000-0x00000000041C7000-memory.dmpFilesize
668KB
-
memory/2064-176-0x0000000004120000-0x00000000041C7000-memory.dmpFilesize
668KB
-
memory/2064-175-0x0000000011000000-0x0000000011158000-memory.dmpFilesize
1.3MB
-
memory/2064-177-0x0000000000400000-0x00000000007BF000-memory.dmpFilesize
3.7MB
-
memory/2064-168-0x0000000000400000-0x00000000007BF000-memory.dmpFilesize
3.7MB
-
memory/2064-171-0x0000000000400000-0x00000000007BF000-memory.dmpFilesize
3.7MB
-
memory/2064-169-0x0000000000400000-0x00000000007BF000-memory.dmpFilesize
3.7MB
-
memory/2200-161-0x0000000000020000-0x0000000001498000-memory.dmpFilesize
20.5MB
-
memory/2200-165-0x0000000001B33000-0x0000000001B3D000-memory.dmpFilesize
40KB
-
memory/2200-151-0x0000000000000000-mapping.dmp
-
memory/2200-170-0x0000000001B33000-0x0000000001B3D000-memory.dmpFilesize
40KB
-
memory/3388-139-0x0000000000000000-mapping.dmp
-
memory/4292-145-0x0000000000EC0000-0x0000000002338000-memory.dmpFilesize
20.5MB
-
memory/4292-155-0x00000000029C3000-0x00000000029CD000-memory.dmpFilesize
40KB
-
memory/4292-141-0x0000000000000000-mapping.dmp
-
memory/4292-150-0x00000000029C3000-0x00000000029CD000-memory.dmpFilesize
40KB
-
memory/4292-149-0x00000000029C3000-0x00000000029CD000-memory.dmpFilesize
40KB
-
memory/4496-136-0x0000000000000000-mapping.dmp
-
memory/4652-191-0x00007FFC86020000-0x00007FFC86AE1000-memory.dmpFilesize
10.8MB
-
memory/4652-187-0x0000000000000000-mapping.dmp
-
memory/4676-156-0x0000000000000000-mapping.dmp
-
memory/5076-157-0x0000000000000000-mapping.dmp