Overview
overview
10Static
static
8Heart-Send...ig.bat
windows7_x64
10Heart-Send...ig.bat
windows10_x64
10Heart-Send...ck.dll
windows7_x64
1Heart-Send...ck.dll
windows10_x64
1Heart-Send...ad.exe
windows7_x64
3Heart-Send...ad.exe
windows10_x64
1Heart-Send...er.exe
windows7_x64
9Heart-Send...er.exe
windows10_x64
9Heart-Send...r1.exe
windows7_x64
9Heart-Send...r1.exe
windows10_x64
9Heart-Send...ye.exe
windows7_x64
10Heart-Send...ye.exe
windows10_x64
10Heart-Send...ck.dll
windows7_x64
1Heart-Send...ck.dll
windows10_x64
1Heart-Send...ad.exe
windows7_x64
1Heart-Send...ad.exe
windows10_x64
1Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-03-2021 13:55
Static task
static1
Behavioral task
behavioral1
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Config.bat
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Config.bat
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Heart/HtmlAgilityPack.dll
Resource
win7v20201028
Behavioral task
behavioral4
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Heart/HtmlAgilityPack.dll
Resource
win10v20201028
Behavioral task
behavioral5
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Heart/Load.exe
Resource
win7v20201028
Behavioral task
behavioral6
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Heart/Load.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Loader.exe
Resource
win7v20201028
Behavioral task
behavioral8
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Loader.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Loader1.exe
Resource
win7v20201028
Behavioral task
behavioral10
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Loader1.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
Resource
win7v20201028
Behavioral task
behavioral12
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Heart-Sender-V1.2 Cracked by JC0der-FireEye.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/HtmlAgilityPack.dll
Resource
win7v20201028
Behavioral task
behavioral14
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/HtmlAgilityPack.dll
Resource
win10v20201028
Behavioral task
behavioral15
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Load.exe
Resource
win7v20201028
Behavioral task
behavioral16
Sample
Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Load.exe
Resource
win10v20201028
General
Malware Config
Extracted
quasar
1.3.0.0
Heart
185.163.127.20:61110
HRT_MUTEX_kecTsVDPnERdvianlr
-
encryption_key
3vnM9JqtaSdxUVqeTXSi
-
install_name
Subfile.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDirr
Signatures
-
Quasar Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe family_quasar C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe family_quasar -
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule \Program Files\Common Files\System\symsrv.dll acprotect C:\Program Files\Common Files\System\symsrv.dll acprotect \Program Files\Common Files\System\symsrv.dll acprotect -
Executes dropped EXE 2 IoCs
Processes:
Sys32.exeSubfile.exepid process 760 Sys32.exe 1504 Subfile.exe -
Processes:
resource yara_rule \Program Files\Common Files\System\symsrv.dll upx C:\Program Files\Common Files\System\symsrv.dll upx C:\Users\Admin\AppData\Local\Temp\A1D26E2\7B484A06D8.tmp upx \Program Files\Common Files\System\symsrv.dll upx -
Loads dropped DLL 2 IoCs
Processes:
Loader.exeLoader1.exepid process 1752 Loader.exe 1704 Loader1.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 ip-api.com -
Drops file in Program Files directory 1 IoCs
Processes:
Loader.exedescription ioc process File created C:\Program Files\Common Files\System\symsrv.dll Loader.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
Sys32.exepid process 760 Sys32.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
Processes:
Loader.exeLoader1.exepid process 1752 Loader.exe 1704 Loader1.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exepowershell.exepid process 1180 powershell.exe 1180 powershell.exe 1740 powershell.exe 1740 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
powershell.exepowershell.exeLoader.exeLoader1.exeSubfile.exedescription pid process Token: SeDebugPrivilege 1180 powershell.exe Token: SeDebugPrivilege 1740 powershell.exe Token: SeDebugPrivilege 1752 Loader.exe Token: SeDebugPrivilege 1704 Loader1.exe Token: SeDebugPrivilege 1504 Subfile.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Subfile.exepid process 1504 Subfile.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
cmd.exetaskeng.exedescription pid process target process PID 1656 wrote to memory of 1180 1656 cmd.exe powershell.exe PID 1656 wrote to memory of 1180 1656 cmd.exe powershell.exe PID 1656 wrote to memory of 1180 1656 cmd.exe powershell.exe PID 1656 wrote to memory of 1740 1656 cmd.exe powershell.exe PID 1656 wrote to memory of 1740 1656 cmd.exe powershell.exe PID 1656 wrote to memory of 1740 1656 cmd.exe powershell.exe PID 1656 wrote to memory of 296 1656 cmd.exe schtasks.exe PID 1656 wrote to memory of 296 1656 cmd.exe schtasks.exe PID 1656 wrote to memory of 296 1656 cmd.exe schtasks.exe PID 1656 wrote to memory of 1144 1656 cmd.exe schtasks.exe PID 1656 wrote to memory of 1144 1656 cmd.exe schtasks.exe PID 1656 wrote to memory of 1144 1656 cmd.exe schtasks.exe PID 1656 wrote to memory of 1116 1656 cmd.exe attrib.exe PID 1656 wrote to memory of 1116 1656 cmd.exe attrib.exe PID 1656 wrote to memory of 1116 1656 cmd.exe attrib.exe PID 1656 wrote to memory of 1752 1656 cmd.exe Loader.exe PID 1656 wrote to memory of 1752 1656 cmd.exe Loader.exe PID 1656 wrote to memory of 1752 1656 cmd.exe Loader.exe PID 1656 wrote to memory of 1752 1656 cmd.exe Loader.exe PID 1656 wrote to memory of 1752 1656 cmd.exe Loader.exe PID 1656 wrote to memory of 1752 1656 cmd.exe Loader.exe PID 1656 wrote to memory of 1752 1656 cmd.exe Loader.exe PID 1656 wrote to memory of 1704 1656 cmd.exe Loader1.exe PID 1656 wrote to memory of 1704 1656 cmd.exe Loader1.exe PID 1656 wrote to memory of 1704 1656 cmd.exe Loader1.exe PID 1656 wrote to memory of 1704 1656 cmd.exe Loader1.exe PID 1656 wrote to memory of 1704 1656 cmd.exe Loader1.exe PID 1656 wrote to memory of 1704 1656 cmd.exe Loader1.exe PID 1656 wrote to memory of 1704 1656 cmd.exe Loader1.exe PID 528 wrote to memory of 760 528 taskeng.exe Sys32.exe PID 528 wrote to memory of 760 528 taskeng.exe Sys32.exe PID 528 wrote to memory of 760 528 taskeng.exe Sys32.exe PID 528 wrote to memory of 1504 528 taskeng.exe Subfile.exe PID 528 wrote to memory of 1504 528 taskeng.exe Subfile.exe PID 528 wrote to memory of 1504 528 taskeng.exe Subfile.exe PID 528 wrote to memory of 1504 528 taskeng.exe Subfile.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Config.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:\Users" -force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile0" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe" /RL HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile1" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe" /RL HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\attrib.exeattrib +h +s C:\Users\Admin\AppData\Roaming\SubDirr2⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader.exeloader.exe -pP@$$W@RD@@2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader1.exeloader1.exe -pP@$$W@RD@@2⤵
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {9D685995-0A55-4FAC-A5FF-993ECDFDEDFA} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exeC:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
-
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exeC:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\System\symsrv.dllMD5
7574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1edd574d-9e49-4d9a-bdfc-8a95a3c1e53eMD5
faa37917b36371249ac9fcf93317bf97
SHA1a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
SHA256b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
SHA512614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3e4e1b4d-8adf-473b-881b-b19a9bfb379bMD5
e5b3ba61c3cf07deda462c9b27eb4166
SHA1b324dad73048be6e27467315f82b7a5c1438a1f9
SHA256b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
SHA512a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6a48fbef-3c0b-4020-9294-3c5e0a594063MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_72c96d48-96f2-483a-8c88-e27307cc643fMD5
d89968acfbd0cd60b51df04860d99896
SHA1b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA2561020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_78ab6aaf-1fe5-4667-9edc-cdafcb7bd27fMD5
7f79b990cb5ed648f9e583fe35527aa7
SHA171b177b48c8bd745ef02c2affad79ca222da7c33
SHA256080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA51220926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8543a549-cdfb-4fca-b0c4-3319dcc5f534MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA181dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA5128c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a7c8de12-6b5f-4f57-be6b-2349c05f27cbMD5
6f0d509e28be1af95ba237d4f43adab4
SHA1c665febe79e435843553bee86a6cea731ce6c5e4
SHA256f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA5128dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
f0b80483d31ac747f8665b57793f60c2
SHA1ce3dd07b6f9d271f89f7f4a506ebef8ff086957e
SHA25610d3fde716a210aea888ece2ce1ac0a3d99bbf98e256ade403c5d28f2da1bbc0
SHA512de21ebe41110c63b81ce8416d2cd62f80533010621c07d1d1f5bb4290a19202b0b8d473f1d90e00784bab7bbeb969eea9c279ae43d19649d36a15a9d1a2ca9c9
-
C:\Users\Admin\AppData\Local\Temp\A1D26E2\7B484A06D8.tmpMD5
a0f5d9448eed029fef6d9944df015832
SHA1560dc39fbdccf26465005baf60648d3e0e41b32a
SHA25602d46c7d93d8be4e82fd29d9452203f86d75476dbfcc952efa63360a260fb242
SHA512c41251267d6c42aa916df9e15304e839b0cb9087c834c9aa2a3b912b91c67ba1804e0a1854c64b14654d9ead03e1ed0e4a4ca3a4fd87616f7ad47c8edcec12d7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
490e0b8ae37d7e2ed16c47d33f8479ec
SHA137aa4716c5e19348186471b526fadc97c38fec58
SHA256899663718a295d8cef076bb8c0c52f9f53c1b54591cdd99fb45e1fb59e3cd959
SHA5128e970ab568af254f412814ca8b64a4fde77ac1c53decfe0ace58b4bb0d85fb04b847a46803f84efd7bd0e878c69c608ea151916209f9b6320d206aa6fbe8a664
-
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exeMD5
3e5da207d7655d267515b8fd7fe35b8a
SHA185a81b28b919d283c7ae1df1a6c8c45dc0ff756a
SHA256db4b1a7399ad2e1fc3d8e64cb9e870a4b7f36ef629614517942a4b7318c29f42
SHA512f097cfdaa714fe1dfcb360467010597015ba1ff4ca686d340d1775bdeadbe02d4d9ec064d78e20add0c29bd4f06f8ef9ee572f2374031a6313af2f7602c0530d
-
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exeMD5
3e5da207d7655d267515b8fd7fe35b8a
SHA185a81b28b919d283c7ae1df1a6c8c45dc0ff756a
SHA256db4b1a7399ad2e1fc3d8e64cb9e870a4b7f36ef629614517942a4b7318c29f42
SHA512f097cfdaa714fe1dfcb360467010597015ba1ff4ca686d340d1775bdeadbe02d4d9ec064d78e20add0c29bd4f06f8ef9ee572f2374031a6313af2f7602c0530d
-
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exeMD5
4fb7326fe1263d2f0626ee186195b891
SHA1f2ceda16fe3ba9e90e2b17f77879278923fb3fe9
SHA256d4641707fb9daa4f2e4e30f869a968f022f98c1067a9d8a9bd21ab22e56f82f4
SHA512f4191396b94e1517af938a9ca6068686956e99b2bde98ed6dccc14c05ecf016c11a75010c5e911a52524886e9404cb001d68832230b15d455fab514ddd9fce7a
-
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exeMD5
4fb7326fe1263d2f0626ee186195b891
SHA1f2ceda16fe3ba9e90e2b17f77879278923fb3fe9
SHA256d4641707fb9daa4f2e4e30f869a968f022f98c1067a9d8a9bd21ab22e56f82f4
SHA512f4191396b94e1517af938a9ca6068686956e99b2bde98ed6dccc14c05ecf016c11a75010c5e911a52524886e9404cb001d68832230b15d455fab514ddd9fce7a
-
\Program Files\Common Files\System\symsrv.dllMD5
7574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
\Program Files\Common Files\System\symsrv.dllMD5
7574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
memory/296-46-0x0000000000000000-mapping.dmp
-
memory/760-70-0x000000001B8B0000-0x000000001B8B2000-memory.dmpFilesize
8KB
-
memory/760-64-0x0000000000170000-0x0000000000171000-memory.dmpFilesize
4KB
-
memory/760-61-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmpFilesize
9.9MB
-
memory/760-57-0x0000000000000000-mapping.dmp
-
memory/1116-48-0x0000000000000000-mapping.dmp
-
memory/1144-47-0x0000000000000000-mapping.dmp
-
memory/1180-6-0x000000001AE30000-0x000000001AE31000-memory.dmpFilesize
4KB
-
memory/1180-4-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmpFilesize
9.9MB
-
memory/1180-26-0x00000000027B0000-0x00000000027B1000-memory.dmpFilesize
4KB
-
memory/1180-14-0x0000000002760000-0x0000000002761000-memory.dmpFilesize
4KB
-
memory/1180-11-0x00000000026A0000-0x00000000026A1000-memory.dmpFilesize
4KB
-
memory/1180-10-0x0000000002060000-0x0000000002061000-memory.dmpFilesize
4KB
-
memory/1180-3-0x000007FEFB631000-0x000007FEFB633000-memory.dmpFilesize
8KB
-
memory/1180-27-0x00000000027C0000-0x00000000027C1000-memory.dmpFilesize
4KB
-
memory/1180-5-0x0000000001F10000-0x0000000001F11000-memory.dmpFilesize
4KB
-
memory/1180-2-0x0000000000000000-mapping.dmp
-
memory/1180-7-0x000000001ADB0000-0x000000001ADB2000-memory.dmpFilesize
8KB
-
memory/1180-9-0x0000000002650000-0x0000000002651000-memory.dmpFilesize
4KB
-
memory/1180-8-0x000000001ADB4000-0x000000001ADB6000-memory.dmpFilesize
8KB
-
memory/1504-69-0x0000000004DB0000-0x0000000004DB1000-memory.dmpFilesize
4KB
-
memory/1504-67-0x0000000000C20000-0x0000000000C21000-memory.dmpFilesize
4KB
-
memory/1504-66-0x0000000074000000-0x00000000746EE000-memory.dmpFilesize
6.9MB
-
memory/1504-62-0x0000000000000000-mapping.dmp
-
memory/1704-52-0x0000000000000000-mapping.dmp
-
memory/1740-31-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmpFilesize
9.9MB
-
memory/1740-32-0x0000000002360000-0x0000000002361000-memory.dmpFilesize
4KB
-
memory/1740-33-0x000000001AEB0000-0x000000001AEB1000-memory.dmpFilesize
4KB
-
memory/1740-36-0x00000000025B0000-0x00000000025B1000-memory.dmpFilesize
4KB
-
memory/1740-28-0x0000000000000000-mapping.dmp
-
memory/1740-35-0x000000001AE34000-0x000000001AE36000-memory.dmpFilesize
8KB
-
memory/1740-37-0x00000000023A0000-0x00000000023A1000-memory.dmpFilesize
4KB
-
memory/1740-34-0x000000001AE30000-0x000000001AE32000-memory.dmpFilesize
8KB
-
memory/1752-49-0x0000000000000000-mapping.dmp
-
memory/1752-50-0x0000000074D11000-0x0000000074D13000-memory.dmpFilesize
8KB