Analysis
-
max time kernel
7s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
18-10-2022 03:30
General
-
Target
9965e9b35cb08e31dc26fd15c0a89c0583c98387bdda8a8f9cde45dcd0e38aba.exe
-
Size
2.0MB
-
MD5
26ef5acc7a22a209efdbfbc6d82c8398
-
SHA1
1555bf0b8421468b26fb688bc903d6d473bb7315
-
SHA256
9965e9b35cb08e31dc26fd15c0a89c0583c98387bdda8a8f9cde45dcd0e38aba
-
SHA512
3aeeb36fe23a59046c982508993df1f8f2e09360a21c0cd719f704da38816a96b0537708049b45fe568b99e30585a4c1f81926955408d4014ecd150b2b67557a
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYG:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YU
Malware Config
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Extracted
azorult
http://0x21.in:8000/_az/
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 13 IoCs
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9965e9b35cb08e31dc26fd15c0a89c0583c98387bdda8a8f9cde45dcd0e38aba.exe"C:\Users\Admin\AppData\Local\Temp\9965e9b35cb08e31dc26fd15c0a89c0583c98387bdda8a8f9cde45dcd0e38aba.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
- Maps connected drives based on registry
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XvFomGuZ6FWL.bat" "4⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650015⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"5⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f33qs0zThrMb.bat" "6⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650017⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost7⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"7⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N8dboL4mimEI.bat" "8⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650019⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost9⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"9⤵
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f10⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYK6aDQrvw7Q.bat" "10⤵
-
C:\Windows\SysWOW64\chcp.comchcp 6500111⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost11⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 227210⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 19768⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 19886⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 22684⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\9965e9b35cb08e31dc26fd15c0a89c0583c98387bdda8a8f9cde45dcd0e38aba.exe"C:\Users\Admin\AppData\Local\Temp\9965e9b35cb08e31dc26fd15c0a89c0583c98387bdda8a8f9cde45dcd0e38aba.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4316 -ip 43161⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeC:\Users\Admin\btpanui\SystemPropertiesPerformance.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\vnc.exe"C:\Users\Admin\AppData\Local\Temp\vnc.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k3⤵
-
C:\Users\Admin\AppData\Local\Temp\windef.exe"C:\Users\Admin\AppData\Local\Temp\windef.exe"2⤵
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2776 -ip 27761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1260 -ip 12601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4864 -ip 48641⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.logFilesize
1KB
MD510eab9c2684febb5327b6976f2047587
SHA1a12ed54146a7f5c4c580416aecb899549712449e
SHA256f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928
SHA5127e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50
-
C:\Users\Admin\AppData\Local\Temp\N8dboL4mimEI.batFilesize
208B
MD5fc4042e4aae67d2f3685d7b770de0580
SHA1052a49f59427709195fa0e07835351ea773c8195
SHA25615bc174b7474d7d0e6197146745344eec5cacb095659eaff3d6c3a134bd703db
SHA51235e404696ae53a8d0be4b45c0f11f87bee9d4a64f0d992541a9d0db03b46c5dde9a0d3420b749cd852de8bfa0abfebf09b25248b23b6364d1527059e65ccd7fd
-
C:\Users\Admin\AppData\Local\Temp\XvFomGuZ6FWL.batFilesize
208B
MD52225e9bc589ca8bdae538edba5d99abe
SHA15bb7b45042ead4a82b202fc91d4501c19a79ac49
SHA2566f2989d05fb309db80bebdda0a4d27822d2c32516b5004a9b19415146f8ee168
SHA5121c474400adaa7ce527c8bbdf17f3c130913db9336cc2f026592647e1cf50219219e5b0d28477869a5ae99d832aeb7a23fbdab85d27e84469d29a9dae379a24c2
-
C:\Users\Admin\AppData\Local\Temp\f33qs0zThrMb.batFilesize
208B
MD5ecdecaf0975efffc2d5582abd2994654
SHA1d09e524caba226fd964ea5a789b96e67159941ef
SHA2561a86e09c3296c88a3c184d30d10124e452cbca5dbcef0f6a8a6a7a8004da98a3
SHA512898ae1d1e33a80a0df69827f2d7b2c6ad49d4c7683bf3e965a79feeed01238547c8316801827eb228ea4f55069daec4c994537b89998835484a351f2227cc6a8
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\vnc.exeFilesize
405KB
MD5b8ba87ee4c3fc085a2fed0d839aadce1
SHA1b3a2e3256406330e8b1779199bb2b9865122d766
SHA2564e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
SHA5127a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\windef.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Local\Temp\yYK6aDQrvw7Q.batFilesize
208B
MD5647e8b18e47d5c15b9e0d3f6e3e2d8f6
SHA1fe869a2b14b11294512e7f6b7e96907028d4cea2
SHA2561f46d75b971a320f5df0a7b3d1498033e963a0a73d7e34604e3dbecdef35f2e2
SHA5123d2a5ae08ff0b1434983057e59e78ac08e6ae37c2ba26e048c30bfd233a4e5e003853dcf99e6f1ee8d09ce86ecac858f45628eecba98be7b286bbf239705df8f
-
C:\Users\Admin\AppData\Roaming\Logs\10-18-2022Filesize
224B
MD5acf370d8ae82c1cfa7275278e28af54d
SHA14b18abbbbcd27de9b48f3e646d443493d617b351
SHA256c4a216dc9491f6c3b3a0c071cf30bcf283d35a8ca89d8a3c32c917f0a7ad865a
SHA512d21ef844615a2604809657cb2c13eeeb763d2d7700df4a40792408ed778e643c7b16bb8aaf2c87294a9e4f02581fb16d3a2e2cbefa305339c6f542fc169b086e
-
C:\Users\Admin\AppData\Roaming\Logs\10-18-2022Filesize
224B
MD5f13023b774d06144c4c38e2bbf9c08c1
SHA169dc8d6804085b68a9fd2bda124fb068b9ad2f78
SHA2562fe684bb7a9a3efef320881eb7fb5ab0d39ccbc03d49af1746373d64a19e5729
SHA51232da24ed2d1d55570d14c76f9ab8d9cfa7bf3044ca356d500ce3db7b49760a1badcc885c9dadf26d81142a0055fa237b77e7f8f8c32dbb9a22444269a65ba66e
-
C:\Users\Admin\AppData\Roaming\Logs\10-18-2022Filesize
224B
MD5de651bf6d2c260900a532626d373fd2c
SHA165fb9e31cfd9dd0540f9d1c71d4646a79b13a2a3
SHA256987260919605c931a785a6f4e97e9d2f4801e20785856ddaa778a67733bc42f0
SHA512fe92cde4d50c280adcbe505b56923e6f0768d8e69b30bc6b05bf2686c921e10cef2cf14b27a4ea5cbffd4ff48cd70b240c0742a32e797b891d4e374ecfb81208
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exeFilesize
349KB
MD5b4a202e03d4135484d0e730173abcc72
SHA101b30014545ea526c15a60931d676f9392ea0c70
SHA2567050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
SHA512632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD5a01f7096dca0cc0134c628d3d5b37dcb
SHA1daf9fa90a273e0d9cb996c983fe94efb8dbfdb7c
SHA2563ab97293ab59044e56e53147e88b6183683b209b16f03b730589b29d2a9e8a53
SHA5126a3efdfe501d456dcd14af4b7919981fe62ad88b8f2b3893c514b7e0ea0e860bb0c0e93d64e789c5529e8bdaa94644c5da4a974c027150a96566430f06068ccb
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD5a01f7096dca0cc0134c628d3d5b37dcb
SHA1daf9fa90a273e0d9cb996c983fe94efb8dbfdb7c
SHA2563ab97293ab59044e56e53147e88b6183683b209b16f03b730589b29d2a9e8a53
SHA5126a3efdfe501d456dcd14af4b7919981fe62ad88b8f2b3893c514b7e0ea0e860bb0c0e93d64e789c5529e8bdaa94644c5da4a974c027150a96566430f06068ccb
-
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exeFilesize
2.0MB
MD5a01f7096dca0cc0134c628d3d5b37dcb
SHA1daf9fa90a273e0d9cb996c983fe94efb8dbfdb7c
SHA2563ab97293ab59044e56e53147e88b6183683b209b16f03b730589b29d2a9e8a53
SHA5126a3efdfe501d456dcd14af4b7919981fe62ad88b8f2b3893c514b7e0ea0e860bb0c0e93d64e789c5529e8bdaa94644c5da4a974c027150a96566430f06068ccb
-
memory/216-195-0x0000000000000000-mapping.dmp
-
memory/220-196-0x0000000000000000-mapping.dmp
-
memory/528-166-0x0000000000000000-mapping.dmp
-
memory/1080-211-0x0000000000000000-mapping.dmp
-
memory/1260-197-0x0000000000000000-mapping.dmp
-
memory/1588-165-0x0000000000000000-mapping.dmp
-
memory/1632-209-0x0000000000000000-mapping.dmp
-
memory/1656-203-0x0000000000000000-mapping.dmp
-
memory/1756-139-0x0000000000000000-mapping.dmp
-
memory/1756-140-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/1756-151-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2056-207-0x0000000000000000-mapping.dmp
-
memory/2596-201-0x0000000000000000-mapping.dmp
-
memory/2608-180-0x0000000000690000-0x000000000072C000-memory.dmpFilesize
624KB
-
memory/2608-177-0x0000000000000000-mapping.dmp
-
memory/2712-152-0x0000000000000000-mapping.dmp
-
memory/2776-167-0x0000000000000000-mapping.dmp
-
memory/3040-175-0x0000000000000000-mapping.dmp
-
memory/3080-161-0x0000000000000000-mapping.dmp
-
memory/3336-192-0x0000000000000000-mapping.dmp
-
memory/3340-173-0x0000000000000000-mapping.dmp
-
memory/3512-169-0x0000000000000000-mapping.dmp
-
memory/3760-163-0x0000000000000000-mapping.dmp
-
memory/3800-193-0x0000000000000000-mapping.dmp
-
memory/3856-199-0x0000000000000000-mapping.dmp
-
memory/3948-212-0x0000000000000000-mapping.dmp
-
memory/4292-142-0x00000000002A0000-0x00000000002FE000-memory.dmpFilesize
376KB
-
memory/4292-154-0x0000000004F80000-0x0000000004FE6000-memory.dmpFilesize
408KB
-
memory/4292-146-0x0000000005150000-0x00000000056F4000-memory.dmpFilesize
5.6MB
-
memory/4292-150-0x0000000004BA0000-0x0000000004C32000-memory.dmpFilesize
584KB
-
memory/4292-155-0x0000000005BA0000-0x0000000005BB2000-memory.dmpFilesize
72KB
-
memory/4292-136-0x0000000000000000-mapping.dmp
-
memory/4292-156-0x0000000005FC0000-0x0000000005FFC000-memory.dmpFilesize
240KB
-
memory/4316-158-0x0000000000000000-mapping.dmp
-
memory/4316-162-0x00000000066D0000-0x00000000066DA000-memory.dmpFilesize
40KB
-
memory/4380-153-0x00000000004E0000-0x000000000057C000-memory.dmpFilesize
624KB
-
memory/4380-135-0x0000000000000000-mapping.dmp
-
memory/4496-157-0x0000000000000000-mapping.dmp
-
memory/4760-132-0x0000000000000000-mapping.dmp
-
memory/4864-205-0x0000000000000000-mapping.dmp
-
memory/5064-204-0x0000000000000000-mapping.dmp
-
memory/5096-181-0x0000000000000000-mapping.dmp
-
memory/5096-182-0x0000000001620000-0x0000000001640000-memory.dmpFilesize
128KB
-
memory/5096-191-0x0000000001620000-0x0000000001640000-memory.dmpFilesize
128KB