Analysis
-
max time kernel
519s -
max time network
518s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
09-12-2023 01:16
Behavioral task
behavioral1
Sample
4Malware.zip
Resource
win10v2004-20231127-en
Behavioral task
behavioral2
Sample
Adobe-GenP-3.0.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral3
Sample
Qblqxvgkmiptnw.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral4
Sample
Set-up.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral5
Sample
winnnn.exe
Resource
win10v2004-20231127-en
General
-
Target
4Malware.zip
-
Size
6.1MB
-
MD5
bea2ac31ab219cbbc749b0aeeff7e872
-
SHA1
2edc2a00dde9c973fce77348e07310558855dabf
-
SHA256
2cd40802f898dd95f0756aa6c44263c38131379d0db2da72f37bfa8f53668412
-
SHA512
e0f67143df31d2701e3ec21d3eaf6d74725de1559963c2713c4e0f48264cdab544536e08278d86ec3c0b2f7494c06a5ebe8a24d19842cfcde0f8157e729c889f
-
SSDEEP
196608:zjgzmPgjU3TJJ5/BAyG8jCz/atKPHGnYb:vbEUDvnGLjatKfGYb
Malware Config
Extracted
quasar
1.4.1
Windows Update
141.98.112.144:4782
192.168.1.1:4782
43e4244e-f515-4759-a0f9-81d1dfceed2f
-
encryption_key
535B385BFDC78C4C5A8DEE5D1390F4841681628D
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Update
-
subdirectory
SubDir
Extracted
formbook
4.1
kmge
jia0752d.com
cq0jt.sbs
whimsicalweddingrentals.com
meetsex-here.life
hhe-crv220.com
bedbillionaire.com
soycmo.com
mrawkward.xyz
11ramshornroad.com
motoyonaturals.com
thischicloves.com
gacorbet.pro
ihsanid.com
pancaketurner.com
santanarstore.com
cr3dtv.com
negotools.com
landfillequip.com
sejasuapropriachefe.com
diamant-verkopen.store
builtonmybrother.art
teoti.beauty
kickssoccercamp.com
chickfrau.com
compare-energy.com
icvp5o.xyz
susan-writes.com
dropletcoin.com
sivertool.com
sup-25987659.com
weedz-seeds.today
agritamaperkasaindonesia.com
safwankhalil.com
jm2s8a3mz.com
wfjwjm.com
be-heatpumps.life
hcwoodpanel.com
n5l780.com
mandalah.art
szexvideokingyen.sbs
justinroemmick.com
thecoolkidsdontfitin.com
gsolartech.com
swisswearables.com
chicagocarpetcleaneril.com
terrazahills-cbre.com
santatainha.com
sacksmantenimiento.store
wzhem.rest
shearwaterpembrokeshire.com
baansantiburi.com
mid-size-suv-87652.com
solunchina.com
nandos.moe
blucretebistro.com
identificatiekvk.digital
8772876.com
longfangyun.com
litblacklit.com
mobilferrari.com
zeeedajewelermusic.com
allenbach.swiss
industrialrevolution.ink
cmgamingtrack.com
a2zglobalimports.com
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1812-14-0x0000000000470000-0x0000000000794000-memory.dmp family_quasar -
Formbook payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/2268-39-0x0000000004650000-0x0000000005650000-memory.dmp formbook behavioral1/memory/2268-44-0x0000000004650000-0x0000000005650000-memory.dmp formbook behavioral1/memory/4304-51-0x00000000001C0000-0x00000000001EF000-memory.dmp formbook behavioral1/memory/4304-53-0x00000000001C0000-0x00000000001EF000-memory.dmp formbook -
ModiLoader Second Stage 1 IoCs
Processes:
resource yara_rule behavioral1/memory/4360-32-0x0000000004000000-0x0000000005000000-memory.dmp modiloader_stage2 -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Qblqxvgkmiptnw.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qblqxvgk = "C:\\Users\\Public\\Qblqxvgk.url" Qblqxvgkmiptnw.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
colorcpl.exeWWAHost.exedescription pid process target process PID 2268 set thread context of 3120 2268 colorcpl.exe Explorer.EXE PID 4304 set thread context of 3120 4304 WWAHost.exe Explorer.EXE -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Processes:
Set-up.exeWWAHost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001" Set-up.exe Key created \Registry\User\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 WWAHost.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION Set-up.exe -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 91 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 93 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
taskmgr.exepid process 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
taskmgr.exeAdobe-GenP-3.0.exepid process 4292 taskmgr.exe 3904 Adobe-GenP-3.0.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
colorcpl.exeWWAHost.exepid process 2268 colorcpl.exe 2268 colorcpl.exe 2268 colorcpl.exe 4304 WWAHost.exe 4304 WWAHost.exe 4304 WWAHost.exe 4304 WWAHost.exe -
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
taskmgr.exewinnnn.execolorcpl.exeExplorer.EXEWWAHost.exedescription pid process Token: SeDebugPrivilege 4292 taskmgr.exe Token: SeSystemProfilePrivilege 4292 taskmgr.exe Token: SeCreateGlobalPrivilege 4292 taskmgr.exe Token: SeDebugPrivilege 1812 winnnn.exe Token: SeDebugPrivilege 2268 colorcpl.exe Token: SeShutdownPrivilege 3120 Explorer.EXE Token: SeCreatePagefilePrivilege 3120 Explorer.EXE Token: SeDebugPrivilege 4304 WWAHost.exe Token: SeShutdownPrivilege 3120 Explorer.EXE Token: SeCreatePagefilePrivilege 3120 Explorer.EXE Token: SeShutdownPrivilege 3120 Explorer.EXE Token: SeCreatePagefilePrivilege 3120 Explorer.EXE Token: SeShutdownPrivilege 3120 Explorer.EXE Token: SeCreatePagefilePrivilege 3120 Explorer.EXE Token: SeShutdownPrivilege 3120 Explorer.EXE Token: SeCreatePagefilePrivilege 3120 Explorer.EXE Token: SeShutdownPrivilege 3120 Explorer.EXE Token: SeCreatePagefilePrivilege 3120 Explorer.EXE -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exepid process 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid process 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe 4292 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Adobe-GenP-3.0.exepid process 3904 Adobe-GenP-3.0.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
winnnn.exeQblqxvgkmiptnw.exeExplorer.EXEWWAHost.exedescription pid process target process PID 1812 wrote to memory of 2568 1812 winnnn.exe schtasks.exe PID 1812 wrote to memory of 2568 1812 winnnn.exe schtasks.exe PID 4360 wrote to memory of 2268 4360 Qblqxvgkmiptnw.exe colorcpl.exe PID 4360 wrote to memory of 2268 4360 Qblqxvgkmiptnw.exe colorcpl.exe PID 4360 wrote to memory of 2268 4360 Qblqxvgkmiptnw.exe colorcpl.exe PID 4360 wrote to memory of 2268 4360 Qblqxvgkmiptnw.exe colorcpl.exe PID 3120 wrote to memory of 4304 3120 Explorer.EXE WWAHost.exe PID 3120 wrote to memory of 4304 3120 Explorer.EXE WWAHost.exe PID 3120 wrote to memory of 4304 3120 Explorer.EXE WWAHost.exe PID 4304 wrote to memory of 1412 4304 WWAHost.exe cmd.exe PID 4304 wrote to memory of 1412 4304 WWAHost.exe cmd.exe PID 4304 wrote to memory of 1412 4304 WWAHost.exe cmd.exe PID 4304 wrote to memory of 4856 4304 WWAHost.exe Firefox.exe PID 4304 wrote to memory of 4856 4304 WWAHost.exe Firefox.exe PID 4304 wrote to memory of 4856 4304 WWAHost.exe Firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\4Malware.zip2⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /72⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Desktop\winnnn.exe"C:\Users\Admin\Desktop\winnnn.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\Desktop\Adobe-GenP-3.0.exe"C:\Users\Admin\Desktop\Adobe-GenP-3.0.exe"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\Qblqxvgkmiptnw.exe"C:\Users\Admin\Desktop\Qblqxvgkmiptnw.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\System32\colorcpl.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Set-up.exe"C:\Users\Admin\Desktop\Set-up.exe"2⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\WWAHost.exe"C:\Windows\SysWOW64\WWAHost.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Roaming\LK3BNUQ2\LK3logim.jpegFilesize
121KB
MD5124133c6e6ba25907b458c6b9683a27d
SHA12f20c74116914f65992ed7b01d80a81419d0b189
SHA25673a78a7ae2ed7fae9c9ae7cdf8cd444500a18e3fa540480700e2e7aa839d903b
SHA5123197299669daa5ab833c6102b94799647b9bd3f41f6dc8e9e686f93662f9f77f3979a5d053b0c4cbb4db17aa5cc7ad56284606d5f5d48e1f9f578bc3194b8345
-
C:\Users\Admin\AppData\Roaming\LK3BNUQ2\LK3logrf.iniFilesize
40B
MD52f245469795b865bdd1b956c23d7893d
SHA16ad80b974d3808f5a20ea1e766c7d2f88b9e5895
SHA2561662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
SHA512909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
-
C:\Users\Admin\AppData\Roaming\LK3BNUQ2\LK3logrg.iniFilesize
38B
MD54aadf49fed30e4c9b3fe4a3dd6445ebe
SHA11e332822167c6f351b99615eada2c30a538ff037
SHA25675034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56
SHA512eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945
-
C:\Users\Admin\AppData\Roaming\LK3BNUQ2\LK3logri.iniFilesize
40B
MD5d63a82e5d81e02e399090af26db0b9cb
SHA191d0014c8f54743bba141fd60c9d963f869d76c9
SHA256eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA51238afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
-
C:\Users\Admin\AppData\Roaming\LK3BNUQ2\LK3logrv.iniFilesize
872B
MD5bbc41c78bae6c71e63cb544a6a284d94
SHA133f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
SHA256ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
SHA5120aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4
-
C:\Users\Public\Qblqxvgk.urlFilesize
100B
MD54ca0baabe52b332dd13ef0207cef3a2d
SHA183d38e7abec3bc4ef4d9d83454a48c7b9c7fcfbf
SHA256e6fe9ab85ea1df2c1cd9f2367fb5beef6df66ece574b3dc513ed42d76d10a349
SHA512ac29154d38e0138d3acdeb58a868fe24d2e6108975ed3e850e9d68430d4f9067997041eb4fe81ec4b6970d98cf4b543e857d61e25f6e5ff045895213e574fa40
-
memory/1812-15-0x00007FFAB7D00000-0x00007FFAB87C1000-memory.dmpFilesize
10.8MB
-
memory/1812-28-0x000000001BF90000-0x000000001BFE0000-memory.dmpFilesize
320KB
-
memory/1812-43-0x00007FFAB7D00000-0x00007FFAB87C1000-memory.dmpFilesize
10.8MB
-
memory/1812-14-0x0000000000470000-0x0000000000794000-memory.dmpFilesize
3.1MB
-
memory/1812-31-0x000000001C020000-0x000000001C05C000-memory.dmpFilesize
240KB
-
memory/1812-16-0x000000001B2A0000-0x000000001B2B0000-memory.dmpFilesize
64KB
-
memory/1812-30-0x000000001BF60000-0x000000001BF72000-memory.dmpFilesize
72KB
-
memory/1812-29-0x000000001C0A0000-0x000000001C152000-memory.dmpFilesize
712KB
-
memory/2268-45-0x0000000016700000-0x0000000016714000-memory.dmpFilesize
80KB
-
memory/2268-41-0x00000000027A0000-0x0000000002AEA000-memory.dmpFilesize
3.3MB
-
memory/2268-44-0x0000000004650000-0x0000000005650000-memory.dmpFilesize
16.0MB
-
memory/2268-39-0x0000000004650000-0x0000000005650000-memory.dmpFilesize
16.0MB
-
memory/3120-83-0x000000000FAF0000-0x000000000FC34000-memory.dmpFilesize
1.3MB
-
memory/3120-72-0x000000000FAF0000-0x000000000FC34000-memory.dmpFilesize
1.3MB
-
memory/3120-74-0x000000000FAF0000-0x000000000FC34000-memory.dmpFilesize
1.3MB
-
memory/3120-46-0x0000000013830000-0x000000001397C000-memory.dmpFilesize
1.3MB
-
memory/4292-12-0x0000013A7D420000-0x0000013A7D421000-memory.dmpFilesize
4KB
-
memory/4292-9-0x0000013A7D420000-0x0000013A7D421000-memory.dmpFilesize
4KB
-
memory/4292-10-0x0000013A7D420000-0x0000013A7D421000-memory.dmpFilesize
4KB
-
memory/4292-11-0x0000013A7D420000-0x0000013A7D421000-memory.dmpFilesize
4KB
-
memory/4292-2-0x0000013A7D420000-0x0000013A7D421000-memory.dmpFilesize
4KB
-
memory/4292-6-0x0000013A7D420000-0x0000013A7D421000-memory.dmpFilesize
4KB
-
memory/4292-7-0x0000013A7D420000-0x0000013A7D421000-memory.dmpFilesize
4KB
-
memory/4292-8-0x0000013A7D420000-0x0000013A7D421000-memory.dmpFilesize
4KB
-
memory/4292-1-0x0000013A7D420000-0x0000013A7D421000-memory.dmpFilesize
4KB
-
memory/4292-0-0x0000013A7D420000-0x0000013A7D421000-memory.dmpFilesize
4KB
-
memory/4304-51-0x00000000001C0000-0x00000000001EF000-memory.dmpFilesize
188KB
-
memory/4304-69-0x0000000001000000-0x0000000001093000-memory.dmpFilesize
588KB
-
memory/4304-53-0x00000000001C0000-0x00000000001EF000-memory.dmpFilesize
188KB
-
memory/4304-52-0x00000000012C0000-0x000000000160A000-memory.dmpFilesize
3.3MB
-
memory/4304-75-0x0000000001000000-0x0000000001093000-memory.dmpFilesize
588KB
-
memory/4304-50-0x00000000006E0000-0x00000000007BC000-memory.dmpFilesize
880KB
-
memory/4304-47-0x00000000006E0000-0x00000000007BC000-memory.dmpFilesize
880KB
-
memory/4360-21-0x0000000004000000-0x0000000005000000-memory.dmpFilesize
16.0MB
-
memory/4360-34-0x0000000000400000-0x00000000005D7000-memory.dmpFilesize
1.8MB
-
memory/4360-32-0x0000000004000000-0x0000000005000000-memory.dmpFilesize
16.0MB
-
memory/4360-17-0x0000000002230000-0x0000000002231000-memory.dmpFilesize
4KB