Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
27-06-2024 22:19
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
dc2017d875a294af1881e553b11b8717
-
SHA1
40b4ab857db967b61d4708943f157f248c49b844
-
SHA256
5605c73c546e1dc58135d9f966e449d4acf0e791f4095989f4b746522e726f27
-
SHA512
faf2982b82dade07c2c88425bdc8f77ee4ee6e28d850f612db7e370547afd2c6337b6cc5b0087685a199e1e83d6666fcaae0109aa89bf6ea4ca2d150b9972262
-
SSDEEP
49152:PvEt62XlaSFNWPjljiFa2RoUYIkdyRfDKoGdf+THHB72eh2NT:PvY62XlaSFNWPjljiFXRoUYIkdyRfm
Malware Config
Extracted
quasar
1.4.1
Office04
0.tcp.eu.ngrok.io:12165
fbfe2df1-f4ca-4d07-920f-4075f27bc8a1
-
encryption_key
B22432E943AA88394E5F97387369DCA7D8B67608
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
system 32
-
subdirectory
SubDir
Signatures
-
Quasar payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/236-1-0x0000000000740000-0x0000000000A64000-memory.dmp | family_quasar
C:\Windows\System32\SubDir\Client.exe | family_quasar
-
Executes dropped EXE 7 IoCs
Processes:
pid | process
3048 | Client.exe
5012 | Client.exe
1000 | Client.exe
1544 | Client.exe
4400 | Client.exe
4728 | Client.exe
2732 | Client.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
Processes:
flow | ioc
14 | 0.tcp.eu.ngrok.io
1 | 0.tcp.eu.ngrok.io
5 | 0.tcp.eu.ngrok.io
10 | 0.tcp.eu.ngrok.io
11 | 0.tcp.eu.ngrok.io
12 | 0.tcp.eu.ngrok.io
13 | 0.tcp.eu.ngrok.io
-
Drops file in System32 directory 17 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\SubDir\Client.exe | Client-built.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client-built.exe
File opened for modification | C:\Windows\system32\SubDir | Client-built.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 7 IoCs
Processes:
pid | process
1504 | PING.EXE
4808 | PING.EXE
4048 | PING.EXE
1388 | PING.EXE
1040 | PING.EXE
1984 | PING.EXE
3104 | PING.EXE
-
Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1692 | schtasks.exe
1548 | schtasks.exe
2072 | schtasks.exe
4900 | schtasks.exe
1804 | schtasks.exe
1444 | schtasks.exe
1552 | schtasks.exe
1688 | schtasks.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 236 | Client-built.exe
Token: SeDebugPrivilege | 3048 | Client.exe
Token: SeDebugPrivilege | 5012 | Client.exe
Token: SeDebugPrivilege | 1000 | Client.exe
Token: SeDebugPrivilege | 1544 | Client.exe
Token: SeDebugPrivilege | 4400 | Client.exe
Token: SeDebugPrivilege | 4728 | Client.exe
Token: SeDebugPrivilege | 2732 | Client.exe
-
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
pid | process
3048 | Client.exe
5012 | Client.exe
1000 | Client.exe
1544 | Client.exe
4400 | Client.exe
4728 | Client.exe
2732 | Client.exe
-
Suspicious use of SendNotifyMessage 7 IoCs
Processes:
pid | process
3048 | Client.exe
5012 | Client.exe
1000 | Client.exe
1544 | Client.exe
4400 | Client.exe
4728 | Client.exe
2732 | Client.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid | process
3048 | Client.exe
5012 | Client.exe
1000 | Client.exe
1544 | Client.exe
4400 | Client.exe
4728 | Client.exe
2732 | Client.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
[depth 2] C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
[depth 3] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tPCipWqAL597.bat" "
- Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\system32\chcp.com
chcp 65001
[depth 4] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
[depth 4] C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
[depth 5] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6gdFBxySKyJY.bat" "
- Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\system32\chcp.com
chcp 65001
[depth 6] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
[depth 6] C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
[depth 7] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RWesT06rAZ6s.bat" "
- Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\system32\chcp.com
chcp 65001
[depth 8] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
[depth 8] C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
[depth 9] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUh9jAfBagUw.bat" "
- Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\system32\chcp.com
chcp 65001
[depth 10] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
[depth 10] C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
[depth 11] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
[depth 11] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S7HKRFq0ovrF.bat" "
- Suspicious use of WriteProcessMemory
[depth 12] C:\Windows\system32\chcp.com
chcp 65001
[depth 12] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
[depth 12] C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
[depth 13] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
[depth 13] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SrjB1LMjAhlv.bat" "
- Suspicious use of WriteProcessMemory
[depth 14] C:\Windows\system32\chcp.com
chcp 65001
[depth 14] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
[depth 14] C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
[depth 15] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "system 32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
[depth 15] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pLhGX8rsqTlp.bat" "
[depth 16] C:\Windows\system32\chcp.com
chcp 65001
[depth 16] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads