Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30-06-2024 01:43
Static task
static1
Behavioral task
behavioral1
Sample
dll (1).exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
dll (1).exe
Resource
win10v2004-20240508-en
General
-
Target
dll (1).exe
-
Size
1.8MB
-
MD5
2d8725f268c90475c94941e550019cf9
-
SHA1
c51ed1a97e71cbdfb7712f7fbe2251553f1054b7
-
SHA256
8f619c4d07c848855b27863e887f95f7307ae2d46f64c661ca17a2d96798a2af
-
SHA512
4998e8bf9e33f31e895783e31185fd678c368e3eb3b524b65ff1d988f0395cdd8d7a1aa6776d89b1f284656f2e6c97b848d8e909c167b52932a1d83382e57bb1
-
SSDEEP
49152:d78cpUcrJCoHjuFnBPn20DRt8HcWynnBvIyn+inbT:d78cpUcrJC2q9BPjo8WyBv1n+in
Malware Config
Extracted
xworm
127.0.0.1:35472
haxxy999-35472.portmap.host:35472
-
Install_directory
%Temp%
-
install_file
svchost.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule behavioral2/memory/1488-124-0x000000001BEE0000-0x000000001BEEE000-memory.dmp disable_win_def -
Detect Xworm Payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\Feather new.exe family_xworm behavioral2/memory/1488-61-0x00000000005E0000-0x00000000005FC000-memory.dmp family_xworm C:\Users\Admin\AppData\Local\Temp\ybevvn.exe family_xworm behavioral2/memory/3932-144-0x0000000000B80000-0x0000000000B9C000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 5092 powershell.exe 4912 powershell.exe 4656 powershell.exe 3252 powershell.exe 3980 powershell.exe 2316 powershell.exe 3564 powershell.exe 2400 powershell.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
dll (1).exeFeather new.exeybevvn.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation dll (1).exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation Feather new.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation ybevvn.exe -
Drops startup file 3 IoCs
Processes:
ybevvn.exeFeather new.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk ybevvn.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk Feather new.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk Feather new.exe -
Executes dropped EXE 6 IoCs
Processes:
WaveInstaller.exeFeather new.exeybevvn.exezgsnkb.exesvchost.exesvchost.exepid process 1616 WaveInstaller.exe 1488 Feather new.exe 3932 ybevvn.exe 1420 zgsnkb.exe 408 svchost.exe 228 svchost.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Feather new.exeybevvn.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" Feather new.exe Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe" ybevvn.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 42 ip-api.com 14 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 2488 schtasks.exe 4068 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeFeather new.exepowershell.exepowershell.exepowershell.exepowershell.exeybevvn.exepid process 5092 powershell.exe 5092 powershell.exe 4912 powershell.exe 4912 powershell.exe 4656 powershell.exe 4656 powershell.exe 3252 powershell.exe 3252 powershell.exe 1488 Feather new.exe 1488 Feather new.exe 3980 powershell.exe 3980 powershell.exe 2316 powershell.exe 2316 powershell.exe 3564 powershell.exe 3564 powershell.exe 2400 powershell.exe 2400 powershell.exe 3932 ybevvn.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
Feather new.exepowershell.exepowershell.exepowershell.exepowershell.exeybevvn.exezgsnkb.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvchost.exedescription pid process Token: SeDebugPrivilege 1488 Feather new.exe Token: SeDebugPrivilege 5092 powershell.exe Token: SeDebugPrivilege 4912 powershell.exe Token: SeDebugPrivilege 4656 powershell.exe Token: SeDebugPrivilege 3252 powershell.exe Token: SeDebugPrivilege 1488 Feather new.exe Token: SeDebugPrivilege 3932 ybevvn.exe Token: SeDebugPrivilege 1420 zgsnkb.exe Token: SeDebugPrivilege 3980 powershell.exe Token: SeDebugPrivilege 2316 powershell.exe Token: SeDebugPrivilege 3564 powershell.exe Token: SeDebugPrivilege 2400 powershell.exe Token: SeDebugPrivilege 408 svchost.exe Token: SeDebugPrivilege 3932 ybevvn.exe Token: SeDebugPrivilege 228 svchost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
Feather new.exeybevvn.exepid process 1488 Feather new.exe 3932 ybevvn.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
dll (1).exeFeather new.exeybevvn.exedescription pid process target process PID 60 wrote to memory of 1616 60 dll (1).exe WaveInstaller.exe PID 60 wrote to memory of 1616 60 dll (1).exe WaveInstaller.exe PID 60 wrote to memory of 1616 60 dll (1).exe WaveInstaller.exe PID 60 wrote to memory of 1488 60 dll (1).exe Feather new.exe PID 60 wrote to memory of 1488 60 dll (1).exe Feather new.exe PID 1488 wrote to memory of 5092 1488 Feather new.exe powershell.exe PID 1488 wrote to memory of 5092 1488 Feather new.exe powershell.exe PID 1488 wrote to memory of 4912 1488 Feather new.exe powershell.exe PID 1488 wrote to memory of 4912 1488 Feather new.exe powershell.exe PID 1488 wrote to memory of 4656 1488 Feather new.exe powershell.exe PID 1488 wrote to memory of 4656 1488 Feather new.exe powershell.exe PID 1488 wrote to memory of 3252 1488 Feather new.exe powershell.exe PID 1488 wrote to memory of 3252 1488 Feather new.exe powershell.exe PID 1488 wrote to memory of 2488 1488 Feather new.exe schtasks.exe PID 1488 wrote to memory of 2488 1488 Feather new.exe schtasks.exe PID 1488 wrote to memory of 3932 1488 Feather new.exe ybevvn.exe PID 1488 wrote to memory of 3932 1488 Feather new.exe ybevvn.exe PID 1488 wrote to memory of 1420 1488 Feather new.exe zgsnkb.exe PID 1488 wrote to memory of 1420 1488 Feather new.exe zgsnkb.exe PID 3932 wrote to memory of 3980 3932 ybevvn.exe powershell.exe PID 3932 wrote to memory of 3980 3932 ybevvn.exe powershell.exe PID 3932 wrote to memory of 2316 3932 ybevvn.exe powershell.exe PID 3932 wrote to memory of 2316 3932 ybevvn.exe powershell.exe PID 3932 wrote to memory of 3564 3932 ybevvn.exe powershell.exe PID 3932 wrote to memory of 3564 3932 ybevvn.exe powershell.exe PID 3932 wrote to memory of 2400 3932 ybevvn.exe powershell.exe PID 3932 wrote to memory of 2400 3932 ybevvn.exe powershell.exe PID 3932 wrote to memory of 4068 3932 ybevvn.exe schtasks.exe PID 3932 wrote to memory of 4068 3932 ybevvn.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dll (1).exe"C:\Users\Admin\AppData\Local\Temp\dll (1).exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\WaveInstaller.exe"C:\Users\Admin\WaveInstaller.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Feather new.exe"C:\Users\Admin\Feather new.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Feather new.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Feather new.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Local\Temp\ybevvn.exe"C:\Users\Admin\AppData\Local\Temp\ybevvn.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ybevvn.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ybevvn.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Local\Temp\zgsnkb.exe"C:\Users\Admin\AppData\Local\Temp\zgsnkb.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svchost.exeC:\ProgramData\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.logFilesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5c1b0a9f26c3e1786191e94e419f1fbf9
SHA17f3492f4ec2d93e164f43fe2606b53edcffd8926
SHA256796649641966f606d7217bb94c5c0a6194eef518815dacc86feacdd78d3c1113
SHA512fa0290d77372c26a2f14cb9b0002c222bc757ce7ad02516b884c59a1108f42eb4c76884f9edb6c7149f7c3fac917eda99b72a3b1d72b7e118a1d5a73cadd15a8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5329d930fea7f494cf4a36170921c064a
SHA1aac7a8a6e8103600950e14a18c5bd9fdcf0d3e72
SHA25695c0dc463114f6a9b5f0dd3d27ea44c551ee47f8c2b25b1a35c13633bf26f6f6
SHA512b5c97e2b5c3d45e1b66a513f2405810bbc6e20409a0a6e302f6b44852ae40c710d538fb049eef9aadb58c9ba76acc6105bad49d8eeb33dd19a4e99262b7f18ba
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD51099dc40baabde4be41cc1faf6353f7d
SHA1345705c6b9adc64389b6d142e7484d0cdd4f2bd0
SHA2566cec99d44ed65e73240a96691f299a41e944a9c8f59c543df3ecd73d95c8bf40
SHA5126315f1089cc8139531acc422741290c84a60841a65a8cc9844cd907c96694d33d164120c36f460a0bef03e67e2a60c33f9c968ac41edf3dd82cab015e00e74a1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5cc19bcff372d20459d3651ba8aef50e7
SHA13c6f1d4cdd647864fb97a16b1aefba67fcee11f7
SHA256366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9
SHA512a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d0a40a2d16d62c60994d5bb5624a589b
SHA130f0a77f10518a09d83e6185d6c4cde23e4de8af
SHA256c213a4024e89a0240d0b1fa3b18ea3db3db7bbe7ca1bdeed86dce9c2c4991ef8
SHA512cecef5087f194a83948880e36445324406218f6877386d6db7850b8f97ac107e042ea9445bb7e73c6e6a2c7da9782b7dae8caba0a1c997677d096b3271a4cac0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e60eb305a7b2d9907488068b7065abd3
SHA11643dd7f915ac50c75bc01c53d68c5dafb9ce28d
SHA256ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135
SHA51295c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nwuquqdw.q33.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\ybevvn.exeFilesize
84KB
MD532e2a2593d2ceb70749d5e070702da52
SHA12b9b2646ab4d0d0ca3cc722df7879254fbdc849e
SHA2567a63f2c2d35675dd511249d34e399449ff37e9afdd327b21faed9da57715b1a5
SHA512631ab888b85e9249784b39cf29f85fb7549110ec2c638eb42088bbaf00e5a38cbea6ce0eafe12592fd46d4a56bca84abb9c71b31db4ecf29c2e91d3da0f9b47e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnkFilesize
1KB
MD523fbfad94432784e9bc9603ff3a74abf
SHA18319ba3f6ee5fa098390edcf44774e10be0edba2
SHA256f8f8297b2c2690eea1db70c18590f7e8844f2e13b50637b3a2580165ebfcabf8
SHA512932deb64968479fbaf5b37ca9c03222231795f1c6115edb66865950f80a768198a2792e4e69126e79c110abd2096a49a68305374228bff2277ce62154d5a855d
-
C:\Users\Admin\Feather new.exeFilesize
87KB
MD5d937a01ea0bd6d64bf218bf9f052601d
SHA1e47417cb8773b13c66717cc3137bda4f919578b2
SHA2568d2252827e127ba22c6645d57981a0556149255ec6b430582c02d9e6b8cb2adb
SHA512b1d73cf9377f1dcb774bce9840fafe950e44ab3d39763c2a12c918fb8a0a8de463a24b127388b59dae5fedd1147387ee9b1d0d1fcc0451d16094495f8703c0cd
-
C:\Users\Admin\WaveInstaller.exeFilesize
1.5MB
MD5b075f4320e46d0d5e78a649e8ee011cc
SHA1b0dd50171323f0f83dbea0340e9ed8cf44bea38e
SHA2568581823244a50bbed9709d09f3eba29dd9989681d96bff2b6c19245053069feb
SHA512e08024b5fa50dc344ca18413a6c21e0f20490c22c90c565d6f663014f1673643da1d5d748e0cefca8a7cbae91a62470289803ad588d3aa5cf3dc6292d7393d47
-
memory/60-0-0x00007FFB1AA53000-0x00007FFB1AA55000-memory.dmpFilesize
8KB
-
memory/60-1-0x0000000000AB0000-0x0000000000C8E000-memory.dmpFilesize
1.9MB
-
memory/1488-124-0x000000001BEE0000-0x000000001BEEE000-memory.dmpFilesize
56KB
-
memory/1488-177-0x000000001C9B0000-0x000000001C9BC000-memory.dmpFilesize
48KB
-
memory/1488-119-0x00007FFB1AA50000-0x00007FFB1B511000-memory.dmpFilesize
10.8MB
-
memory/1488-61-0x00000000005E0000-0x00000000005FC000-memory.dmpFilesize
112KB
-
memory/1488-121-0x000000001B2F0000-0x000000001B300000-memory.dmpFilesize
64KB
-
memory/1488-68-0x000000001B2F0000-0x000000001B300000-memory.dmpFilesize
64KB
-
memory/1488-62-0x00007FFB1AA50000-0x00007FFB1B511000-memory.dmpFilesize
10.8MB
-
memory/1616-66-0x000000000A130000-0x000000000A168000-memory.dmpFilesize
224KB
-
memory/1616-65-0x0000000074AE0000-0x0000000075290000-memory.dmpFilesize
7.7MB
-
memory/1616-64-0x0000000000BF0000-0x0000000000D82000-memory.dmpFilesize
1.6MB
-
memory/1616-63-0x0000000074AEE000-0x0000000074AEF000-memory.dmpFilesize
4KB
-
memory/1616-67-0x000000000A110000-0x000000000A11E000-memory.dmpFilesize
56KB
-
memory/1616-120-0x0000000074AE0000-0x0000000075290000-memory.dmpFilesize
7.7MB
-
memory/3932-144-0x0000000000B80000-0x0000000000B9C000-memory.dmpFilesize
112KB
-
memory/5092-78-0x000001DD4AF60000-0x000001DD4AF82000-memory.dmpFilesize
136KB