Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
08-06-2024 19:26
General
-
Target
Microsoft Network Realtime inspection.exe
-
Size
79KB
-
MD5
5c888eddae30076bd7aaa2e5d5fea097
-
SHA1
6a5b5c290d24bcd984a7083f934dbf35f56ec888
-
SHA256
267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788
-
SHA512
4a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1
-
SSDEEP
1536:y8p4oJOu7J3c+Fj4zo+ib+8qn36NOuCYh0uxqau:y5oJLJM5zJib+sOeh0uVu
Malware Config
Extracted
xworm
listing-trackbacks.gl.at.ply.gg:15337
-
Install_directory
%AppData%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 4 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 30 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 30 IoCs
-
Suspicious use of SendNotifyMessage 10 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"2⤵
- Creates scheduled task(s)
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\owzihn.mp4"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\dvywbd.exe"C:\Users\Admin\AppData\Local\Temp\dvywbd.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://wonderwork.ucoz.com/3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskeng.exetaskeng.exe {C382553C-FA5C-4A6B-881A-3D8F51101C88} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\TLauncherC:\Users\Admin\AppData\Roaming\TLauncher2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\TLauncherC:\Users\Admin\AppData\Roaming\TLauncher2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\TLauncherC:\Users\Admin\AppData\Roaming\TLauncher2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5E390E1CA50E646B1021D6CAA485D322Filesize
471B
MD51fa17325918e618db3a2beb022df7a8c
SHA144fcfd4cc2aaae0b2f45bcee0b04d5346fdfcc2a
SHA2563e4903996b66e24f58f2c9acb3f98ad734c9aa3113d27f6c44b33ad450693930
SHA512417eab3dc9b6460247f02d50829b7027a8a6d445c43521f3d680cacab54dac132c94a36dcff7fd95004f154b6abbfd3e923deecc80619a8249468b70c1ac17b8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5003406aa8c397a334961e278f3f96d4c
SHA18b1c49d36ad9cc65b65ef9689db07ea0243afa29
SHA2561826112f2f04cb5f78d0890a6661fafb4a60652cd56eb519d090388cc94511a9
SHA512d63296a6bd6c4b2ca2a67236e1cf7c6fcf1ccd1428df91886ee4de229e8a3d573444ce0e21b7f71d793379e1138f96db25b9b620fa699974bf36667043986def
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5e8dd04646fd13b9e7a3aec946de6b7e4
SHA15c6870abe00e1381289aaacf68e2882da827b6df
SHA25697c4e4f67aedd6a4fa3c3ab368157f71040d31e6cf7f242624153cd184a3d4c1
SHA51298e9b8b8b87de8fced53aa1ed3eef37f5894afbeaaa8729b6a2f78853a9784e68e0738ec0d5847cde78c22874726696aac7317c417ccf264aa1d18190845455c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5b50f22631818918a46132385e213b141
SHA14ffa098ff794f3c994a6cd33fc2893e9e0ccebb2
SHA25628d31e5a06db0868ed1ff42ad3aa19fc5cb38ba7888e6cc649a06113db1c5461
SHA512a8f8ef63d3ae7967721bb3ce9ad8aaeff1f36566a5dd45b6dbb3b1a4039c04b2f3c189db03a99da632c4f866026c226553984c9ebf46f1699522136418f9d7af
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD59e5c06719286f4eecc6b3dda4918a048
SHA15c66d9cc0b3febb12161edf316dc1fdc0413c893
SHA25642fa255f1232d525993d5c0c49a5a8f9c86971bad84bed39524cf1522d296dfe
SHA5120dfe3ac34f70b40bc93ee320fdf9935577994479ca24489b32844947cb8bd5f8bf78b70c6dd882d2bfe2e52392d6fceb5b9049c73dc597ca6f0147dab49dc02a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5e2665408e477eafb52537d4d9a850d2b
SHA1722842883996d5f6f3cb44e48806b3e82595b4e2
SHA256a01e484286e301bd3579752eb615f65f4649bc1966304122500254fe05801a12
SHA512068dbe6e69a4cda7944b545e937294183c7fdabcc462d560a4364eb18ab24e60684853a4985743daff4d92cc9d804657a82597396d9e5ee7f37478a3902e1f6b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5a577a4e89ff0110d3bd18ce86fd7f50a
SHA1db2c9dd96eaf6e3eb23183f70cf4a013b72c3bf1
SHA2563c0c267ebe54979d7771e30e7afe4bf409dc20c4d8d323f82275c7dc75eaa71c
SHA5123337a4bdec9ecca3b0a2718c01ac2f70c20fe95e6a0bd7d0cdc8632a3773460dc73a11c5faeb319bd6557c729adc84bd0e37d77fec25c3959a24606006260e0e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5fd36db6ca6fb9de12912656ff2ee36fb
SHA1cb31f5547170c352e9e87f9bbb8436c968e58b71
SHA256686106cc40dfd90304ef786b1325a4f82c3ec32146b03d2371eb72dc05ef903e
SHA51246f1a05c697c01aaa13eae2ddcaf8a7a480ccedee404ede240770b7c105d925101b0d8adb8948d2b17f9529b342fc975927966694388f75a060825ca8bf72002
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5f3b47935003fce2af3128d93a5d0e042
SHA113670d397b890dfe66c943cc193dd8e6e92266d4
SHA2566ae1930dc3d428976d8555e5b8093d563fd700055200bde617c1a99f3b1f7a50
SHA512571fc2894a6b158e2e794ca5fac399523d91d89b3fb0f4fb6427d95017e5a4258f2b6659ffcca8e632504ab4897abe7e8322dc46a18d25c7ff16764adb387294
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5a7e37ecf2f204f95a2deb0028e557f6d
SHA10fbafbaf47974e601231bc0966ddd8780797da13
SHA256e87fa38b6d44538da32c609b0a2920d4e56fdc4c2153ce51214a458ab7a97375
SHA5129fa23a13326f07f683675f484d96f847e761650e2710eba3b0af4058cb8455bec0cee6d8304e64ec4985f853ecf548aa13195aaf220e7ef20c8ff9ae11376e5f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD581598c9d4aa23a2f91e88cd06b5a46e9
SHA1c8dd575ea6f25e4d9ef5ca02f28b898b89174010
SHA256152714fab5e3fe27673a05986075ea62dcb5d46264d95b1cdd0308210d2b02f0
SHA51286b9c920446974cd4b85d502d8c51221c8687df8574627dfd32f49ecef1224dec7ae05e4c28cd232d22376c04c7da75818ab2c34ff5e58beb8c0d36cba086974
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD563ce644e11ecf45b043a3e757580379b
SHA17420127ba442d8943ab680a0697407470ffb0a02
SHA256b1d20ac3faae102ea147fcda97e276a9ab46a51acacd09a3374ed6d833759088
SHA5122eebd295f4494077537c3fd13744989f06ae32985e5cf079ff87ffa42e125c130132db9c28191a72d4c0a5ccc76a3f5d80cf42bf30cb28de8705284804e4835e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
392B
MD54103aa0700f2dc439d4c321ebe22936e
SHA194f723d73f9deda4e4db60e5b8a7a0018f0f52e2
SHA2564f4f709cfd21c76526c769225e57ebeb1691197b6529299bd28950def897dc79
SHA512da522d7d963f89907379439d042c4600eb8c1f64c76485cfc282cbb75692690d20950a8b37227ea23147b8a0362e867d96a6031c619d12aebdbe2a31c1b01fd3
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wi962z5\imagestore.datFilesize
126KB
MD5cbd094c301d4d4bb4c7bf213c63fecb6
SHA168e5c47b951f70b7b960ab72f2ec03148fe25718
SHA25680115e73e15057e377678bd249f34c6669035d492caf03fc047610147a9fc553
SHA512812400aa4ed25a7b8970ebfdd1391af65f04973b5511d825ede443a58e47581cf513229b8514841225e6189aa857861353212ad447beca6198bf05ecc8c094de
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\favicon[1].pngFilesize
126KB
MD540520d030be304644ead991b25de54dc
SHA113c417cc8d9fe72b115670ab232adebc9adf6be4
SHA2563d29a578e7032ae64fafb00220be63f34e2771ee2ddb5ac1c80a917e47d1f38e
SHA51298cc818b669880254cb0f35fc6a6d9a2e76f5afcbef2e4d3d17c428543f55e06af47f6223546775428860442f150ecec6a5e266c33f032eaca24fb6c1925246d
-
C:\Users\Admin\AppData\Local\Temp\TarFE15.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\Temp\dvywbd.exeFilesize
571KB
MD5ab1d6a0b504e8302bfa1761e8ab6198d
SHA1982fbb07d7b18bf160f3111711fe5c194f7347d9
SHA25633a4b7269c1ff49c478d1da7a466d64a6ffdd8aa34f627a284bb5e6ee0cccb4a
SHA5128c88f1c61ac71a8dd2a2e89c0278c64576555a24e5f011898a4941fa1ebf501d0d2b19a9ea64053c55f703ca4440d2e30d30abfcc7a9f814a9f010c8dc156e17
-
C:\Users\Admin\AppData\Local\Temp\dvywbd.iniFilesize
70B
MD5c00ce9ed943065e34ae082f0dc82bb89
SHA1c5d364ac6c9cf5a132104a9aba36306d84ef877b
SHA256fefd534f4da1143b737a1b024203aadd65154ff969b3fa5ecd2b8cb05caf066f
SHA51286645fe0983989c98a11f84f60a292298679df5b0f79b52b01e1eab3af4fdda73b5a6405ef6d27329311cdcd5798ccbf29b2a31dcf177986a08e77248417a752
-
C:\Users\Admin\AppData\Local\Temp\owzihn.mp4Filesize
312KB
MD5e8653029eedb0e8e72a610d15c77907c
SHA11eb9f618ef3d2f2711e166721d3f5047313073e5
SHA2569c066096d1c6c277bb85c2c1e2f1371a964ff544b8187658cd35a79544f30c1b
SHA5126665da01a2b1923c0064856f60d99114dfe266a2660cd749da195d19b42b8e2e2c93232b548029e725b09d5657bb6c3a609b806086d522751e185f3925ddb915
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GCTZ0OFAQKFL8QMP4I1Z.tempFilesize
7KB
MD591a822d337bddb5269ca871880e5c01b
SHA1a62d8ad1e62faf8a97150d00311a51fb70e64b91
SHA25657d7ddce7cc468ceda6883fe261e28d9f2e227d80389b8a59a2d6fc120cef030
SHA512afa7ac3916dd6b0a6b73e2c95a7d0c725b6be773418b5c2b8a2b846e2775c527f77c720ddce07a951c69c84e14b6cb41ae1309267141ba73ce53540f70a6c5c1
-
C:\Users\Admin\AppData\Roaming\TLauncherFilesize
79KB
MD55c888eddae30076bd7aaa2e5d5fea097
SHA16a5b5c290d24bcd984a7083f934dbf35f56ec888
SHA256267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788
SHA5124a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1
-
memory/988-41-0x0000000001360000-0x000000000137A000-memory.dmpFilesize
104KB
-
memory/1700-2-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmpFilesize
9.9MB
-
memory/1700-1-0x00000000008B0000-0x00000000008CA000-memory.dmpFilesize
104KB
-
memory/1700-0-0x000007FEF4EB3000-0x000007FEF4EB4000-memory.dmpFilesize
4KB
-
memory/1700-34-0x000007FEF4EB3000-0x000007FEF4EB4000-memory.dmpFilesize
4KB
-
memory/1700-35-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmpFilesize
9.9MB
-
memory/1700-36-0x00000000003D0000-0x00000000003DC000-memory.dmpFilesize
48KB
-
memory/1700-39-0x000000001A8A0000-0x000000001A8B0000-memory.dmpFilesize
64KB
-
memory/2348-33-0x0000000000F10000-0x0000000000F2A000-memory.dmpFilesize
104KB
-
memory/2600-91-0x000007FEEA500000-0x000007FEEA515000-memory.dmpFilesize
84KB
-
memory/2600-65-0x000007FEF1070000-0x000007FEF1081000-memory.dmpFilesize
68KB
-
memory/2600-103-0x000007FEE9960000-0x000007FEE9994000-memory.dmpFilesize
208KB
-
memory/2600-102-0x000007FEE99A0000-0x000007FEE99F7000-memory.dmpFilesize
348KB
-
memory/2600-77-0x000007FEEAF00000-0x000007FEEC76F000-memory.dmpFilesize
24.4MB
-
memory/2600-101-0x000007FEE9A00000-0x000007FEE9A4E000-memory.dmpFilesize
312KB
-
memory/2600-100-0x000007FEE9CF0000-0x000007FEE9D01000-memory.dmpFilesize
68KB
-
memory/2600-98-0x000007FEE9EE0000-0x000007FEE9F27000-memory.dmpFilesize
284KB
-
memory/2600-97-0x000007FEE9F30000-0x000007FEE9F91000-memory.dmpFilesize
388KB
-
memory/2600-96-0x000007FEE9FA0000-0x000007FEE9FB1000-memory.dmpFilesize
68KB
-
memory/2600-95-0x000007FEEA360000-0x000007FEEA371000-memory.dmpFilesize
68KB
-
memory/2600-94-0x000007FEEA380000-0x000007FEEA486000-memory.dmpFilesize
1.0MB
-
memory/2600-90-0x000007FEEA520000-0x000007FEEA7D0000-memory.dmpFilesize
2.7MB
-
memory/2600-93-0x000007FEEA490000-0x000007FEEA4A3000-memory.dmpFilesize
76KB
-
memory/2600-92-0x000007FEEA4B0000-0x000007FEEA4D3000-memory.dmpFilesize
140KB
-
memory/2600-86-0x000007FEF0590000-0x000007FEF05A1000-memory.dmpFilesize
68KB
-
memory/2600-89-0x000007FEF0520000-0x000007FEF0562000-memory.dmpFilesize
264KB
-
memory/2600-88-0x000007FEEA860000-0x000007FEEA925000-memory.dmpFilesize
788KB
-
memory/2600-87-0x000007FEF0570000-0x000007FEF0586000-memory.dmpFilesize
88KB
-
memory/2600-85-0x000007FEF05B0000-0x000007FEF05DF000-memory.dmpFilesize
188KB
-
memory/2600-84-0x000007FEFB0F0000-0x000007FEFB100000-memory.dmpFilesize
64KB
-
memory/2600-83-0x000007FEEA930000-0x000007FEEAB71000-memory.dmpFilesize
2.3MB
-
memory/2600-82-0x000007FEF0AB0000-0x000007FEF0B07000-memory.dmpFilesize
348KB
-
memory/2600-81-0x000007FEF0B10000-0x000007FEF0B5D000-memory.dmpFilesize
308KB
-
memory/2600-80-0x000007FEF0B60000-0x000007FEF0BA2000-memory.dmpFilesize
264KB
-
memory/2600-79-0x000007FEF0BB0000-0x000007FEF0BC2000-memory.dmpFilesize
72KB
-
memory/2600-78-0x000007FEEACF0000-0x000007FEEAEF6000-memory.dmpFilesize
2.0MB
-
memory/2600-69-0x000007FEF0FF0000-0x000007FEF1008000-memory.dmpFilesize
96KB
-
memory/2600-68-0x000007FEF1010000-0x000007FEF1021000-memory.dmpFilesize
68KB
-
memory/2600-67-0x000007FEF1030000-0x000007FEF104B000-memory.dmpFilesize
108KB
-
memory/2600-66-0x000007FEF1050000-0x000007FEF1061000-memory.dmpFilesize
68KB
-
memory/2600-99-0x000007FEE9E60000-0x000007FEE9ED4000-memory.dmpFilesize
464KB
-
memory/2600-64-0x000007FEF1090000-0x000007FEF10A1000-memory.dmpFilesize
68KB
-
memory/2600-63-0x000007FEF10B0000-0x000007FEF10C8000-memory.dmpFilesize
96KB
-
memory/2600-62-0x000007FEF10D0000-0x000007FEF10F1000-memory.dmpFilesize
132KB
-
memory/2600-61-0x000007FEF1100000-0x000007FEF1141000-memory.dmpFilesize
260KB
-
memory/2600-106-0x000007FEF12E0000-0x000007FEF1596000-memory.dmpFilesize
2.7MB
-
memory/2600-70-0x000007FEF0FC0000-0x000007FEF0FF0000-memory.dmpFilesize
192KB
-
memory/2600-71-0x000007FEF0CB0000-0x000007FEF0D17000-memory.dmpFilesize
412KB
-
memory/2600-74-0x000007FEF0BD0000-0x000007FEF0C27000-memory.dmpFilesize
348KB
-
memory/2600-60-0x000007FEEC770000-0x000007FEED820000-memory.dmpFilesize
16.7MB
-
memory/2600-72-0x000007FEF0C30000-0x000007FEF0CAC000-memory.dmpFilesize
496KB
-
memory/2600-73-0x000007FEF0FA0000-0x000007FEF0FB1000-memory.dmpFilesize
68KB
-
memory/2600-75-0x000007FEEE9E0000-0x000007FEEEB60000-memory.dmpFilesize
1.5MB
-
memory/2600-76-0x000007FEF0F80000-0x000007FEF0F97000-memory.dmpFilesize
92KB
-
memory/2600-52-0x000007FEFA670000-0x000007FEFA688000-memory.dmpFilesize
96KB
-
memory/2600-53-0x000007FEF66A0000-0x000007FEF66B7000-memory.dmpFilesize
92KB
-
memory/2600-54-0x000007FEF5900000-0x000007FEF5911000-memory.dmpFilesize
68KB
-
memory/2600-55-0x000007FEF58E0000-0x000007FEF58F7000-memory.dmpFilesize
92KB
-
memory/2600-59-0x000007FEF0D20000-0x000007FEF0F2B000-memory.dmpFilesize
2.0MB
-
memory/2600-56-0x000007FEF1190000-0x000007FEF11A1000-memory.dmpFilesize
68KB
-
memory/2600-57-0x000007FEF1170000-0x000007FEF118D000-memory.dmpFilesize
116KB
-
memory/2600-51-0x000007FEF12E0000-0x000007FEF1596000-memory.dmpFilesize
2.7MB
-
memory/2600-58-0x000007FEF1150000-0x000007FEF1161000-memory.dmpFilesize
68KB
-
memory/2600-49-0x000000013FFB0000-0x00000001400A8000-memory.dmpFilesize
992KB
-
memory/2600-50-0x000007FEFA8D0000-0x000007FEFA904000-memory.dmpFilesize
208KB
-
memory/2716-16-0x0000000001E00000-0x0000000001E08000-memory.dmpFilesize
32KB
-
memory/2716-15-0x000000001B570000-0x000000001B852000-memory.dmpFilesize
2.9MB
-
memory/2824-7-0x0000000002AA0000-0x0000000002B20000-memory.dmpFilesize
512KB
-
memory/2824-8-0x000000001B660000-0x000000001B942000-memory.dmpFilesize
2.9MB
-
memory/2824-9-0x0000000002860000-0x0000000002868000-memory.dmpFilesize
32KB
