Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system -
submitted
08-07-2024 09:02
Static task
static1
Behavioral task
behavioral1
Sample
ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d.vbs
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d.vbs
Resource
win10v2004-20240704-en
General
-
Target
ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d.vbs
-
Size
352KB
-
MD5
c465ada59596b24ce7ec12859f022d1f
-
SHA1
ce4d09b3a355ed0f5f88bcdc1fcdac749862b728
-
SHA256
ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d
-
SHA512
b9563c08c2c76334d78e73b59e5a9450469e002030b28520231708e756185742bc96f115e887753a51512616e81e9a7f4a44d3314647c088c58bbe0f644b675f
-
SSDEEP
1536:jh2F+VOLE9uko/3o1v4c4g2EePv/qcwUNQX3vGcXaA+7/BzGdZQn2sk82SCGZjjI:jeV1CZpyM
Malware Config
Extracted
xworm
fudisa.com:58538
-
Install_directory
%AppData%
-
install_file
Notepad++.exe
Extracted
xworm
5.0
mparrain10.duckdns.org:24124
bgBnpZsYijmcMpUV
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/448-60-0x0000000000400000-0x0000000000418000-memory.dmp | family_xworm
behavioral2/memory/448-107-0x00000000062B0000-0x00000000062BE000-memory.dmp | family_xworm
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/448-108-0x0000000006E80000-0x0000000006F9E000-memory.dmp | family_stormkitty
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Drops startup file 3 IoCs
Processes:
AddInProcess32.exe, AddInProcess32.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad++.lnk | AddInProcess32.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad++.lnk | AddInProcess32.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad++.lnk | AddInProcess32.exe
-
Drops file in System32 directory 3 IoCs
Processes:
powershell.exe, powershell.exe, powershell.exe
description | ioc | process
File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
powershell.exe, powershell.exe
description | pid | process | target process
PID 4360 set thread context of 448 | 4360 | powershell.exe | AddInProcess32.exe
PID 4068 set thread context of 3380 | 4068 | powershell.exe | AddInProcess32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
2168 | 448 | WerFault.exe | AddInProcess32.exe
-
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
wermgr.exe, wermgr.exe, wermgr.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
wermgr.exe, wermgr.exe, wermgr.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | wermgr.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
vlc.exe
pid | process
2076 | vlc.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
powershell.exe, powershell.exe, AddInProcess32.exe, powershell.exe, AddInProcess32.exe
pid | process
4360 | powershell.exe
4360 | powershell.exe
864 | powershell.exe
864 | powershell.exe
864 | powershell.exe
4360 | powershell.exe
4360 | powershell.exe
4360 | powershell.exe
4360 | powershell.exe
4360 | powershell.exe
4360 | powershell.exe
448 | AddInProcess32.exe
448 | AddInProcess32.exe
4068 | powershell.exe
4068 | powershell.exe
4068 | powershell.exe
4068 | powershell.exe
4068 | powershell.exe
4068 | powershell.exe
4068 | powershell.exe
4068 | powershell.exe
3380 | AddInProcess32.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
vlc.exe
pid | process
2076 | vlc.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
powershell.exe, powershell.exe, AddInProcess32.exe, powershell.exe, AddInProcess32.exe
description | pid | process
Token: SeDebugPrivilege | 4360 | powershell.exe
Token: SeDebugPrivilege | 864 | powershell.exe
Token: SeDebugPrivilege | 448 | AddInProcess32.exe
Token: SeDebugPrivilege | 4068 | powershell.exe
Token: SeDebugPrivilege | 3380 | AddInProcess32.exe
-
Suspicious use of FindShellTrayWindow 9 IoCs
Processes:
vlc.exe
pid | process
2076 | vlc.exe
2076 | vlc.exe
2076 | vlc.exe
2076 | vlc.exe
2076 | vlc.exe
2076 | vlc.exe
2076 | vlc.exe
2076 | vlc.exe
2076 | vlc.exe
-
Suspicious use of SendNotifyMessage 8 IoCs
Processes:
vlc.exe
pid | process
2076 | vlc.exe
2076 | vlc.exe
2076 | vlc.exe
2076 | vlc.exe
2076 | vlc.exe
2076 | vlc.exe
2076 | vlc.exe
2076 | vlc.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
vlc.exe, AddInProcess32.exe, AddInProcess32.exe
pid | process
2076 | vlc.exe
448 | AddInProcess32.exe
3380 | AddInProcess32.exe
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
WScript.exe, powershell.exe, powershell.exe, powershell.exe
description | pid | process | target process
PID 1848 wrote to memory of 4360 | 1848 | WScript.exe | powershell.exe
PID 1848 wrote to memory of 4360 | 1848 | WScript.exe | powershell.exe
PID 1848 wrote to memory of 864 | 1848 | WScript.exe | powershell.exe
PID 1848 wrote to memory of 864 | 1848 | WScript.exe | powershell.exe
PID 4360 wrote to memory of 4308 | 4360 | powershell.exe | AddInProcess32.exe
PID 4360 wrote to memory of 4308 | 4360 | powershell.exe | AddInProcess32.exe
PID 4360 wrote to memory of 4308 | 4360 | powershell.exe | AddInProcess32.exe
PID 4360 wrote to memory of 3176 | 4360 | powershell.exe | AddInProcess32.exe
PID 4360 wrote to memory of 3176 | 4360 | powershell.exe | AddInProcess32.exe
PID 4360 wrote to memory of 3176 | 4360 | powershell.exe | AddInProcess32.exe
PID 4360 wrote to memory of 448 | 4360 | powershell.exe | AddInProcess32.exe
PID 4360 wrote to memory of 448 | 4360 | powershell.exe | AddInProcess32.exe
PID 4360 wrote to memory of 448 | 4360 | powershell.exe | AddInProcess32.exe
PID 4360 wrote to memory of 448 | 4360 | powershell.exe | AddInProcess32.exe
PID 4360 wrote to memory of 448 | 4360 | powershell.exe | AddInProcess32.exe
PID 4360 wrote to memory of 448 | 4360 | powershell.exe | AddInProcess32.exe
PID 4360 wrote to memory of 448 | 4360 | powershell.exe | AddInProcess32.exe
PID 4360 wrote to memory of 448 | 4360 | powershell.exe | AddInProcess32.exe
PID 864 wrote to memory of 1828 | 864 | powershell.exe | wermgr.exe
PID 864 wrote to memory of 1828 | 864 | powershell.exe | wermgr.exe
PID 4360 wrote to memory of 208 | 4360 | powershell.exe | wermgr.exe
PID 4360 wrote to memory of 208 | 4360 | powershell.exe | wermgr.exe
PID 1848 wrote to memory of 4068 | 1848 | WScript.exe | powershell.exe
PID 1848 wrote to memory of 4068 | 1848 | WScript.exe | powershell.exe
PID 4068 wrote to memory of 4764 | 4068 | powershell.exe | AddInProcess32.exe
PID 4068 wrote to memory of 4764 | 4068 | powershell.exe | AddInProcess32.exe
PID 4068 wrote to memory of 4764 | 4068 | powershell.exe | AddInProcess32.exe
PID 4068 wrote to memory of 4964 | 4068 | powershell.exe | AddInProcess32.exe
PID 4068 wrote to memory of 4964 | 4068 | powershell.exe | AddInProcess32.exe
PID 4068 wrote to memory of 4964 | 4068 | powershell.exe | AddInProcess32.exe
PID 4068 wrote to memory of 3380 | 4068 | powershell.exe | AddInProcess32.exe
PID 4068 wrote to memory of 3380 | 4068 | powershell.exe | AddInProcess32.exe
PID 4068 wrote to memory of 3380 | 4068 | powershell.exe | AddInProcess32.exe
PID 4068 wrote to memory of 3380 | 4068 | powershell.exe | AddInProcess32.exe
PID 4068 wrote to memory of 3380 | 4068 | powershell.exe | AddInProcess32.exe
PID 4068 wrote to memory of 3380 | 4068 | powershell.exe | AddInProcess32.exe
PID 4068 wrote to memory of 3380 | 4068 | powershell.exe | AddInProcess32.exe
PID 4068 wrote to memory of 3380 | 4068 | powershell.exe | AddInProcess32.exe
PID 4068 wrote to memory of 624 | 4068 | powershell.exe | wermgr.exe
PID 4068 wrote to memory of 624 | 4068 | powershell.exe | wermgr.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d.vbs"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2740,i,4226873509039249198,15952596839998010243,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:81⤵
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Users\Admin\asy3.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 20804⤵
- Program crash
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4360" "2796" "2740" "2800" "0" "0" "2804" "0" "0" "0" "0" "0"3⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "864" "2692" "2616" "2696" "0" "0" "2700" "0" "0" "0" "0" "0"3⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4068" "2764" "2700" "2768" "0" "0" "2772" "0" "0" "0" "0" "0"3⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StepSuspend.mp3"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 448 -ip 4481⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads