Analysis
-
max time kernel
300s -
max time network
302s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
-
submitted
29-03-2024 01:52
General
-
Target
a8f1ae296787ddc24e0e7a241d0bc5829631c98a5eb186a8cfd5795c6d287db9.exe
-
Size
315KB
-
MD5
5fe67781ffe47ec36f91991abf707432
-
SHA1
137e6d50387a837bf929b0da70ab6b1512e95466
-
SHA256
a8f1ae296787ddc24e0e7a241d0bc5829631c98a5eb186a8cfd5795c6d287db9
-
SHA512
0e32d9a72b562d4c4a8c4edbd3d0ece54b67ee87c8ac382c6508c62b04b11a2dcd1fba23c3a78004fcd0c2b623dc854fd2fd82eb372dc7becdcbdd7ec7fe1b68
-
SSDEEP
3072:Q/uViE3w/D/5q+eF/2HjXuq4wQa+pOhKRIEcwE3G/uWQnDPPWCA6jeCKGAY:Q/uVi35q+bGVO7xSQPPfxahhY
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Extracted
lumma
https://democraticseekysiwo.shop/api
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 22 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Windows security bypass 2 TTPs 7 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8f1ae296787ddc24e0e7a241d0bc5829631c98a5eb186a8cfd5795c6d287db9.exe"C:\Users\Admin\AppData\Local\Temp\a8f1ae296787ddc24e0e7a241d0bc5829631c98a5eb186a8cfd5795c6d287db9.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\FC71.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\FC71.dll2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\694.exeC:\Users\Admin\AppData\Local\Temp\694.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"3⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\A536.exeC:\Users\Admin\AppData\Local\Temp\A536.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe2⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
3Disable or Modify Tools
2Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exeFilesize
4.2MB
MD543b4b9050e5b237de2d1412de8781f36
SHA1125cd51af3ca81d4c3e517b8405b9afae92b86f2
SHA25697bb5c78c753aa5e39ffc3d4c1058f584d0241e9b19aff20a248f1f159fdca6d
SHA51224e90d5a5d4a06e0d62ff2b5bc91e686f5cdb2e77fb4c31ef3b6a59f62afae9fc6642bb57576c334e46e234d10300a2814cca747cc315b52ea63b0226a6695d3
-
C:\Users\Admin\AppData\Local\Temp\694.exeFilesize
4.7MB
MD54645adc87acf83b55edff3c5ce2fc28e
SHA14953795cc90315cf7004b8f71718f117887b8c91
SHA2565a03eb8534caf92f4c3d7896d1af7fe61292b5f0995567be8c783ab28c3b74f8
SHA5123d8853dd1f28062f7554628565bc62e42296b0ab69da28665bf29771d78c50fdcdb2432aea09dbeb69d935e0dcf6d3b703af8ba1b7a0aed70b5be93b7959c602
-
C:\Users\Admin\AppData\Local\Temp\A536.exeFilesize
8.4MB
MD5e3b220dd67fcf4900d6602e3c4f44f83
SHA1bfda906d707aaae7d1383dfc494039bc95901722
SHA256117fecc9d6a335c1f065cad4e7a0db5b62bb3ce4fac513a83cc3c775a56ad7e0
SHA51258af1b5e637c1f46b6bcf7371144b57e5b4f7fab18c78541a1259ea78b335d8e5728e7e7f06b47895569ec1b2e3e0313bdbea5547f1a56b1e33bed217ca70765
-
C:\Users\Admin\AppData\Local\Temp\FC71.dllFilesize
3.0MB
MD5a3621c096c304b8e9cbd64dbbad2e7ae
SHA19c53c1a8ffc2afa8d476270c05789260b88d5b2f
SHA2569805d7ea0b73b0322cdb7a7b7def139f75fd01c446556e1c68c43b329d554723
SHA5120c1f80587fc05f5d55c1a8055c514dd8fa332d0889c447e6da7f01272bb0b6da055f2e9e5226aa4f8ba30dc6ce3269ab8b1c6727d63c2c6a6d455cf69da2a347
-
C:\Users\Admin\AppData\Local\Temp\ISetup4.exeFilesize
464KB
MD544f814be76122897ef325f8938f8e4cf
SHA15f338e940d1ee1fa89523d13a0b289912e396d23
SHA2562899d533753918409ab910b70ba92f8740f76c8e8ac74f4c890e53b258e3bff6
SHA512daeb1a81dd4fe1578502d0c681c7e723273d06297c2fad7aeb74b1a06cd05f72a418af9571c82188525af329b3fef9785d588f1416d6ccf45ab58b589d8f0d79
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jd22qsrx.tly.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD52e3c32a3af4950a2eaca3f601971a82a
SHA1f04632236d5b636c8862c8f1d27f2c84baea6341
SHA256365bc337994f0f9d3fabe90dbbe9e3874c1bee0d98f87e1b28b43c713c618245
SHA5128ebd9c0353df5eb46f69325cb6a843f3a589263e01894bb299d4697b60f71d1b6577831067ce48bc93f187cbee554e9c2afc71bbc74cc2a4b1399f816d283ea6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD535b2cecfcdae11bb667990ff310fedb4
SHA18a567cad1a982b9f724f3ad6959b4e162b5fef47
SHA256418b2d20ef4f4376b7250f036c461a09ec20960a0fa23bf6d48aae5b5589bee8
SHA512dd90b3311bb81f8ffa608666dee52553af739dd0c72c945a0a0fb0e3d58c804ed31602cb82fdc1d9c539b0b4f87ac216199d08a48ce005c56f45b2e5a934c132
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD58efe6cacc7cc28caad6bdc11ba5df462
SHA1dd343b160a9ec59cf420ab87dd132c87372af451
SHA256331efd377075c302de4f090913c42e1d9026637af1953ad10dbbcc7da6fae016
SHA512609eac1a3afbde4428924bf4bc9d67750063fe269ec853cc5657e0837a931b3b88e06ca779872395268b0ce93bdd91ebb3392811153e60f46abf555fe97f4497
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5f1d75f079943bc1fb5d48822a79c40b1
SHA19927c81f0707bcd40d428c8b266f24f3f10a177a
SHA256b9acfdee46e89e7dbe9cc5fab818224dca965af9946df9ed9ad1b4d6c64b5788
SHA51295c9d51225c5bd9f35c267d02e6d098a0a2d7a727946b05289dfbf745665724cdf9a0f769f0d89710c757bf920ddeb12bd2e40f4e45c1658f2a310dfe76ec60e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5ce5265665a9b84bbab96d2ee42745d28
SHA1aae731893b07eda42ce3aa510108808144d92d94
SHA25649d9ffed6735824a9cd06f536e379f91d212c8a169fda1cc29729b5b3511fd63
SHA51259d6729ee638e6a9a1f0f14efc5ff1f19dec9264099008ab2dcdd964c56ced49c41a2970a21e4e01ef61a7b86bc5cb92559cc7a70ce2ad14bc6117ed9a048fb1
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/208-175-0x0000000000400000-0x0000000002D72000-memory.dmpFilesize
41.4MB
-
memory/208-35-0x0000000003000000-0x0000000003100000-memory.dmpFilesize
1024KB
-
memory/208-38-0x00000000049E0000-0x0000000004A4F000-memory.dmpFilesize
444KB
-
memory/208-44-0x0000000000400000-0x0000000002D72000-memory.dmpFilesize
41.4MB
-
memory/208-134-0x0000000003000000-0x0000000003100000-memory.dmpFilesize
1024KB
-
memory/208-49-0x0000000000400000-0x0000000002D72000-memory.dmpFilesize
41.4MB
-
memory/216-2-0x0000000000400000-0x0000000002D4D000-memory.dmpFilesize
41.3MB
-
memory/216-1-0x0000000002EC0000-0x0000000002FC0000-memory.dmpFilesize
1024KB
-
memory/216-5-0x0000000000400000-0x0000000002D4D000-memory.dmpFilesize
41.3MB
-
memory/216-3-0x0000000002E90000-0x0000000002E9B000-memory.dmpFilesize
44KB
-
memory/1268-43-0x0000000073AA0000-0x000000007418E000-memory.dmpFilesize
6.9MB
-
memory/1268-26-0x0000000000E20000-0x00000000012D0000-memory.dmpFilesize
4.7MB
-
memory/1268-27-0x0000000073AA0000-0x000000007418E000-memory.dmpFilesize
6.9MB
-
memory/1336-654-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1336-372-0x0000000004C20000-0x000000000501B000-memory.dmpFilesize
4.0MB
-
memory/1336-373-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1336-649-0x0000000004C20000-0x000000000501B000-memory.dmpFilesize
4.0MB
-
memory/1336-1107-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1680-2078-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1680-2086-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1680-2088-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1680-2090-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1680-2092-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1680-1852-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1680-2094-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1680-1950-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1680-2096-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1680-2080-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1680-2082-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1680-2084-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1776-888-0x0000000070980000-0x00000000709CB000-memory.dmpFilesize
300KB
-
memory/1776-863-0x0000000006590000-0x00000000065A0000-memory.dmpFilesize
64KB
-
memory/1776-865-0x0000000006590000-0x00000000065A0000-memory.dmpFilesize
64KB
-
memory/1776-862-0x0000000073900000-0x0000000073FEE000-memory.dmpFilesize
6.9MB
-
memory/1856-379-0x0000000007E80000-0x00000000081D0000-memory.dmpFilesize
3.3MB
-
memory/1856-399-0x0000000070980000-0x00000000709CB000-memory.dmpFilesize
300KB
-
memory/1856-378-0x0000000004FF0000-0x0000000005000000-memory.dmpFilesize
64KB
-
memory/1856-377-0x0000000004FF0000-0x0000000005000000-memory.dmpFilesize
64KB
-
memory/1856-616-0x0000000073900000-0x0000000073FEE000-memory.dmpFilesize
6.9MB
-
memory/1856-406-0x0000000004FF0000-0x0000000005000000-memory.dmpFilesize
64KB
-
memory/1856-376-0x0000000073900000-0x0000000073FEE000-memory.dmpFilesize
6.9MB
-
memory/1856-400-0x0000000070510000-0x0000000070860000-memory.dmpFilesize
3.3MB
-
memory/1856-405-0x00000000099C0000-0x0000000009A65000-memory.dmpFilesize
660KB
-
memory/1856-380-0x00000000087A0000-0x00000000087EB000-memory.dmpFilesize
300KB
-
memory/2144-136-0x0000000004D00000-0x00000000050FA000-memory.dmpFilesize
4.0MB
-
memory/2144-46-0x0000000005200000-0x0000000005AEB000-memory.dmpFilesize
8.9MB
-
memory/2144-118-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/2144-47-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/2144-50-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/2144-366-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/2144-45-0x0000000004D00000-0x00000000050FA000-memory.dmpFilesize
4.0MB
-
memory/2144-370-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/2520-57-0x0000000006F60000-0x0000000007588000-memory.dmpFilesize
6.2MB
-
memory/2520-55-0x00000000067D0000-0x0000000006806000-memory.dmpFilesize
216KB
-
memory/2520-344-0x0000000009970000-0x000000000998A000-memory.dmpFilesize
104KB
-
memory/2520-349-0x0000000009960000-0x0000000009968000-memory.dmpFilesize
32KB
-
memory/2520-54-0x00000000737D0000-0x0000000073EBE000-memory.dmpFilesize
6.9MB
-
memory/2520-56-0x0000000006920000-0x0000000006930000-memory.dmpFilesize
64KB
-
memory/2520-368-0x00000000737D0000-0x0000000073EBE000-memory.dmpFilesize
6.9MB
-
memory/2520-58-0x0000000006920000-0x0000000006930000-memory.dmpFilesize
64KB
-
memory/2520-59-0x0000000002BD0000-0x0000000002BF2000-memory.dmpFilesize
136KB
-
memory/2520-60-0x0000000006DD0000-0x0000000006E36000-memory.dmpFilesize
408KB
-
memory/2520-62-0x0000000007590000-0x00000000078E0000-memory.dmpFilesize
3.3MB
-
memory/2520-61-0x0000000006E40000-0x0000000006EA6000-memory.dmpFilesize
408KB
-
memory/2520-135-0x0000000009AB0000-0x0000000009B44000-memory.dmpFilesize
592KB
-
memory/2520-63-0x0000000006A30000-0x0000000006A4C000-memory.dmpFilesize
112KB
-
memory/2520-64-0x0000000007960000-0x00000000079AB000-memory.dmpFilesize
300KB
-
memory/2520-83-0x0000000007DA0000-0x0000000007DDC000-memory.dmpFilesize
240KB
-
memory/2520-137-0x0000000006920000-0x0000000006930000-memory.dmpFilesize
64KB
-
memory/2520-114-0x0000000008A30000-0x0000000008AA6000-memory.dmpFilesize
472KB
-
memory/2520-123-0x0000000009850000-0x0000000009883000-memory.dmpFilesize
204KB
-
memory/2520-125-0x0000000070C90000-0x0000000070FE0000-memory.dmpFilesize
3.3MB
-
memory/2520-133-0x0000000009890000-0x0000000009935000-memory.dmpFilesize
660KB
-
memory/2520-124-0x0000000070C40000-0x0000000070C8B000-memory.dmpFilesize
300KB
-
memory/2520-126-0x0000000009830000-0x000000000984E000-memory.dmpFilesize
120KB
-
memory/2520-128-0x000000007EFC0000-0x000000007EFD0000-memory.dmpFilesize
64KB
-
memory/2960-21-0x0000000004FB0000-0x00000000050B4000-memory.dmpFilesize
1.0MB
-
memory/2960-179-0x00000000050C0000-0x0000000005C97000-memory.dmpFilesize
11.8MB
-
memory/2960-15-0x0000000002DA0000-0x0000000002DA6000-memory.dmpFilesize
24KB
-
memory/2960-17-0x0000000004E90000-0x0000000004FAF000-memory.dmpFilesize
1.1MB
-
memory/2960-18-0x0000000004FB0000-0x00000000050B4000-memory.dmpFilesize
1.0MB
-
memory/2960-19-0x0000000004FB0000-0x00000000050B4000-memory.dmpFilesize
1.0MB
-
memory/2960-14-0x0000000010000000-0x0000000010309000-memory.dmpFilesize
3.0MB
-
memory/2960-177-0x0000000004FB0000-0x00000000050B4000-memory.dmpFilesize
1.0MB
-
memory/2960-199-0x0000000005DA0000-0x0000000005E94000-memory.dmpFilesize
976KB
-
memory/2960-183-0x0000000005CA0000-0x0000000005D97000-memory.dmpFilesize
988KB
-
memory/2960-48-0x0000000010000000-0x0000000010309000-memory.dmpFilesize
3.0MB
-
memory/2960-190-0x0000000005DA0000-0x0000000005E94000-memory.dmpFilesize
976KB
-
memory/2960-214-0x0000000002CB0000-0x0000000002CC2000-memory.dmpFilesize
72KB
-
memory/2960-215-0x000000006C9E0000-0x000000006CA28000-memory.dmpFilesize
288KB
-
memory/2960-203-0x0000000005DA0000-0x0000000005E94000-memory.dmpFilesize
976KB
-
memory/3324-1853-0x0000000002BA0000-0x0000000002BEC000-memory.dmpFilesize
304KB
-
memory/3324-1856-0x0000000002BA0000-0x0000000002BEC000-memory.dmpFilesize
304KB
-
memory/3340-1851-0x00007FF60B740000-0x00007FF60C011000-memory.dmpFilesize
8.8MB
-
memory/3340-1854-0x00007FF60B740000-0x00007FF60C011000-memory.dmpFilesize
8.8MB
-
memory/3380-4-0x0000000000AC0000-0x0000000000AD6000-memory.dmpFilesize
88KB
-
memory/3552-1949-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4048-2077-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4048-2081-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4976-859-0x0000000073900000-0x0000000073FEE000-memory.dmpFilesize
6.9MB
-
memory/4976-622-0x0000000006870000-0x0000000006880000-memory.dmpFilesize
64KB
-
memory/4976-621-0x0000000006870000-0x0000000006880000-memory.dmpFilesize
64KB
-
memory/4976-620-0x0000000073900000-0x0000000073FEE000-memory.dmpFilesize
6.9MB
-
memory/4976-642-0x000000007F160000-0x000000007F170000-memory.dmpFilesize
64KB
-
memory/4976-644-0x0000000070510000-0x0000000070860000-memory.dmpFilesize
3.3MB
-
memory/4976-643-0x0000000070980000-0x00000000709CB000-memory.dmpFilesize
300KB