Analysis
-
max time kernel
59s -
max time network
61s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
21-04-2024 05:54
General
-
Target
file300un.exe
-
Size
3.3MB
-
MD5
b9882fe8bb7ab2a4d094f9ff5442df1c
-
SHA1
e17c146530a4371e0595c195c24863935a3dee8b
-
SHA256
4f47d84b03f5cfa3845d1b36df5e40df984756fc6ba2d98586eb39dced212628
-
SHA512
bee33d43deb43854975e6c7a57f27ab8c6519ea3e6df51297ca670ac62831f29f6a18eff0bb0af14f9e985ebf9e2169ed97582fa64998cfb33b1d8b61ec72db4
-
SSDEEP
49152:zUIbNigeVE2MD7ZDAgUf0dgF8bEOlf84L:JI3bg3J
Malware Config
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 16 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 4 IoCs
-
Executes dropped EXE 10 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 10 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 6 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file300un.exe"C:\Users\Admin\AppData\Local\Temp\file300un.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\LRmVpMiYJzJYgg3XROIOifh5.exe"C:\Users\Admin\Pictures\LRmVpMiYJzJYgg3XROIOifh5.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\LRmVpMiYJzJYgg3XROIOifh5.exe"C:\Users\Admin\Pictures\LRmVpMiYJzJYgg3XROIOifh5.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\kvvizWi8MRMm0JIaMmFzS96W.exe"C:\Users\Admin\Pictures\kvvizWi8MRMm0JIaMmFzS96W.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\kvvizWi8MRMm0JIaMmFzS96W.exe"C:\Users\Admin\Pictures\kvvizWi8MRMm0JIaMmFzS96W.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\vrqkgxdEDNasfqNlt5WlLco4.exe"C:\Users\Admin\Pictures\vrqkgxdEDNasfqNlt5WlLco4.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u1nc.0.exe"C:\Users\Admin\AppData\Local\Temp\u1nc.0.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 12925⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2068 -ip 20681⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5a6ea7bfcd3aac150c0caef765cb52281
SHA1037dc22c46a0eb0b9ad4c74088129e387cffe96b
SHA256f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9
SHA512c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
21KB
MD53021aaa368441fe5aadf27e54d8a4de0
SHA15fdeb83f77ac22d9ba1d3b9864a3a985d416b80b
SHA256a537c89c3660753ac71be0146d96edb1d86ccb528368ff1338e76566777aff8e
SHA512804283bb47421ba98a5a2376d04c8d2beba6c00ad0b82aa25f3dcc17d189331f69bd9a8c7753a111841b138adc0675934737a1fb6e2fb2ea5cf84dfa69f71867
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_00df51qv.aja.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\u1nc.0.exeFilesize
323KB
MD51d4341aa0ca4aefcb043d19eb205d8ac
SHA1c6e7a063a22e6bad72b2c81017747ab31cb59579
SHA25642af762221074082dc3aa6e4efdc2b6439cc026d6e94d6eeae97fcfafda272b4
SHA5121bcc133000feb1ab7944295a14601ff1a66432dcbe117e9e60c9f98cb8aee5b28f0ddcbbc25e2b6d91b677ca67de32a8930a1317de9b8be17524a9bea43c73a7
-
C:\Users\Admin\Pictures\LRmVpMiYJzJYgg3XROIOifh5.exeFilesize
4.2MB
MD512c1251ddacc8c6651573aaae2a36711
SHA1aa4a4fc95f24a847f33a0fcc22d318fe947929d0
SHA256a018166a731757f43374b0b24baecfbf31b85cf9de793b9d11b186acf887bf22
SHA512e8e9723b210254504ae06f77ed86ff5c7da0ac1ba5134cb2ab99cd42b06744cdf2379835d5e8cbd413da69b1184a0d6297d29dc8393794d8959c5a2dc94f0a69
-
C:\Users\Admin\Pictures\UiJwPe2tuCIX64zQGf0DJA9J.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\vrqkgxdEDNasfqNlt5WlLco4.exeFilesize
445KB
MD5ddbb9a4caa78db40bb47ee413252f12f
SHA16153acfbb9773424f3d3ccfcca917c277b2500d5
SHA256f2c98424e2142ea86ef140dd1b0bdf1b3c7b8cc99ec6194c851ad2f0ed3b2e31
SHA5125afa0ee709e43f3445b9c9733ac8df92c04682d9b3e8b25441e5392cb17303c0c39e9c56c9d3bf27ea266815d571d659749dedc18af0506c987b056c6d9dbb60
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5c5bef9f9ea8ff234da0cebea6857b234
SHA132b96eb65d973087c5e2b9ffbee131c4ed7d3060
SHA25666547b59f5a31e83691f19ca916dfa1552469a3522ca70d8912328f82966dfb4
SHA512a87e8dd215d521613c9755f825e2f7654996c464372dea8d483c5f56e8f11ed83fa39f850fc0432f0a4c04dd50fac80d068908917d7e91b7cb64e9f78417e9a2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD518737d8ba45669d5c65782cdc5761a5c
SHA1dc331db998f77d1dfe3377146f410604f3bc1e00
SHA2562c5a11cc7b5a366abb1ea9f9d2fba5a4c436da074aae53f16c3a974117f405b7
SHA512a63f3c66af709b7a9ef8410a0201a800f8a0ff19350cb88847bce4168cbf040f50302e99245a8d5212f2be889835d81424f758fc660c20085e633e23bb6e6553
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD535d4389ae83f62ce1f8e48718af862af
SHA16d77f7d0a1fc881d8a1d75bc81b91597001f51f7
SHA2565eacb38f8957c5c14e4e14a1d5bb1be6aa9d64f0256c7707b600528cf37f800a
SHA512f4443e2deac39a1e042267c418ac004cd477a29f1359f5718b2c42da6b922cd06c47a2bc6d185fcfb1d39e60bc15758ce5b34acb9ac779eecd49211e5d55aab3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5e667f18b04a493e005e88253c7c22df1
SHA150ddbce888ac18aabae9d6c3668a1ea7b8bf9de6
SHA256090ebec1b39f687ffb0214cefcb1b88f5fe94ba27bc3098201b8d5eff93d8c95
SHA512d7bde4471e8d70565e9cd455a71083b5363d16858e2bba69da25305b6ed1b8b15babc9ec192d62d9551730bd10860a310a9cc37c09126af86d9f9b7dd997ffd6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD522842b3a577f7cc63ca1b15679285b4e
SHA1d033b893f68f5301f2f864deae112cb24467de8c
SHA25641612ddc22bd9287c1f32ae1f1354515c4db9f7f7cc5706904697575a1548bfb
SHA5129664f39c502cfa22fce0e3b7c2775e06226c6aa722fd5b34285c285821ab81afd75abf4d600834dd0782436411671df48fc16d4450720e346315d9d274bda3c5
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/716-154-0x0000000003A40000-0x0000000003E3B000-memory.dmpFilesize
4.0MB
-
memory/716-169-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/716-67-0x0000000003F40000-0x000000000482B000-memory.dmpFilesize
8.9MB
-
memory/716-68-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/716-65-0x0000000003A40000-0x0000000003E3B000-memory.dmpFilesize
4.0MB
-
memory/892-484-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1924-179-0x0000000005FD0000-0x0000000006324000-memory.dmpFilesize
3.3MB
-
memory/1924-171-0x00000000050D0000-0x00000000050E0000-memory.dmpFilesize
64KB
-
memory/1924-170-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/1968-84-0x0000000007060000-0x0000000007092000-memory.dmpFilesize
200KB
-
memory/1968-139-0x0000000007260000-0x0000000007268000-memory.dmpFilesize
32KB
-
memory/1968-69-0x0000000006DF0000-0x0000000006E66000-memory.dmpFilesize
472KB
-
memory/1968-34-0x0000000004C30000-0x0000000005258000-memory.dmpFilesize
6.2MB
-
memory/1968-82-0x00000000074F0000-0x0000000007B6A000-memory.dmpFilesize
6.5MB
-
memory/1968-83-0x0000000006EA0000-0x0000000006EBA000-memory.dmpFilesize
104KB
-
memory/1968-48-0x0000000005AE0000-0x0000000005AFE000-memory.dmpFilesize
120KB
-
memory/1968-66-0x0000000005EE0000-0x0000000005F24000-memory.dmpFilesize
272KB
-
memory/1968-90-0x000000007F580000-0x000000007F590000-memory.dmpFilesize
64KB
-
memory/1968-86-0x000000006F870000-0x000000006F8BC000-memory.dmpFilesize
304KB
-
memory/1968-109-0x00000000070A0000-0x00000000070BE000-memory.dmpFilesize
120KB
-
memory/1968-110-0x0000000002530000-0x0000000002540000-memory.dmpFilesize
64KB
-
memory/1968-114-0x00000000070C0000-0x0000000007163000-memory.dmpFilesize
652KB
-
memory/1968-49-0x0000000005B20000-0x0000000005B6C000-memory.dmpFilesize
304KB
-
memory/1968-31-0x00000000024F0000-0x0000000002526000-memory.dmpFilesize
216KB
-
memory/1968-93-0x000000006FA40000-0x000000006FD94000-memory.dmpFilesize
3.3MB
-
memory/1968-33-0x0000000002530000-0x0000000002540000-memory.dmpFilesize
64KB
-
memory/1968-35-0x0000000004C00000-0x0000000004C22000-memory.dmpFilesize
136KB
-
memory/1968-117-0x00000000071B0000-0x00000000071BA000-memory.dmpFilesize
40KB
-
memory/1968-36-0x00000000052F0000-0x0000000005356000-memory.dmpFilesize
408KB
-
memory/1968-119-0x0000000007270000-0x0000000007306000-memory.dmpFilesize
600KB
-
memory/1968-121-0x0000000002530000-0x0000000002540000-memory.dmpFilesize
64KB
-
memory/1968-122-0x00000000071D0000-0x00000000071E1000-memory.dmpFilesize
68KB
-
memory/1968-37-0x0000000005490000-0x00000000054F6000-memory.dmpFilesize
408KB
-
memory/1968-125-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/1968-146-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/1968-47-0x0000000005500000-0x0000000005854000-memory.dmpFilesize
3.3MB
-
memory/1968-135-0x0000000007210000-0x000000000721E000-memory.dmpFilesize
56KB
-
memory/1968-137-0x0000000007220000-0x0000000007234000-memory.dmpFilesize
80KB
-
memory/1968-138-0x0000000007310000-0x000000000732A000-memory.dmpFilesize
104KB
-
memory/1968-32-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/2068-198-0x0000000000400000-0x0000000001A1C000-memory.dmpFilesize
22.1MB
-
memory/2068-172-0x0000000001C90000-0x0000000001CB7000-memory.dmpFilesize
156KB
-
memory/2068-178-0x0000000000400000-0x0000000001A1C000-memory.dmpFilesize
22.1MB
-
memory/2136-118-0x0000000000400000-0x0000000001A3A000-memory.dmpFilesize
22.2MB
-
memory/2136-116-0x0000000003590000-0x00000000035FE000-memory.dmpFilesize
440KB
-
memory/2136-236-0x0000000000400000-0x0000000001A3A000-memory.dmpFilesize
22.2MB
-
memory/2136-115-0x0000000001BF0000-0x0000000001CF0000-memory.dmpFilesize
1024KB
-
memory/2264-124-0x000000006FA40000-0x000000006FD94000-memory.dmpFilesize
3.3MB
-
memory/2264-123-0x000000006F870000-0x000000006F8BC000-memory.dmpFilesize
304KB
-
memory/2264-71-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/2264-136-0x000000007FAB0000-0x000000007FAC0000-memory.dmpFilesize
64KB
-
memory/2264-72-0x00000000047B0000-0x00000000047C0000-memory.dmpFilesize
64KB
-
memory/2264-145-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/3172-184-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/3552-1-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/3552-0-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/3552-2-0x00000000056E0000-0x00000000056F0000-memory.dmpFilesize
64KB
-
memory/3552-70-0x00000000056E0000-0x00000000056F0000-memory.dmpFilesize
64KB
-
memory/3552-64-0x0000000074B60000-0x0000000075310000-memory.dmpFilesize
7.7MB
-
memory/3800-151-0x0000000003AC0000-0x0000000003EC0000-memory.dmpFilesize
4.0MB
-
memory/3800-360-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3800-152-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3800-286-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3840-156-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3840-297-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3840-155-0x0000000003A60000-0x0000000003E68000-memory.dmpFilesize
4.0MB
-
memory/3840-368-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/3964-479-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4664-474-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4664-467-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4664-483-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4788-29-0x0000000003E60000-0x000000000474B000-memory.dmpFilesize
8.9MB
-
memory/4788-28-0x0000000003A60000-0x0000000003E5A000-memory.dmpFilesize
4.0MB
-
memory/4788-157-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4788-30-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4788-120-0x0000000000400000-0x0000000001DF9000-memory.dmpFilesize
26.0MB
-
memory/4788-85-0x0000000003A60000-0x0000000003E5A000-memory.dmpFilesize
4.0MB