Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
07-06-2023 23:45
General
-
Target
72a79ffccc1970d24b9daf5a40b00693d487cd66d33018f0cb049af1b66efdbb.exe
-
Size
4.1MB
-
MD5
9a9dc54b799ace465b77c166422cce89
-
SHA1
bc5caf7ae43f02fae28b7f011225307952a6c29b
-
SHA256
72a79ffccc1970d24b9daf5a40b00693d487cd66d33018f0cb049af1b66efdbb
-
SHA512
ec8ea8da58f2972f5dbd03a308aa6708d0508d13714e093971e41c8e6b7a3af0bd7be22444b5167838bc84b191d7439738db698e0d229149842596efa4367cde
-
SSDEEP
98304:vBN1RAFSgRiVCpISJpdcmes/cLo8j85qRy/lobOo38dy:VWKCpI4pdFo5Hy/loNsU
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 17 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\72a79ffccc1970d24b9daf5a40b00693d487cd66d33018f0cb049af1b66efdbb.exe"C:\Users\Admin\AppData\Local\Temp\72a79ffccc1970d24b9daf5a40b00693d487cd66d33018f0cb049af1b66efdbb.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\72a79ffccc1970d24b9daf5a40b00693d487cd66d33018f0cb049af1b66efdbb.exe"C:\Users\Admin\AppData\Local\Temp\72a79ffccc1970d24b9daf5a40b00693d487cd66d33018f0cb049af1b66efdbb.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wyfglidf.1e2.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD557b8c2e6fee3116dd5ad1b2ca222ad80
SHA1ca5274dcf7886cba5e0cabd42a19a8017e9b1494
SHA256517375ac3faa7edc8a219009f94f352ad01f9e5545341d751784d778fff536aa
SHA51292c37d2086b6776fa6bd4b337b3c0da343896b299f177d6622df906a2459f5075b31380011aef176236e1e759e64a33c1aab9742fbe70d7efe58661aeb683826
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD57ae21394891d51af8406a2cc23c1470d
SHA199532a7cc8ce8a8352092db6f16d516fc9ba8a8c
SHA25644504f360d7ff37b7f3f6ac196e8afaa0e383f24d0dd6b07e0c0659db071ba7b
SHA51266a03381464fb5d3ee74ed794dcb519a9745195fc4b79836891347b8aadd4991cb56a64f25630ea9fb38ff310441d29033bb8bd26307edc746777dbb3f2d0b2e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5b8d65c466cd5382884831f52ca4ac600
SHA143675b164e31f9a6407321797fdc7f21d7f505f9
SHA256da2988b10ee4c1f739d9f7f85b6220f300b2ad3b88b36af67c0bd552aed27675
SHA512ca0df780b45af51c8bf4914bebddc7624638719762d6071505b3559da9d46b420aec933e58e3ed6634cd3c6d8ed785a0e8e39b1d03ee706973cc0cb97ed2b851
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD56d8c0807177427ec717791ef80ee7f9e
SHA13d82c6ea5c03132810dfc9d1b49bf55d8b711213
SHA256d186cbd14e198c85fe97a3a3500f18249cfd71071b52c7f6939fb62818d70898
SHA5128164d6592fff4ff4b7e66d6a3c0d74777bbdfc87ffa67c7f2fce38db52e66e9853361e050e1be0bba0f215402725489f838dfcb5746592d1407f0958215fd7f9
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD567e42855daf45eda2685bf46aeaeec90
SHA10de82ff14235eb4febba4a55ad7f43678327b3c5
SHA25678b8d50467c3c827a712d0646ebbfdc4b03a831566175438c2cf6fa241f2b3a0
SHA5128500e6f5f877f5ef1f0f0ec3b50ecfd68e8ed2bb7843151a2b7973a557de20300e7e5e99193a894726e2c9856225240fe503e797243c947a37c4466d94bba284
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD59a9dc54b799ace465b77c166422cce89
SHA1bc5caf7ae43f02fae28b7f011225307952a6c29b
SHA25672a79ffccc1970d24b9daf5a40b00693d487cd66d33018f0cb049af1b66efdbb
SHA512ec8ea8da58f2972f5dbd03a308aa6708d0508d13714e093971e41c8e6b7a3af0bd7be22444b5167838bc84b191d7439738db698e0d229149842596efa4367cde
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD59a9dc54b799ace465b77c166422cce89
SHA1bc5caf7ae43f02fae28b7f011225307952a6c29b
SHA25672a79ffccc1970d24b9daf5a40b00693d487cd66d33018f0cb049af1b66efdbb
SHA512ec8ea8da58f2972f5dbd03a308aa6708d0508d13714e093971e41c8e6b7a3af0bd7be22444b5167838bc84b191d7439738db698e0d229149842596efa4367cde
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/220-336-0x0000000000DE0000-0x0000000000DF0000-memory.dmpFilesize
64KB
-
memory/220-334-0x0000000000DE0000-0x0000000000DF0000-memory.dmpFilesize
64KB
-
memory/220-333-0x0000000000DE0000-0x0000000000DF0000-memory.dmpFilesize
64KB
-
memory/220-337-0x0000000070AA0000-0x0000000070AEC000-memory.dmpFilesize
304KB
-
memory/220-338-0x0000000070C20000-0x0000000070F74000-memory.dmpFilesize
3.3MB
-
memory/220-348-0x000000007FD10000-0x000000007FD20000-memory.dmpFilesize
64KB
-
memory/1412-236-0x000000007F210000-0x000000007F220000-memory.dmpFilesize
64KB
-
memory/1412-222-0x0000000005370000-0x0000000005380000-memory.dmpFilesize
64KB
-
memory/1412-221-0x0000000005370000-0x0000000005380000-memory.dmpFilesize
64KB
-
memory/1412-225-0x0000000070D00000-0x0000000071054000-memory.dmpFilesize
3.3MB
-
memory/1412-224-0x0000000070B80000-0x0000000070BCC000-memory.dmpFilesize
304KB
-
memory/1412-223-0x0000000005370000-0x0000000005380000-memory.dmpFilesize
64KB
-
memory/2096-281-0x00000000054B0000-0x00000000054C0000-memory.dmpFilesize
64KB
-
memory/2096-282-0x00000000054B0000-0x00000000054C0000-memory.dmpFilesize
64KB
-
memory/2096-283-0x0000000070B80000-0x0000000070BCC000-memory.dmpFilesize
304KB
-
memory/2096-284-0x0000000071320000-0x0000000071674000-memory.dmpFilesize
3.3MB
-
memory/2096-294-0x00000000054B0000-0x00000000054C0000-memory.dmpFilesize
64KB
-
memory/2096-295-0x000000007FA80000-0x000000007FA90000-memory.dmpFilesize
64KB
-
memory/2216-364-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2216-373-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2216-376-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3640-174-0x000000007F9A0000-0x000000007F9B0000-memory.dmpFilesize
64KB
-
memory/3640-143-0x00000000057B0000-0x0000000005816000-memory.dmpFilesize
408KB
-
memory/3640-157-0x0000000002A60000-0x0000000002A70000-memory.dmpFilesize
64KB
-
memory/3640-156-0x00000000071E0000-0x0000000007256000-memory.dmpFilesize
472KB
-
memory/3640-155-0x0000000006400000-0x0000000006444000-memory.dmpFilesize
272KB
-
memory/3640-137-0x0000000002580000-0x00000000025B6000-memory.dmpFilesize
216KB
-
memory/3640-154-0x0000000005E80000-0x0000000005E9E000-memory.dmpFilesize
120KB
-
memory/3640-159-0x0000000007260000-0x000000000727A000-memory.dmpFilesize
104KB
-
memory/3640-138-0x0000000005110000-0x0000000005738000-memory.dmpFilesize
6.2MB
-
memory/3640-178-0x0000000007600000-0x0000000007608000-memory.dmpFilesize
32KB
-
memory/3640-160-0x0000000007420000-0x0000000007452000-memory.dmpFilesize
200KB
-
memory/3640-139-0x0000000002A60000-0x0000000002A70000-memory.dmpFilesize
64KB
-
memory/3640-140-0x0000000002A60000-0x0000000002A70000-memory.dmpFilesize
64KB
-
memory/3640-141-0x0000000004EC0000-0x0000000004EE2000-memory.dmpFilesize
136KB
-
memory/3640-142-0x0000000004F60000-0x0000000004FC6000-memory.dmpFilesize
408KB
-
memory/3640-158-0x00000000078E0000-0x0000000007F5A000-memory.dmpFilesize
6.5MB
-
memory/3640-177-0x00000000076C0000-0x00000000076DA000-memory.dmpFilesize
104KB
-
memory/3640-176-0x00000000075C0000-0x00000000075CE000-memory.dmpFilesize
56KB
-
memory/3640-161-0x0000000070B80000-0x0000000070BCC000-memory.dmpFilesize
304KB
-
memory/3640-175-0x0000000007620000-0x00000000076B6000-memory.dmpFilesize
600KB
-
memory/3640-162-0x0000000070D00000-0x0000000071054000-memory.dmpFilesize
3.3MB
-
memory/3640-173-0x0000000007560000-0x000000000756A000-memory.dmpFilesize
40KB
-
memory/3640-172-0x0000000007400000-0x000000000741E000-memory.dmpFilesize
120KB
-
memory/4064-267-0x0000000000400000-0x000000000294C000-memory.dmpFilesize
37.3MB
-
memory/4064-220-0x0000000000400000-0x000000000294C000-memory.dmpFilesize
37.3MB
-
memory/4136-134-0x0000000004AD0000-0x00000000053BB000-memory.dmpFilesize
8.9MB
-
memory/4136-191-0x0000000000400000-0x000000000294C000-memory.dmpFilesize
37.3MB
-
memory/4136-153-0x0000000000400000-0x000000000294C000-memory.dmpFilesize
37.3MB
-
memory/4136-136-0x0000000004AD0000-0x00000000053BB000-memory.dmpFilesize
8.9MB
-
memory/4136-135-0x0000000000400000-0x000000000294C000-memory.dmpFilesize
37.3MB
-
memory/4156-361-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4156-363-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4296-261-0x0000000005500000-0x0000000005510000-memory.dmpFilesize
64KB
-
memory/4296-248-0x0000000005500000-0x0000000005510000-memory.dmpFilesize
64KB
-
memory/4296-249-0x0000000005500000-0x0000000005510000-memory.dmpFilesize
64KB
-
memory/4296-250-0x0000000070B80000-0x0000000070BCC000-memory.dmpFilesize
304KB
-
memory/4296-251-0x0000000071300000-0x0000000071654000-memory.dmpFilesize
3.3MB
-
memory/4296-262-0x000000007F020000-0x000000007F030000-memory.dmpFilesize
64KB
-
memory/4388-310-0x0000000071230000-0x0000000071584000-memory.dmpFilesize
3.3MB
-
memory/4388-308-0x0000000002910000-0x0000000002920000-memory.dmpFilesize
64KB
-
memory/4388-307-0x0000000002910000-0x0000000002920000-memory.dmpFilesize
64KB
-
memory/4388-309-0x0000000070AA0000-0x0000000070AEC000-memory.dmpFilesize
304KB
-
memory/4388-320-0x0000000002910000-0x0000000002920000-memory.dmpFilesize
64KB
-
memory/4632-374-0x0000000000400000-0x000000000294C000-memory.dmpFilesize
37.3MB
-
memory/4632-377-0x0000000000400000-0x000000000294C000-memory.dmpFilesize
37.3MB
-
memory/4632-321-0x0000000000400000-0x000000000294C000-memory.dmpFilesize
37.3MB
-
memory/4632-386-0x0000000000400000-0x000000000294C000-memory.dmpFilesize
37.3MB
-
memory/4632-355-0x0000000000400000-0x000000000294C000-memory.dmpFilesize
37.3MB
-
memory/4632-383-0x0000000000400000-0x000000000294C000-memory.dmpFilesize
37.3MB
-
memory/4632-365-0x0000000000400000-0x000000000294C000-memory.dmpFilesize
37.3MB
-
memory/4632-368-0x0000000000400000-0x000000000294C000-memory.dmpFilesize
37.3MB
-
memory/4632-371-0x0000000000400000-0x000000000294C000-memory.dmpFilesize
37.3MB
-
memory/4632-380-0x0000000000400000-0x000000000294C000-memory.dmpFilesize
37.3MB
-
memory/4932-193-0x0000000004C60000-0x0000000004C70000-memory.dmpFilesize
64KB
-
memory/4932-195-0x0000000070B80000-0x0000000070BCC000-memory.dmpFilesize
304KB
-
memory/4932-194-0x0000000004C60000-0x0000000004C70000-memory.dmpFilesize
64KB
-
memory/4932-196-0x000000007F530000-0x000000007F540000-memory.dmpFilesize
64KB
-
memory/4932-197-0x0000000071300000-0x0000000071654000-memory.dmpFilesize
3.3MB
-
memory/4932-192-0x0000000004C60000-0x0000000004C70000-memory.dmpFilesize
64KB