Analysis
-
max time kernel
150s -
max time network
112s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
08-06-2023 12:30
General
-
Target
b040adbb9d7116e7e6dd53c712e5aec53ec056a993ccfeab4d3b361f384c2156.exe
-
Size
4.2MB
-
MD5
6d3b66b33451277e80df2ac89d0cbada
-
SHA1
05daca25a2695069507cbd7f568e5c5a62792f7d
-
SHA256
b040adbb9d7116e7e6dd53c712e5aec53ec056a993ccfeab4d3b361f384c2156
-
SHA512
db74558059976a031672c80086fa2528a9accda3623aa86757b0318c9bb0e2c2fe216fdb7688b0e14de7d5ab4ae29019be9011bb7b95d0a4f5bbf0aaa3e8584a
-
SSDEEP
98304:N4Oukmwozu5N1sjvc6C5HzAFpDV4v2Gff887WFFSEVpe1l6UqT5uN2:0xw0u5Xsj06C5HzAFtV4vjftWfSDTd43
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 13 IoCs
-
Windows security bypass 2 TTPs 7 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 5 IoCs
-
UPX packed file 13 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 7 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b040adbb9d7116e7e6dd53c712e5aec53ec056a993ccfeab4d3b361f384c2156.exe"C:\Users\Admin\AppData\Local\Temp\b040adbb9d7116e7e6dd53c712e5aec53ec056a993ccfeab4d3b361f384c2156.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\b040adbb9d7116e7e6dd53c712e5aec53ec056a993ccfeab4d3b361f384c2156.exe"C:\Users\Admin\AppData\Local\Temp\b040adbb9d7116e7e6dd53c712e5aec53ec056a993ccfeab4d3b361f384c2156.exe"2⤵
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe4⤵
- Executes dropped EXE
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfe1wvob.mvn.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeFilesize
3.2MB
MD5f801950a962ddba14caaa44bf084b55c
SHA17cadc9076121297428442785536ba0df2d4ae996
SHA256c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA5124183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeFilesize
3.2MB
MD5f801950a962ddba14caaa44bf084b55c
SHA17cadc9076121297428442785536ba0df2d4ae996
SHA256c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA5124183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD58d087a1d64e636f8192cb83e53aa6d31
SHA1f497810e4a342ba00ba1665c5c102c173500d280
SHA256af122150bc297d18a74c2dd07a886504d37166d3628310e75ff286f90bcb7956
SHA512386c693129023b0f923f8bb51304b6a9b88bcc7f2347b76ef61f0e632d04a7e3478d501f905424b3566d5d365c4503b2d0488e71ae7dc496d1d36272db2ab521
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD500eda2baa220f008994dc23d0ad92129
SHA18ed5d53be3ca4477dedfa33b73de172c295a1584
SHA25636f18d2a3579b495556e15da8bdc9d3f2ad5fe60a96f9140cb7f0638c5b58211
SHA512e437cc217e9d4f0fdd3c2c5d1b5b4c5a001a22d0b2780625d2f320ab460766448227dbfd204ea27baa404aa8c6eba12fa33173eaae7b75596f1078a7a2772470
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD57521c25d506448e899c5c35532960294
SHA1cfd9bc24339aa8b68583437dd3639b6550b12480
SHA256583bc84a21a4b1279f8d343adbe25f1d6fc7e32f3e060c9d49f5bef3460a23a9
SHA5124953e8bdcdc67f80d39074c7db0808ac2809126b53e101833544f0b9b5e400cbcf6c4cc3f8a04b94ae88743b4a2203b1243246d5f0a195f606618be2628a0678
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD56085dc4d2cf74df536e972b7c97c01ac
SHA16792f22078bc1d0f54ba29457b968c9a3b61884d
SHA256862293d6c6fc080f15e2c415b7aa8499b27d07c00748964ba91465a42a825689
SHA5122da6196ef08c5c4bb26977886b1fe9d25835a12160f8d3e588f67fcdc8f9bf782b26590bde986165d6056a1f6160651b668abbf732eca88519251dda614fec5e
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
18KB
MD5a8a3744b396ad2aa0dcbd61df69a773c
SHA1281ed10a05f0495124d9bb42f03e33129dc298d7
SHA2564e26c626ba40b54994bd37a6a458cc7e483099450e3931e753f6fdae1a68bba6
SHA5127de4be147ecdbcf100139900a065557d4310a460df38462e2a73c4979cdbb60f416c02cbf39d326a23aeeb75d6ec6635ee3f6107215267c4bb177706bf6ccfc4
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD56d3b66b33451277e80df2ac89d0cbada
SHA105daca25a2695069507cbd7f568e5c5a62792f7d
SHA256b040adbb9d7116e7e6dd53c712e5aec53ec056a993ccfeab4d3b361f384c2156
SHA512db74558059976a031672c80086fa2528a9accda3623aa86757b0318c9bb0e2c2fe216fdb7688b0e14de7d5ab4ae29019be9011bb7b95d0a4f5bbf0aaa3e8584a
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD56d3b66b33451277e80df2ac89d0cbada
SHA105daca25a2695069507cbd7f568e5c5a62792f7d
SHA256b040adbb9d7116e7e6dd53c712e5aec53ec056a993ccfeab4d3b361f384c2156
SHA512db74558059976a031672c80086fa2528a9accda3623aa86757b0318c9bb0e2c2fe216fdb7688b0e14de7d5ab4ae29019be9011bb7b95d0a4f5bbf0aaa3e8584a
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/1052-1159-0x0000000007490000-0x00000000077E0000-memory.dmpFilesize
3.3MB
-
memory/1052-1158-0x0000000006640000-0x0000000006650000-memory.dmpFilesize
64KB
-
memory/1052-1161-0x0000000007C30000-0x0000000007C7B000-memory.dmpFilesize
300KB
-
memory/1052-1185-0x000000007F5B0000-0x000000007F5C0000-memory.dmpFilesize
64KB
-
memory/1052-1186-0x0000000006640000-0x0000000006650000-memory.dmpFilesize
64KB
-
memory/1052-1184-0x0000000008EA0000-0x0000000008F45000-memory.dmpFilesize
660KB
-
memory/1320-946-0x000000007EBC0000-0x000000007EBD0000-memory.dmpFilesize
64KB
-
memory/1320-924-0x0000000006A10000-0x0000000006A20000-memory.dmpFilesize
64KB
-
memory/1320-923-0x0000000006A10000-0x0000000006A20000-memory.dmpFilesize
64KB
-
memory/1320-947-0x0000000006A10000-0x0000000006A20000-memory.dmpFilesize
64KB
-
memory/1832-690-0x000000007E960000-0x000000007E970000-memory.dmpFilesize
64KB
-
memory/1832-761-0x00000000072A0000-0x00000000072B0000-memory.dmpFilesize
64KB
-
memory/1832-671-0x00000000072A0000-0x00000000072B0000-memory.dmpFilesize
64KB
-
memory/1832-670-0x00000000072A0000-0x00000000072B0000-memory.dmpFilesize
64KB
-
memory/1832-668-0x0000000007F10000-0x0000000008260000-memory.dmpFilesize
3.3MB
-
memory/2468-1153-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/2468-939-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/2468-664-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/2608-1905-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/2608-1903-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/2608-1401-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/2608-1914-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/2608-1901-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/2608-1742-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/2608-1892-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/2784-1902-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2784-1911-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2784-1913-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2784-1899-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3504-422-0x0000000007CA0000-0x0000000007FF0000-memory.dmpFilesize
3.3MB
-
memory/3504-423-0x0000000008110000-0x000000000815B000-memory.dmpFilesize
300KB
-
memory/3504-520-0x0000000004C60000-0x0000000004C70000-memory.dmpFilesize
64KB
-
memory/3504-449-0x00000000095F0000-0x0000000009695000-memory.dmpFilesize
660KB
-
memory/3504-444-0x000000007EBD0000-0x000000007EBE0000-memory.dmpFilesize
64KB
-
memory/3504-425-0x0000000004C60000-0x0000000004C70000-memory.dmpFilesize
64KB
-
memory/3504-424-0x0000000004C60000-0x0000000004C70000-memory.dmpFilesize
64KB
-
memory/3640-121-0x00000000051E0000-0x0000000005ACB000-memory.dmpFilesize
8.9MB
-
memory/3640-270-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/3640-418-0x0000000000400000-0x00000000030DE000-memory.dmpFilesize
44.9MB
-
memory/3784-1648-0x0000000000D70000-0x0000000000D80000-memory.dmpFilesize
64KB
-
memory/3784-1674-0x000000007ED50000-0x000000007ED60000-memory.dmpFilesize
64KB
-
memory/3784-1649-0x0000000000D70000-0x0000000000D80000-memory.dmpFilesize
64KB
-
memory/3784-1647-0x0000000007DF0000-0x0000000007E3B000-memory.dmpFilesize
300KB
-
memory/3784-1675-0x0000000000D70000-0x0000000000D80000-memory.dmpFilesize
64KB
-
memory/3876-1900-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3876-1896-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/3964-1406-0x0000000008490000-0x00000000084DB000-memory.dmpFilesize
300KB
-
memory/3964-1429-0x00000000094B0000-0x0000000009555000-memory.dmpFilesize
660KB
-
memory/3964-1451-0x000000007E210000-0x000000007E220000-memory.dmpFilesize
64KB
-
memory/3964-1453-0x0000000006C70000-0x0000000006C80000-memory.dmpFilesize
64KB
-
memory/3964-1404-0x00000000079C0000-0x0000000007D10000-memory.dmpFilesize
3.3MB
-
memory/3964-1403-0x0000000006C70000-0x0000000006C80000-memory.dmpFilesize
64KB
-
memory/3964-1402-0x0000000006C70000-0x0000000006C80000-memory.dmpFilesize
64KB
-
memory/4288-196-0x0000000009990000-0x0000000009A35000-memory.dmpFilesize
660KB
-
memory/4288-133-0x0000000007A10000-0x0000000007A5B000-memory.dmpFilesize
300KB
-
memory/4288-393-0x0000000007ED0000-0x0000000007EEA000-memory.dmpFilesize
104KB
-
memory/4288-198-0x0000000009B50000-0x0000000009BE4000-memory.dmpFilesize
592KB
-
memory/4288-197-0x000000007F980000-0x000000007F990000-memory.dmpFilesize
64KB
-
memory/4288-410-0x00000000068A0000-0x00000000068B0000-memory.dmpFilesize
64KB
-
memory/4288-191-0x0000000009930000-0x000000000994E000-memory.dmpFilesize
120KB
-
memory/4288-190-0x0000000009950000-0x0000000009983000-memory.dmpFilesize
204KB
-
memory/4288-398-0x0000000007D70000-0x0000000007D78000-memory.dmpFilesize
32KB
-
memory/4288-153-0x00000000089F0000-0x0000000008A2C000-memory.dmpFilesize
240KB
-
memory/4288-144-0x0000000008970000-0x00000000089E6000-memory.dmpFilesize
472KB
-
memory/4288-267-0x00000000068A0000-0x00000000068B0000-memory.dmpFilesize
64KB
-
memory/4288-407-0x00000000068A0000-0x00000000068B0000-memory.dmpFilesize
64KB
-
memory/4288-132-0x00000000079C0000-0x00000000079DC000-memory.dmpFilesize
112KB
-
memory/4288-131-0x0000000007600000-0x0000000007950000-memory.dmpFilesize
3.3MB
-
memory/4288-130-0x0000000006E30000-0x0000000006E96000-memory.dmpFilesize
408KB
-
memory/4288-129-0x0000000007510000-0x0000000007576000-memory.dmpFilesize
408KB
-
memory/4288-128-0x0000000006C20000-0x0000000006C42000-memory.dmpFilesize
136KB
-
memory/4288-127-0x00000000068A0000-0x00000000068B0000-memory.dmpFilesize
64KB
-
memory/4288-126-0x00000000068A0000-0x00000000068B0000-memory.dmpFilesize
64KB
-
memory/4288-124-0x0000000000D60000-0x0000000000D96000-memory.dmpFilesize
216KB
-
memory/4288-125-0x0000000006EE0000-0x0000000007508000-memory.dmpFilesize
6.2MB
-
memory/4860-1912-0x0000000000400000-0x0000000000C25000-memory.dmpFilesize
8.1MB
-
memory/4860-1915-0x0000000000400000-0x0000000000C25000-memory.dmpFilesize
8.1MB