Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
-
submitted
19-04-2024 00:24
General
-
Target
b7c16221812fe9f30bba82098ba82e7895949c80265a9f5df15e58c64403fd12.exe
-
Size
4.2MB
-
MD5
cee9f4f344f5ec9a3baeca2b3027df98
-
SHA1
0f3043c3c24ba31ee63c4f8ef2073f005bc60c64
-
SHA256
b7c16221812fe9f30bba82098ba82e7895949c80265a9f5df15e58c64403fd12
-
SHA512
2036ccb221bc212933221517776059b21e816111196931cc84560e42062a012aa38197a81db2095615c933f64b8e7e709ab36e11f71459c9637971d0e3c0299e
-
SSDEEP
98304:ObvDuo/zvoC5HERRwr8YNEXJ0TS4JBXxT3BRfe7gLCxccCwfp3PGPzDBAeGjYAX:OnBoCproYNEXJ0O+Xpe7jrRPGnBARjfX
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 19 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7c16221812fe9f30bba82098ba82e7895949c80265a9f5df15e58c64403fd12.exe"C:\Users\Admin\AppData\Local\Temp\b7c16221812fe9f30bba82098ba82e7895949c80265a9f5df15e58c64403fd12.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 23963⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\b7c16221812fe9f30bba82098ba82e7895949c80265a9f5df15e58c64403fd12.exe"C:\Users\Admin\AppData\Local\Temp\b7c16221812fe9f30bba82098ba82e7895949c80265a9f5df15e58c64403fd12.exe"2⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 9243⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 8282⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4516 -ip 45161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1640 -ip 16401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3744 -ip 37441⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wugc5iyf.pp5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD54d8785c597e3f088b2a00e4bcd633324
SHA173c0c6f21f1cdc64da55abfbe6fe078086e3b387
SHA256ee476624a53a64872da7ed282848f19b252ddd8bc57fd505eee58d80fb999c4d
SHA512be6f881f3ac14001f1937587668da6049229969b7c18bc2ac84bad0c9579d4056448b2c2c9da674da4fe9762c6d280ee010fcd9fc17cc131df37d70ab68829c6
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5e021d1069ad41e66ce4bb95e1695debf
SHA16c1592f2f97d80237f6d596da42b95d7a83bd7be
SHA256820144463401d4f57d23e035784abb20e99f711f9c940c7246eb45dc0e9c8c1b
SHA5124fb11d1319198fe42bbe18fa782a368f31e8e2e6ad15fa05ffc898ab74e771ce7bbef91ef4edd18e83b262c90c13445c5a709dc9cc93ec411b9eb2d10c8c30d3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD54a94d0ab6572acc6d49aa253d081c219
SHA1f39af60dbfe22b1d574063340702b8ea5617d1af
SHA2563a17b5a08e8f45e1c63ed2154908f31ae96cd8fe06a4842533e8c582a0f9edab
SHA512cd103573fb06f3f72cf0abf2814b3290d938f1b5bde45bf1951993b82c433d953686f9db311bee814c61382b363cb0f1755e21a54c6adc1e22b9f56c8b70a002
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5751b92b2b4c666c77c84c0eba714807e
SHA11472e0b9ad4420dac286d7269444a105a6c0be6c
SHA256c68a66abd25ed24608e1802e4f11bfd3eaff1f933579005e0a5a3bb87ddf0e6a
SHA512044b5a2ca6a606816c0778c3fd2d5749db2e6879996e582ae871d87a06fe024f19fd557f3ec818afa04a9a578a1694e554c70bf8d26479b3dc5ce33120b8647c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD51bcb3e7eb606a236ae0dbd5d609f7132
SHA130374fe67b528dfb0902949b28c2329dade50ff8
SHA256fb5293078e16c1462af082dd908fb1bd86e93aa0d5f0adb3da2f1872f2174254
SHA512492d16c191875fc1696766659e8494acb2c6369a7f767f455f65442a1d7330f4464f981ca7d6807a8161879d48e47cb67704ffbce023196cb78317954679037f
-
C:\Windows\rss\csrss.exeFilesize
4.2MB
MD5cee9f4f344f5ec9a3baeca2b3027df98
SHA10f3043c3c24ba31ee63c4f8ef2073f005bc60c64
SHA256b7c16221812fe9f30bba82098ba82e7895949c80265a9f5df15e58c64403fd12
SHA5122036ccb221bc212933221517776059b21e816111196931cc84560e42062a012aa38197a81db2095615c933f64b8e7e709ab36e11f71459c9637971d0e3c0299e
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/1568-254-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1568-250-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1640-1-0x00000000034D0000-0x00000000038CF000-memory.dmpFilesize
4.0MB
-
memory/1640-41-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/1640-43-0x0000000005270000-0x0000000005B5B000-memory.dmpFilesize
8.9MB
-
memory/1640-3-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/1640-2-0x0000000005270000-0x0000000005B5B000-memory.dmpFilesize
8.9MB
-
memory/1644-108-0x0000000074790000-0x0000000074F41000-memory.dmpFilesize
7.7MB
-
memory/1644-106-0x0000000003210000-0x0000000003220000-memory.dmpFilesize
64KB
-
memory/1644-84-0x0000000003210000-0x0000000003220000-memory.dmpFilesize
64KB
-
memory/1644-83-0x0000000074790000-0x0000000074F41000-memory.dmpFilesize
7.7MB
-
memory/1644-96-0x0000000070C80000-0x0000000070FD7000-memory.dmpFilesize
3.3MB
-
memory/1644-94-0x0000000070A70000-0x0000000070ABC000-memory.dmpFilesize
304KB
-
memory/1644-105-0x000000007F370000-0x000000007F380000-memory.dmpFilesize
64KB
-
memory/2004-257-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2004-255-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2004-219-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2004-259-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2004-142-0x0000000003800000-0x0000000003C00000-memory.dmpFilesize
4.0MB
-
memory/2004-253-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2004-261-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2004-251-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2004-148-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2004-263-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2004-249-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/2004-240-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/3096-47-0x00000000049D0000-0x00000000049E0000-memory.dmpFilesize
64KB
-
memory/3096-61-0x0000000070C80000-0x0000000070FD7000-memory.dmpFilesize
3.3MB
-
memory/3096-72-0x00000000049D0000-0x00000000049E0000-memory.dmpFilesize
64KB
-
memory/3096-70-0x0000000006FB0000-0x0000000007054000-memory.dmpFilesize
656KB
-
memory/3096-73-0x00000000073B0000-0x0000000007446000-memory.dmpFilesize
600KB
-
memory/3096-74-0x00000000072E0000-0x00000000072F1000-memory.dmpFilesize
68KB
-
memory/3096-75-0x0000000007320000-0x000000000732E000-memory.dmpFilesize
56KB
-
memory/3096-76-0x0000000007330000-0x0000000007345000-memory.dmpFilesize
84KB
-
memory/3096-77-0x0000000007370000-0x000000000738A000-memory.dmpFilesize
104KB
-
memory/3096-78-0x0000000007390000-0x0000000007398000-memory.dmpFilesize
32KB
-
memory/3096-81-0x0000000074790000-0x0000000074F41000-memory.dmpFilesize
7.7MB
-
memory/3096-71-0x00000000049D0000-0x00000000049E0000-memory.dmpFilesize
64KB
-
memory/3096-59-0x000000007F730000-0x000000007F740000-memory.dmpFilesize
64KB
-
memory/3096-60-0x0000000070A70000-0x0000000070ABC000-memory.dmpFilesize
304KB
-
memory/3096-58-0x0000000005DF0000-0x0000000005E3C000-memory.dmpFilesize
304KB
-
memory/3096-57-0x0000000005850000-0x0000000005BA7000-memory.dmpFilesize
3.3MB
-
memory/3096-48-0x00000000049D0000-0x00000000049E0000-memory.dmpFilesize
64KB
-
memory/3096-46-0x0000000074790000-0x0000000074F41000-memory.dmpFilesize
7.7MB
-
memory/3744-95-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/3744-45-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/3744-44-0x0000000003480000-0x000000000387C000-memory.dmpFilesize
4.0MB
-
memory/3744-109-0x0000000003480000-0x000000000387C000-memory.dmpFilesize
4.0MB
-
memory/3744-140-0x0000000000400000-0x0000000003009000-memory.dmpFilesize
44.0MB
-
memory/4416-149-0x0000000005A80000-0x0000000005DD7000-memory.dmpFilesize
3.3MB
-
memory/4516-38-0x0000000007810000-0x000000000782A000-memory.dmpFilesize
104KB
-
memory/4516-19-0x0000000005D50000-0x00000000060A7000-memory.dmpFilesize
3.3MB
-
memory/4516-4-0x0000000002D10000-0x0000000002D46000-memory.dmpFilesize
216KB
-
memory/4516-5-0x00000000746F0000-0x0000000074EA1000-memory.dmpFilesize
7.7MB
-
memory/4516-6-0x00000000055D0000-0x0000000005BFA000-memory.dmpFilesize
6.2MB
-
memory/4516-7-0x0000000004F90000-0x0000000004FA0000-memory.dmpFilesize
64KB
-
memory/4516-8-0x0000000005440000-0x0000000005462000-memory.dmpFilesize
136KB
-
memory/4516-9-0x0000000005C70000-0x0000000005CD6000-memory.dmpFilesize
408KB
-
memory/4516-10-0x0000000005CE0000-0x0000000005D46000-memory.dmpFilesize
408KB
-
memory/4516-40-0x00000000746F0000-0x0000000074EA1000-memory.dmpFilesize
7.7MB
-
memory/4516-39-0x0000000007850000-0x000000000785A000-memory.dmpFilesize
40KB
-
memory/4516-37-0x0000000007E50000-0x00000000084CA000-memory.dmpFilesize
6.5MB
-
memory/4516-36-0x00000000076F0000-0x0000000007794000-memory.dmpFilesize
656KB
-
memory/4516-35-0x00000000076D0000-0x00000000076EE000-memory.dmpFilesize
120KB
-
memory/4516-26-0x0000000070AE0000-0x0000000070E37000-memory.dmpFilesize
3.3MB
-
memory/4516-24-0x000000007F930000-0x000000007F940000-memory.dmpFilesize
64KB
-
memory/4516-25-0x0000000070960000-0x00000000709AC000-memory.dmpFilesize
304KB
-
memory/4516-23-0x0000000007670000-0x00000000076A4000-memory.dmpFilesize
208KB
-
memory/4516-22-0x0000000006740000-0x0000000006786000-memory.dmpFilesize
280KB
-
memory/4516-20-0x0000000006210000-0x000000000622E000-memory.dmpFilesize
120KB
-
memory/4516-21-0x0000000006230000-0x000000000627C000-memory.dmpFilesize
304KB
-
memory/4620-247-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4780-111-0x0000000003430000-0x0000000003440000-memory.dmpFilesize
64KB
-
memory/4780-110-0x0000000074790000-0x0000000074F41000-memory.dmpFilesize
7.7MB
-
memory/4780-112-0x0000000003430000-0x0000000003440000-memory.dmpFilesize
64KB
-
memory/4780-135-0x0000000074790000-0x0000000074F41000-memory.dmpFilesize
7.7MB
-
memory/4780-133-0x0000000003430000-0x0000000003440000-memory.dmpFilesize
64KB
-
memory/4780-124-0x0000000070CC0000-0x0000000071017000-memory.dmpFilesize
3.3MB
-
memory/4780-123-0x0000000070A70000-0x0000000070ABC000-memory.dmpFilesize
304KB
-
memory/4780-113-0x0000000006380000-0x00000000066D7000-memory.dmpFilesize
3.3MB