Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
21-04-2024 13:03
General
-
Target
fd8898f4b00574becd211f73e6031d6ede884f6074bf2c33ee27cfc78ed9fed1.exe
-
Size
4.1MB
-
MD5
8b0837ac590e41607fb88e67d2554529
-
SHA1
2ef0f5321d5060f4356dbbaf4ad795d82ad0cb3f
-
SHA256
fd8898f4b00574becd211f73e6031d6ede884f6074bf2c33ee27cfc78ed9fed1
-
SHA512
fdfe06f8ad3dce2880eefd30f2176d0142e2431f697db8e062e0862f5966536b89f26064198c99d36a2bde4be791342bbc620be292962102f40852783cdf13db
-
SSDEEP
98304:oupp3WUkLaIVxVQ5Lfi8+DAGSBgUwbhlmIRT0sLJ5E:l24wrgi8oddlbq
Malware Config
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 36 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 5 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd8898f4b00574becd211f73e6031d6ede884f6074bf2c33ee27cfc78ed9fed1.exe"C:\Users\Admin\AppData\Local\Temp\fd8898f4b00574becd211f73e6031d6ede884f6074bf2c33ee27cfc78ed9fed1.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fd8898f4b00574becd211f73e6031d6ede884f6074bf2c33ee27cfc78ed9fed1.exe"C:\Users\Admin\AppData\Local\Temp\fd8898f4b00574becd211f73e6031d6ede884f6074bf2c33ee27cfc78ed9fed1.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\fd8898f4b00574becd211f73e6031d6ede884f6074bf2c33ee27cfc78ed9fed1.exe"C:\Users\Admin\AppData\Local\Temp\fd8898f4b00574becd211f73e6031d6ede884f6074bf2c33ee27cfc78ed9fed1.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fd8898f4b00574becd211f73e6031d6ede884f6074bf2c33ee27cfc78ed9fed1.exe"C:\Users\Admin\AppData\Local\Temp\fd8898f4b00574becd211f73e6031d6ede884f6074bf2c33ee27cfc78ed9fed1.exe"4⤵
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f7⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile7⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F7⤵
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ni41cnc.wwo.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5c5c94d9873cf43fa80a0de5f8d60cbb8
SHA158ac029abce3e5e6e2b171567fb4f1386039d4e1
SHA2567931cad5e35ec86e5b1d0c6a7a977835d77ddf2ecba222e14db801e183375088
SHA512ceab3e902ecec47835d18f98dc3e5d9fb503027176a53b2754787aaf541d861f183e9d120ca20a505efdeaaedf8521bd7b032fccbed336405ed8fb3676636f48
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD570d73700addeff57ad8d8cdc95d4f0f8
SHA17114f359a121f6739cbad97caecf691184dee38d
SHA256224c4b3e9aa2f06e1c3bc5ac1b9826b794885c3402c756e03b5b29d910bb5752
SHA51268da6bbea07730413f0b8c82ec3ce170e7195460347d656e7288d85f18ae66a70853dfde160a189bd8b0c5738863f3a4b5351d06c5cb655dbfc091a58b3d6aa2
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD538952a8671dc5534d8184951a2941b7d
SHA1c8f63f311ddb14783a4cb153560e3959e134c984
SHA256a51085173e2aeeff166e89401ed5e453ed9be9ca337bd278e386adddf7627695
SHA51260a5296d5420ee1f4d053d4d26d8ced45f8f17ba399c2d86ef3514042e78b086ee3798f4da0896631b51f74fddc901c464091d4ede9843b6c2cd173875583355
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5adad11ec63b7a0d42d2a40c8cbc229ac
SHA13f4b5f8142bde03f88839a488c45ca73a0b4532a
SHA256631083b2531c841f3f34f102ce27311347df50f65e8da01fcfed2fa8acf73793
SHA512586713ecc4ef981482faebdede682c00ee8991565852e21421ab09566f8f4bfb35624c56fca0d8fb13b0aa6dc2099cb2a8a2551bb1a6867ab574a1b56353968d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5a2fd25ac6e6c1298a32ae9757b196420
SHA1bc6b90219a0ff10704bcc99b044e643ce5542f58
SHA25653952bb481e41b7610e6f160af012f22029190f8990e6156382a33869cc2e72c
SHA512a61aa9e53d44665b62b2d612d7735809539c281e614ec18f9058913760023a1b5af8398f5518c27521af5a94d66161d9d078eb8a9aa59f756749ef5b40b83d24
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD58b0837ac590e41607fb88e67d2554529
SHA12ef0f5321d5060f4356dbbaf4ad795d82ad0cb3f
SHA256fd8898f4b00574becd211f73e6031d6ede884f6074bf2c33ee27cfc78ed9fed1
SHA512fdfe06f8ad3dce2880eefd30f2176d0142e2431f697db8e062e0862f5966536b89f26064198c99d36a2bde4be791342bbc620be292962102f40852783cdf13db
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/452-1-0x0000000003C20000-0x000000000401F000-memory.dmpFilesize
4.0MB
-
memory/452-2-0x0000000004020000-0x000000000490C000-memory.dmpFilesize
8.9MB
-
memory/908-284-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-301-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-295-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-307-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-305-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-303-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-188-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-189-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-190-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-297-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-286-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-285-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-299-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-283-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-191-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-219-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/908-251-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/1500-173-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/1500-114-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/1500-80-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/1500-79-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/1500-113-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/1500-78-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/1500-77-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/1500-170-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2196-300-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2196-296-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2248-294-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2680-182-0x0000000004000000-0x0000000004400000-memory.dmpFilesize
4.0MB
-
memory/2916-8-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2916-9-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2916-65-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2916-29-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2916-10-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2916-5-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2916-6-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2916-3-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2916-38-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2916-7-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2980-36-0x00000000070D0000-0x00000000070EA000-memory.dmpFilesize
104KB
-
memory/2980-34-0x0000000007020000-0x0000000007096000-memory.dmpFilesize
472KB
-
memory/2980-11-0x0000000074570000-0x0000000074D20000-memory.dmpFilesize
7.7MB
-
memory/2980-13-0x00000000046A0000-0x00000000046D6000-memory.dmpFilesize
216KB
-
memory/2980-12-0x0000000004770000-0x0000000004780000-memory.dmpFilesize
64KB
-
memory/2980-14-0x0000000004770000-0x0000000004780000-memory.dmpFilesize
64KB
-
memory/2980-15-0x0000000004DB0000-0x00000000053D8000-memory.dmpFilesize
6.2MB
-
memory/2980-16-0x0000000004CF0000-0x0000000004D12000-memory.dmpFilesize
136KB
-
memory/2980-17-0x0000000005550000-0x00000000055B6000-memory.dmpFilesize
408KB
-
memory/2980-18-0x0000000005630000-0x0000000005696000-memory.dmpFilesize
408KB
-
memory/2980-24-0x00000000056A0000-0x00000000059F4000-memory.dmpFilesize
3.3MB
-
memory/2980-30-0x0000000005D80000-0x0000000005D9E000-memory.dmpFilesize
120KB
-
memory/2980-31-0x0000000005E10000-0x0000000005E5C000-memory.dmpFilesize
304KB
-
memory/2980-32-0x0000000006260000-0x00000000062A4000-memory.dmpFilesize
272KB
-
memory/2980-33-0x0000000004770000-0x0000000004780000-memory.dmpFilesize
64KB
-
memory/2980-35-0x0000000007720000-0x0000000007D9A000-memory.dmpFilesize
6.5MB
-
memory/2980-37-0x00000000072A0000-0x00000000072D2000-memory.dmpFilesize
200KB
-
memory/2980-40-0x0000000070410000-0x000000007045C000-memory.dmpFilesize
304KB
-
memory/2980-41-0x0000000070B70000-0x0000000070EC4000-memory.dmpFilesize
3.3MB
-
memory/2980-51-0x0000000007280000-0x000000000729E000-memory.dmpFilesize
120KB
-
memory/2980-39-0x000000007F970000-0x000000007F980000-memory.dmpFilesize
64KB
-
memory/2980-52-0x00000000072E0000-0x0000000007383000-memory.dmpFilesize
652KB
-
memory/2980-53-0x00000000073C0000-0x00000000073CA000-memory.dmpFilesize
40KB
-
memory/2980-64-0x0000000074570000-0x0000000074D20000-memory.dmpFilesize
7.7MB
-
memory/2980-54-0x0000000007480000-0x0000000007516000-memory.dmpFilesize
600KB
-
memory/2980-55-0x00000000073E0000-0x00000000073F1000-memory.dmpFilesize
68KB
-
memory/2980-57-0x0000000007420000-0x000000000742E000-memory.dmpFilesize
56KB
-
memory/2980-58-0x0000000074570000-0x0000000074D20000-memory.dmpFilesize
7.7MB
-
memory/2980-61-0x0000000007460000-0x0000000007468000-memory.dmpFilesize
32KB
-
memory/2980-60-0x0000000007520000-0x000000000753A000-memory.dmpFilesize
104KB
-
memory/2980-59-0x0000000007430000-0x0000000007444000-memory.dmpFilesize
80KB
-
memory/3020-141-0x0000000074570000-0x0000000074D20000-memory.dmpFilesize
7.7MB
-
memory/3020-127-0x0000000004A40000-0x0000000004A50000-memory.dmpFilesize
64KB
-
memory/3020-128-0x0000000070470000-0x00000000704BC000-memory.dmpFilesize
304KB
-
memory/3020-116-0x0000000074570000-0x0000000074D20000-memory.dmpFilesize
7.7MB
-
memory/3020-129-0x0000000070C30000-0x0000000070F84000-memory.dmpFilesize
3.3MB
-
memory/3020-139-0x000000007F700000-0x000000007F710000-memory.dmpFilesize
64KB
-
memory/3272-155-0x0000000005150000-0x0000000005160000-memory.dmpFilesize
64KB
-
memory/3272-142-0x0000000074570000-0x0000000074D20000-memory.dmpFilesize
7.7MB
-
memory/3272-143-0x0000000005150000-0x0000000005160000-memory.dmpFilesize
64KB
-
memory/3272-149-0x0000000005F10000-0x0000000006264000-memory.dmpFilesize
3.3MB
-
memory/3272-156-0x0000000070470000-0x00000000704BC000-memory.dmpFilesize
304KB
-
memory/3272-157-0x0000000070BF0000-0x0000000070F44000-memory.dmpFilesize
3.3MB
-
memory/3272-168-0x0000000074570000-0x0000000074D20000-memory.dmpFilesize
7.7MB
-
memory/4456-93-0x0000000006250000-0x00000000065A4000-memory.dmpFilesize
3.3MB
-
memory/4456-81-0x0000000074570000-0x0000000074D20000-memory.dmpFilesize
7.7MB
-
memory/4456-83-0x0000000005500000-0x0000000005510000-memory.dmpFilesize
64KB
-
memory/4456-82-0x0000000005500000-0x0000000005510000-memory.dmpFilesize
64KB
-
memory/4456-112-0x0000000074570000-0x0000000074D20000-memory.dmpFilesize
7.7MB
-
memory/4456-109-0x0000000007DF0000-0x0000000007E04000-memory.dmpFilesize
80KB
-
memory/4456-108-0x0000000007DA0000-0x0000000007DB1000-memory.dmpFilesize
68KB
-
memory/4456-107-0x0000000007A90000-0x0000000007B33000-memory.dmpFilesize
652KB
-
memory/4456-97-0x0000000070C30000-0x0000000070F84000-memory.dmpFilesize
3.3MB
-
memory/4456-96-0x0000000070470000-0x00000000704BC000-memory.dmpFilesize
304KB
-
memory/4456-95-0x0000000005500000-0x0000000005510000-memory.dmpFilesize
64KB
-
memory/4456-94-0x0000000006A20000-0x0000000006A6C000-memory.dmpFilesize
304KB
-
memory/4712-72-0x0000000003AB0000-0x0000000003EAF000-memory.dmpFilesize
4.0MB