Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/04/2024, 22:43

General

  • Target

    b10c0352ab3e69f051e9f625d1f274d32e77b16646730d81daef21b5e96d1398.exe

  • Size

    4.2MB

  • MD5

    26e6411d7a0c48c6eeb8c754597c3780

  • SHA1

    5054f7863baed1540d99353fb7574fbbaed8ebb6

  • SHA256

    b10c0352ab3e69f051e9f625d1f274d32e77b16646730d81daef21b5e96d1398

  • SHA512

    720324576e066820aead1cc2d40348701ad58e69789757c82452cbb5b898f4b037dc1d1f17ac88fb8e1c86e5f74d4ef3dd15178a9ce8d2ecd5e06f232edde157

  • SSDEEP

    98304:f/40EOOAEftLoGWLNDgTXMgGOTrFzBqlMJaGItfGk:XdVQtLoTZDg5GO9BqlcM

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 22 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b10c0352ab3e69f051e9f625d1f274d32e77b16646730d81daef21b5e96d1398.exe
    "C:\Users\Admin\AppData\Local\Temp\b10c0352ab3e69f051e9f625d1f274d32e77b16646730d81daef21b5e96d1398.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3328
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3216
    • C:\Users\Admin\AppData\Local\Temp\b10c0352ab3e69f051e9f625d1f274d32e77b16646730d81daef21b5e96d1398.exe
      "C:\Users\Admin\AppData\Local\Temp\b10c0352ab3e69f051e9f625d1f274d32e77b16646730d81daef21b5e96d1398.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4320
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:352
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3780
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1688
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4780
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:228
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:584
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:1840
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4764
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2844
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:812
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:1596
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3708
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2292
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:1320
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 888
          3⤵
          • Program crash
          PID:3660
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4320 -ip 4320
      1⤵
        PID:4092
      • C:\Windows\windefender.exe
        C:\Windows\windefender.exe
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        PID:4080

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bviaa1if.zcl.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

              Filesize

              281KB

              MD5

              d98e33b66343e7c96158444127a117f6

              SHA1

              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

              SHA256

              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

              SHA512

              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

              Filesize

              2KB

              MD5

              d0c46cad6c0778401e21910bd6b56b70

              SHA1

              7be418951ea96326aca445b8dfe449b2bfa0dca6

              SHA256

              9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

              SHA512

              057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

              Filesize

              19KB

              MD5

              5e012300b5539d2ed62130d847f93bb5

              SHA1

              e34c6e217ea29d279a57e50431f8607739ea1ef5

              SHA256

              c239be39f5959f118b134d49a21f4a5913544be174112f11ecdda87d7cd176b5

              SHA512

              a3ba132d4d361d775b2371ecea1ca380482268591c88b1d48a220f9715b8ad9b589145239819f4114f31935f8c6664bf8221a469249a01b0a424a41393d0d356

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

              Filesize

              19KB

              MD5

              d03ce5f3d21cdeb2222712b69052a350

              SHA1

              85ffcc73ced81b20571a9be26789c09f3911a213

              SHA256

              18e9709b1aa3d70bc4f38bfcf4e4c71ea203a47930c7f25533bef8db55911c75

              SHA512

              d034df2c73c5ec0475c77cf961638f2c8ca475ec50545cbd4a910589cf677285f8591885dc0d17300742584a076eef0922e571837a2e64f1b5cb6e24005e42b1

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

              Filesize

              19KB

              MD5

              6fb7369de513bafcc1c15be1212e94a5

              SHA1

              b5e4db4c64cfbec3aed0df857fda5791e507bf1d

              SHA256

              75f732468ea9c192213e8ce5c4ff33f07d2589f5a7715a0642097e57f2267b80

              SHA512

              c6f0826fcbff3a691c1b9d52c691d327277d69d09a14fd2c75ee51402470c0bce68122ec220cf8595316322c28e4713d0b0d4c6dfdbd6c4cf06009e0980d6116

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

              Filesize

              19KB

              MD5

              c1ac01793bf614755dba5423eafb4a67

              SHA1

              23d6a299bad96d8e0436960389ec9fb1d2a81c3f

              SHA256

              1318fa520c69e63253d8384821b97c944414951dd83524f6b3b6ee51be84e595

              SHA512

              62d9a4fe573c34a7cca69ba9591ca499feb36bdb67d7193c827da6c098ce4d0daf5fb8a9984aa4c852d5b37619c3097d59bb6f6695dcb1fccaf5e37eb171bb0b

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

              Filesize

              19KB

              MD5

              f577d75d5d6d17d337f8c5d923ba36e6

              SHA1

              1a2ed7ca1ab7e67f19ed35d941059a99bb873a5d

              SHA256

              2349d822e73dc5160e5300cc574dd685d2be38c4ee90c3c0001ec0e6edb5b7bb

              SHA512

              706a859c41582a4546e233913bf788407935b997bd6839f9546fa413c27b35115c390c9d27bcbed4837831d5423349a4515f473976d709295835637422853b4e

            • C:\Windows\rss\csrss.exe

              Filesize

              4.2MB

              MD5

              26e6411d7a0c48c6eeb8c754597c3780

              SHA1

              5054f7863baed1540d99353fb7574fbbaed8ebb6

              SHA256

              b10c0352ab3e69f051e9f625d1f274d32e77b16646730d81daef21b5e96d1398

              SHA512

              720324576e066820aead1cc2d40348701ad58e69789757c82452cbb5b898f4b037dc1d1f17ac88fb8e1c86e5f74d4ef3dd15178a9ce8d2ecd5e06f232edde157

            • C:\Windows\windefender.exe

              Filesize

              2.0MB

              MD5

              8e67f58837092385dcf01e8a2b4f5783

              SHA1

              012c49cfd8c5d06795a6f67ea2baf2a082cf8625

              SHA256

              166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

              SHA512

              40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

            • memory/352-86-0x0000000074490000-0x0000000074C41000-memory.dmp

              Filesize

              7.7MB

            • memory/352-59-0x00000000047E0000-0x00000000047F0000-memory.dmp

              Filesize

              64KB

            • memory/352-58-0x00000000047E0000-0x00000000047F0000-memory.dmp

              Filesize

              64KB

            • memory/352-57-0x0000000074490000-0x0000000074C41000-memory.dmp

              Filesize

              7.7MB

            • memory/352-68-0x00000000058B0000-0x0000000005C07000-memory.dmp

              Filesize

              3.3MB

            • memory/352-69-0x0000000005D10000-0x0000000005D5C000-memory.dmp

              Filesize

              304KB

            • memory/352-70-0x0000000070780000-0x00000000707CC000-memory.dmp

              Filesize

              304KB

            • memory/352-71-0x0000000070900000-0x0000000070C57000-memory.dmp

              Filesize

              3.3MB

            • memory/352-81-0x0000000006CA0000-0x0000000006D44000-memory.dmp

              Filesize

              656KB

            • memory/352-80-0x00000000047E0000-0x00000000047F0000-memory.dmp

              Filesize

              64KB

            • memory/352-82-0x0000000007200000-0x0000000007211000-memory.dmp

              Filesize

              68KB

            • memory/352-83-0x0000000007250000-0x0000000007265000-memory.dmp

              Filesize

              84KB

            • memory/2412-263-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/2412-276-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/2412-273-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/2412-272-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/2412-270-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/2412-268-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/2412-266-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/2412-258-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/2412-262-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/2412-245-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/2412-260-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/2412-254-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/2412-256-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/2572-129-0x000000007F4C0000-0x000000007F4D0000-memory.dmp

              Filesize

              64KB

            • memory/2572-117-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

              Filesize

              64KB

            • memory/2572-130-0x0000000070780000-0x00000000707CC000-memory.dmp

              Filesize

              304KB

            • memory/2572-115-0x0000000074490000-0x0000000074C41000-memory.dmp

              Filesize

              7.7MB

            • memory/2572-118-0x0000000005070000-0x00000000053C7000-memory.dmp

              Filesize

              3.3MB

            • memory/2572-116-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

              Filesize

              64KB

            • memory/3216-39-0x00000000082D0000-0x000000000894A000-memory.dmp

              Filesize

              6.5MB

            • memory/3216-7-0x0000000003320000-0x0000000003330000-memory.dmp

              Filesize

              64KB

            • memory/3216-46-0x0000000007D90000-0x0000000007DAA000-memory.dmp

              Filesize

              104KB

            • memory/3216-45-0x0000000007D40000-0x0000000007D55000-memory.dmp

              Filesize

              84KB

            • memory/3216-44-0x0000000007D30000-0x0000000007D3E000-memory.dmp

              Filesize

              56KB

            • memory/3216-43-0x0000000007CF0000-0x0000000007D01000-memory.dmp

              Filesize

              68KB

            • memory/3216-42-0x0000000007DD0000-0x0000000007E66000-memory.dmp

              Filesize

              600KB

            • memory/3216-41-0x0000000007CC0000-0x0000000007CCA000-memory.dmp

              Filesize

              40KB

            • memory/3216-40-0x0000000007C80000-0x0000000007C9A000-memory.dmp

              Filesize

              104KB

            • memory/3216-26-0x0000000070670000-0x00000000706BC000-memory.dmp

              Filesize

              304KB

            • memory/3216-36-0x0000000007B40000-0x0000000007B5E000-memory.dmp

              Filesize

              120KB

            • memory/3216-27-0x00000000707F0000-0x0000000070B47000-memory.dmp

              Filesize

              3.3MB

            • memory/3216-4-0x0000000003240000-0x0000000003276000-memory.dmp

              Filesize

              216KB

            • memory/3216-24-0x000000007F420000-0x000000007F430000-memory.dmp

              Filesize

              64KB

            • memory/3216-5-0x0000000074400000-0x0000000074BB1000-memory.dmp

              Filesize

              7.7MB

            • memory/3216-6-0x0000000003320000-0x0000000003330000-memory.dmp

              Filesize

              64KB

            • memory/3216-8-0x00000000059D0000-0x0000000005FFA000-memory.dmp

              Filesize

              6.2MB

            • memory/3216-9-0x0000000005800000-0x0000000005822000-memory.dmp

              Filesize

              136KB

            • memory/3216-10-0x0000000006000000-0x0000000006066000-memory.dmp

              Filesize

              408KB

            • memory/3216-11-0x0000000006070000-0x00000000060D6000-memory.dmp

              Filesize

              408KB

            • memory/3216-50-0x0000000074400000-0x0000000074BB1000-memory.dmp

              Filesize

              7.7MB

            • memory/3216-38-0x0000000003320000-0x0000000003330000-memory.dmp

              Filesize

              64KB

            • memory/3216-20-0x00000000061A0000-0x00000000064F7000-memory.dmp

              Filesize

              3.3MB

            • memory/3216-21-0x00000000066D0000-0x00000000066EE000-memory.dmp

              Filesize

              120KB

            • memory/3216-47-0x0000000007DB0000-0x0000000007DB8000-memory.dmp

              Filesize

              32KB

            • memory/3216-23-0x0000000006C70000-0x0000000006CB6000-memory.dmp

              Filesize

              280KB

            • memory/3216-22-0x0000000006710000-0x000000000675C000-memory.dmp

              Filesize

              304KB

            • memory/3216-37-0x0000000007B60000-0x0000000007C04000-memory.dmp

              Filesize

              656KB

            • memory/3216-25-0x0000000007B00000-0x0000000007B34000-memory.dmp

              Filesize

              208KB

            • memory/3328-1-0x0000000003D10000-0x000000000410F000-memory.dmp

              Filesize

              4.0MB

            • memory/3328-51-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/3328-3-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/3328-2-0x0000000004110000-0x00000000049FB000-memory.dmp

              Filesize

              8.9MB

            • memory/3328-54-0x0000000004110000-0x00000000049FB000-memory.dmp

              Filesize

              8.9MB

            • memory/3708-252-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

            • memory/4080-255-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

            • memory/4080-259-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

            • memory/4320-56-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/4320-148-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/4320-55-0x0000000004050000-0x000000000493B000-memory.dmp

              Filesize

              8.9MB

            • memory/4320-53-0x0000000003C50000-0x000000000404B000-memory.dmp

              Filesize

              4.0MB

            • memory/4320-100-0x0000000003C50000-0x000000000404B000-memory.dmp

              Filesize

              4.0MB

            • memory/4320-127-0x0000000000400000-0x0000000001E06000-memory.dmp

              Filesize

              26.0MB

            • memory/4780-112-0x0000000004C90000-0x0000000004CA0000-memory.dmp

              Filesize

              64KB

            • memory/4780-102-0x0000000070900000-0x0000000070C57000-memory.dmp

              Filesize

              3.3MB

            • memory/4780-103-0x000000007F440000-0x000000007F450000-memory.dmp

              Filesize

              64KB

            • memory/4780-114-0x0000000074490000-0x0000000074C41000-memory.dmp

              Filesize

              7.7MB

            • memory/4780-101-0x0000000070780000-0x00000000707CC000-memory.dmp

              Filesize

              304KB

            • memory/4780-88-0x0000000074490000-0x0000000074C41000-memory.dmp

              Filesize

              7.7MB

            • memory/4780-90-0x0000000004C90000-0x0000000004CA0000-memory.dmp

              Filesize

              64KB

            • memory/4780-89-0x0000000004C90000-0x0000000004CA0000-memory.dmp

              Filesize

              64KB