Analysis

  • max time kernel
    10s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/04/2024, 19:23

General

  • Target

    f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe

  • Size

    4.2MB

  • MD5

    0796ac200d1f3642b598d14cf31606a1

  • SHA1

    149e9647d003952a2b1a001c1510167158022cea

  • SHA256

    f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6

  • SHA512

    bb49e5f61975654800fa822e018275266c28c9fbec3dd6a2c93484a815d8e72d0df4d6dd66d3eb6d9e4c228272ab6d22896cc92c31d19857e06f3b8a741c69a5

  • SSDEEP

    98304:btwUIgr6Tu/hivXD0fl0IvZVjhgp1+mYFjvUcmYnimsjZaHeK:Jw6rquKXDtU1Y2GYniVjUH3

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 21 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe
    "C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3548
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 2440
        3⤵
        • Program crash
        PID:4664
    • C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe
      "C:\Users\Admin\AppData\Local\Temp\f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6.exe"
      2⤵
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4324
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4332
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5060
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3136
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4636
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
          PID:3320
        • C:\Windows\rss\csrss.exe
          C:\Windows\rss\csrss.exe
          3⤵
            PID:792
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              4⤵
                PID:2956
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                4⤵
                • Creates scheduled task(s)
                PID:1016
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /delete /tn ScheduledUpdate /f
                4⤵
                  PID:1400
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  4⤵
                    PID:3416
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    4⤵
                      PID:4976
                    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                      4⤵
                        PID:5088
                      • C:\Windows\SYSTEM32\schtasks.exe
                        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                        4⤵
                        • Creates scheduled task(s)
                        PID:2456
                      • C:\Windows\windefender.exe
                        "C:\Windows\windefender.exe"
                        4⤵
                          PID:2072
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                            5⤵
                              PID:2016
                              • C:\Windows\SysWOW64\sc.exe
                                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                6⤵
                                • Launches sc.exe
                                PID:4352
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3548 -ip 3548
                      1⤵
                        PID:4224
                      • C:\Windows\windefender.exe
                        C:\Windows\windefender.exe
                        1⤵
                          PID:2440

                        Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dn0t3h2p.x1h.ps1

                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

                                Filesize

                                281KB

                                MD5

                                d98e33b66343e7c96158444127a117f6

                                SHA1

                                bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                                SHA256

                                5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                                SHA512

                                705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

                                Filesize

                                2KB

                                MD5

                                ac4917a885cf6050b1a483e4bc4d2ea5

                                SHA1

                                b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

                                SHA256

                                e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

                                SHA512

                                092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                Filesize

                                19KB

                                MD5

                                227009207df95f563b12d6e087c29a1f

                                SHA1

                                0cbd7d6769cf669b9f896966834b8812ceea302f

                                SHA256

                                aceb1c10d64aa64ac94e68c836687f8ca5199c04ed85a997c0ac1bbf59a2924e

                                SHA512

                                c12c1b6ec85784b2d823f5b4a2f12a922a9cf8195038e853b8335220a3f6c609028008e59325442c6dd7a7946a3503a40c5524d6a81a8dc415376346f6cbb2c8

                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                Filesize

                                19KB

                                MD5

                                ac068a1ffcd9149ce887695a1f451d5a

                                SHA1

                                97a8514e279c688a20032d493b2d15482287289c

                                SHA256

                                53222baec25fd586f59d1086298102f3175d7b9fca15e7e96cb72186ddd87caf

                                SHA512

                                62915b79b1afb3cc1adf3be73a993d86bafcd958932486e6f991cbccca3e31b5869b8d1c51b659a370d43007ec544fb62acf6858cd7ca568c60a7574e9588c9a

                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                Filesize

                                19KB

                                MD5

                                7e18c7528e98a2950b0a44e47033c4ad

                                SHA1

                                9491b0812d116c7534b72d05a894b852965a750f

                                SHA256

                                a6b16796fc2f46d22bea6833031a88a9eb1b2437029fa2ddc1f3c0cb67b1f1a0

                                SHA512

                                7e682877aec2d1997dbd0976f760462edfc6d83ac3784fd28012def0978c03c56bb60551a6a4a1df4d9959ad8aac46bda3ef011fc76a6158c127c232dc682055

                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                Filesize

                                19KB

                                MD5

                                bcbd091bec5ac7be696f93bd988f1ed4

                                SHA1

                                c9345bb8851835ce6e5532751dee8384335eded0

                                SHA256

                                d85e0449bd5309a9eaa10b6aff2b5e5c482a9a240c235955907c5544bb0d9ce7

                                SHA512

                                9377b090522dfcc37e766504269d30ae71503f42540400e311c6179d12666830d20d9759e84588f4941060893dec3d04a52ae10c3b50cd2bfc60b299f99e6939

                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                Filesize

                                19KB

                                MD5

                                fb359dfcf37031f3bb927aaa7edf3ec1

                                SHA1

                                bd7ab54fe9f904052a7bfc2a342712b39ff0d6fe

                                SHA256

                                db729b25ddf0278ba65770c5dcf6cd0f28f532bdbd1943fe0766445ec08ea796

                                SHA512

                                a6f76d3e56ace2d60dce355fbf606c83668b6eb2a6116e9826524c2b21947580f15c7385bf70330bfd8b86da83fe08929d06b8cd8c09e81bbbbb69632c45fdc8

                              • C:\Windows\rss\csrss.exe

                                Filesize

                                4.2MB

                                MD5

                                0796ac200d1f3642b598d14cf31606a1

                                SHA1

                                149e9647d003952a2b1a001c1510167158022cea

                                SHA256

                                f18cedf4b99abbcc778c1b6925a46c64bf7383782c9a48dbcca4e7949f8381f6

                                SHA512

                                bb49e5f61975654800fa822e018275266c28c9fbec3dd6a2c93484a815d8e72d0df4d6dd66d3eb6d9e4c228272ab6d22896cc92c31d19857e06f3b8a741c69a5

                              • C:\Windows\windefender.exe

                                Filesize

                                2.0MB

                                MD5

                                8e67f58837092385dcf01e8a2b4f5783

                                SHA1

                                012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                                SHA256

                                166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                                SHA512

                                40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                              • memory/792-141-0x0000000004200000-0x0000000004600000-memory.dmp

                                Filesize

                                4.0MB

                              • memory/792-260-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/792-255-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/792-251-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/792-291-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/792-247-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/792-287-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/792-283-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/792-236-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/792-264-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/792-268-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/792-272-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/792-275-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/792-142-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/792-279-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/2072-244-0x0000000000400000-0x00000000008DF000-memory.dmp

                                Filesize

                                4.9MB

                              • memory/2440-258-0x0000000000400000-0x00000000008DF000-memory.dmp

                                Filesize

                                4.9MB

                              • memory/2440-250-0x0000000000400000-0x00000000008DF000-memory.dmp

                                Filesize

                                4.9MB

                              • memory/3320-135-0x0000000074250000-0x0000000074A01000-memory.dmp

                                Filesize

                                7.7MB

                              • memory/3320-133-0x0000000005350000-0x0000000005360000-memory.dmp

                                Filesize

                                64KB

                              • memory/3320-132-0x000000007F9D0000-0x000000007F9E0000-memory.dmp

                                Filesize

                                64KB

                              • memory/3320-121-0x00000000704C0000-0x000000007050C000-memory.dmp

                                Filesize

                                304KB

                              • memory/3320-122-0x0000000070640000-0x0000000070997000-memory.dmp

                                Filesize

                                3.3MB

                              • memory/3320-110-0x0000000074250000-0x0000000074A01000-memory.dmp

                                Filesize

                                7.7MB

                              • memory/3548-38-0x0000000007FB0000-0x000000000862A000-memory.dmp

                                Filesize

                                6.5MB

                              • memory/3548-21-0x00000000063E0000-0x00000000063FE000-memory.dmp

                                Filesize

                                120KB

                              • memory/3548-41-0x0000000074250000-0x0000000074A01000-memory.dmp

                                Filesize

                                7.7MB

                              • memory/3548-40-0x00000000079B0000-0x00000000079BA000-memory.dmp

                                Filesize

                                40KB

                              • memory/3548-4-0x0000000002F10000-0x0000000002F46000-memory.dmp

                                Filesize

                                216KB

                              • memory/3548-5-0x0000000074250000-0x0000000074A01000-memory.dmp

                                Filesize

                                7.7MB

                              • memory/3548-6-0x0000000002F00000-0x0000000002F10000-memory.dmp

                                Filesize

                                64KB

                              • memory/3548-7-0x0000000002F00000-0x0000000002F10000-memory.dmp

                                Filesize

                                64KB

                              • memory/3548-8-0x00000000057F0000-0x0000000005E1A000-memory.dmp

                                Filesize

                                6.2MB

                              • memory/3548-9-0x0000000005530000-0x0000000005552000-memory.dmp

                                Filesize

                                136KB

                              • memory/3548-10-0x0000000005E20000-0x0000000005E86000-memory.dmp

                                Filesize

                                408KB

                              • memory/3548-13-0x0000000005E90000-0x0000000005EF6000-memory.dmp

                                Filesize

                                408KB

                              • memory/3548-20-0x0000000005F00000-0x0000000006257000-memory.dmp

                                Filesize

                                3.3MB

                              • memory/3548-39-0x0000000007970000-0x000000000798A000-memory.dmp

                                Filesize

                                104KB

                              • memory/3548-22-0x0000000006410000-0x000000000645C000-memory.dmp

                                Filesize

                                304KB

                              • memory/3548-23-0x00000000067D0000-0x0000000006816000-memory.dmp

                                Filesize

                                280KB

                              • memory/3548-24-0x000000007FD60000-0x000000007FD70000-memory.dmp

                                Filesize

                                64KB

                              • memory/3548-25-0x00000000077C0000-0x00000000077F4000-memory.dmp

                                Filesize

                                208KB

                              • memory/3548-26-0x00000000704C0000-0x000000007050C000-memory.dmp

                                Filesize

                                304KB

                              • memory/3548-36-0x0000000007820000-0x000000000783E000-memory.dmp

                                Filesize

                                120KB

                              • memory/3548-37-0x0000000007840000-0x00000000078E4000-memory.dmp

                                Filesize

                                656KB

                              • memory/3548-27-0x0000000070640000-0x0000000070997000-memory.dmp

                                Filesize

                                3.3MB

                              • memory/4216-90-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/4216-1-0x0000000003E00000-0x0000000004200000-memory.dmp

                                Filesize

                                4.0MB

                              • memory/4216-48-0x0000000003E00000-0x0000000004200000-memory.dmp

                                Filesize

                                4.0MB

                              • memory/4216-3-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/4216-2-0x0000000004200000-0x0000000004AEB000-memory.dmp

                                Filesize

                                8.9MB

                              • memory/4324-131-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/4324-111-0x0000000003C60000-0x0000000004066000-memory.dmp

                                Filesize

                                4.0MB

                              • memory/4324-45-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/4324-44-0x0000000004070000-0x000000000495B000-memory.dmp

                                Filesize

                                8.9MB

                              • memory/4324-43-0x0000000003C60000-0x0000000004066000-memory.dmp

                                Filesize

                                4.0MB

                              • memory/4324-169-0x0000000000400000-0x0000000001E08000-memory.dmp

                                Filesize

                                26.0MB

                              • memory/4332-76-0x0000000007750000-0x000000000776A000-memory.dmp

                                Filesize

                                104KB

                              • memory/4332-69-0x00000000073A0000-0x0000000007444000-memory.dmp

                                Filesize

                                656KB

                              • memory/4332-58-0x0000000005D20000-0x0000000006077000-memory.dmp

                                Filesize

                                3.3MB

                              • memory/4332-47-0x0000000004E40000-0x0000000004E50000-memory.dmp

                                Filesize

                                64KB

                              • memory/4332-71-0x0000000004E40000-0x0000000004E50000-memory.dmp

                                Filesize

                                64KB

                              • memory/4332-70-0x0000000004E40000-0x0000000004E50000-memory.dmp

                                Filesize

                                64KB

                              • memory/4332-46-0x0000000004E40000-0x0000000004E50000-memory.dmp

                                Filesize

                                64KB

                              • memory/4332-60-0x0000000070E00000-0x0000000071157000-memory.dmp

                                Filesize

                                3.3MB

                              • memory/4332-72-0x00000000077A0000-0x0000000007836000-memory.dmp

                                Filesize

                                600KB

                              • memory/4332-73-0x00000000076C0000-0x00000000076D1000-memory.dmp

                                Filesize

                                68KB

                              • memory/4332-74-0x0000000007700000-0x000000000770E000-memory.dmp

                                Filesize

                                56KB

                              • memory/4332-75-0x0000000007710000-0x0000000007725000-memory.dmp

                                Filesize

                                84KB

                              • memory/4332-57-0x0000000074250000-0x0000000074A01000-memory.dmp

                                Filesize

                                7.7MB

                              • memory/4332-59-0x00000000704C0000-0x000000007050C000-memory.dmp

                                Filesize

                                304KB

                              • memory/4332-80-0x0000000074250000-0x0000000074A01000-memory.dmp

                                Filesize

                                7.7MB

                              • memory/4332-77-0x0000000007770000-0x0000000007778000-memory.dmp

                                Filesize

                                32KB

                              • memory/4636-107-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

                                Filesize

                                64KB

                              • memory/4636-92-0x0000000074250000-0x0000000074A01000-memory.dmp

                                Filesize

                                7.7MB

                              • memory/4636-94-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

                                Filesize

                                64KB

                              • memory/4636-93-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

                                Filesize

                                64KB

                              • memory/4636-96-0x0000000070640000-0x0000000070997000-memory.dmp

                                Filesize

                                3.3MB

                              • memory/4636-95-0x00000000704C0000-0x000000007050C000-memory.dmp

                                Filesize

                                304KB

                              • memory/4636-106-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

                                Filesize

                                64KB

                              • memory/4636-109-0x0000000074250000-0x0000000074A01000-memory.dmp

                                Filesize

                                7.7MB