Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/04/2024, 20:06

General

  • Target

    2b594acf3a66dda0d7c2004ab3e42c85129479f36bc1f9b498afe247c4cebfb8.exe

  • Size

    4.2MB

  • MD5

    c3ef1155fd5f029ec180444ad56ee9cd

  • SHA1

    dd63227bd963fe3879048e3212ff7044d98f7ba4

  • SHA256

    2b594acf3a66dda0d7c2004ab3e42c85129479f36bc1f9b498afe247c4cebfb8

  • SHA512

    b5634ebd569d86e28ccb0c3d4d6aec2d230fb840de360deeac9bc083b9ec871750e125222b189f19c93135ea59aec0e0e375d19daa844ed1b1844b8ead9478f9

  • SSDEEP

    98304:500QK3N3Jc8wpX9Ml+P+WnP01raAvqFLRTemOJzdkXGQ:7pJcNpX++PyaASVpB6kl

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 20 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b594acf3a66dda0d7c2004ab3e42c85129479f36bc1f9b498afe247c4cebfb8.exe
    "C:\Users\Admin\AppData\Local\Temp\2b594acf3a66dda0d7c2004ab3e42c85129479f36bc1f9b498afe247c4cebfb8.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4344
    • C:\Users\Admin\AppData\Local\Temp\2b594acf3a66dda0d7c2004ab3e42c85129479f36bc1f9b498afe247c4cebfb8.exe
      "C:\Users\Admin\AppData\Local\Temp\2b594acf3a66dda0d7c2004ab3e42c85129479f36bc1f9b498afe247c4cebfb8.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3388
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2060
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:580
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1740
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2116
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3452
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4216
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:572
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:2580
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3916
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4916
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2480
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:1796
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3112
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2104
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:236
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:1216

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cvpblcb2.u1y.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

            Filesize

            281KB

            MD5

            d98e33b66343e7c96158444127a117f6

            SHA1

            bb716c5509a2bf345c6c1152f6e3e1452d39d50d

            SHA256

            5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

            SHA512

            705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

            Filesize

            2KB

            MD5

            d0c46cad6c0778401e21910bd6b56b70

            SHA1

            7be418951ea96326aca445b8dfe449b2bfa0dca6

            SHA256

            9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

            SHA512

            057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            19KB

            MD5

            5dee71cef707ff34d89b6b3b5efddabf

            SHA1

            90ac6c53e4c9e4f0c6921afbd6342aa669d6a501

            SHA256

            9d5c6f3dcc017faeb146f1be372bd398c2c7cfb9e9012666960fbe8d8ba770fb

            SHA512

            ff0f22fa3b505967df11d8f55b9ef0ab26cc94b23672b4a4b0205118dae23bb63ccac2159892a63818db88ecf265bcb3284f222a194bc09ce8c6521635c59d04

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            19KB

            MD5

            52331a8d45ee09a7fd1e36d957487e1c

            SHA1

            f6f6f84d4a0d351d6ab055b292d00f9649a2faa9

            SHA256

            61fc3866975cde0712a8e8339cd8a4a6622d9ba7f1643feea2bd8a5cc7c26c1d

            SHA512

            25b2b470c3be990ad5282cebc471befe995325b20e4bab2e6e1e96fd5809f2cadb6f352c91a6294d5a744db71090dfb1ab0d401b34ce27ebe6661291a0838d27

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            19KB

            MD5

            6956c7281031e71e36772dda807d5280

            SHA1

            61bf1fe00a8c7ab0b738a556b8dab6d191c3f7bd

            SHA256

            e84e4a44f83f2102e65a76472decc310cdb16fe269927531c4c830cea4ae8090

            SHA512

            a054f9bc6dad91e9036e78742d64ddab0fb3bb4faa85b9c479950dd55c6f1c043f8056098e85a0f125d9b2a6b8240e23062706c8c0ed16b4189cba8f33c75a8f

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            19KB

            MD5

            13ae38d6f7b58a633062f3f72eb92609

            SHA1

            0dd9a7dbc82f941b837a8b67896b1648c8785bc6

            SHA256

            e3992ec492af88ef801c61c79c824645866ab3e4fc638db1886da4f444c253fe

            SHA512

            5af29979a5144b2641a7614952d45ef376165c2bb0a383ea844d0b112c817743e3d124655cfa193edc1824ead229ea8481cc1266d5ea27984a14a62c1daea222

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            19KB

            MD5

            e45b3d361ff248033fc5221a208902fc

            SHA1

            ffe700a6a791ec54471b8c267863f6f0f526fa7f

            SHA256

            71f21674861c58b06a5d3939c22e54fc1f942f3aaa3939d97b6c13e8659f4a8a

            SHA512

            6b03235386edc7bc545b690cd25278f2ae2699d020d6cb31bd8fdb7db2c80bde3e5c08cec93db6d4539a511e117d4f8b765dfc891f0456edb573a203c9cff4cb

          • C:\Windows\rss\csrss.exe

            Filesize

            4.2MB

            MD5

            c3ef1155fd5f029ec180444ad56ee9cd

            SHA1

            dd63227bd963fe3879048e3212ff7044d98f7ba4

            SHA256

            2b594acf3a66dda0d7c2004ab3e42c85129479f36bc1f9b498afe247c4cebfb8

            SHA512

            b5634ebd569d86e28ccb0c3d4d6aec2d230fb840de360deeac9bc083b9ec871750e125222b189f19c93135ea59aec0e0e375d19daa844ed1b1844b8ead9478f9

          • C:\Windows\windefender.exe

            Filesize

            2.0MB

            MD5

            8e67f58837092385dcf01e8a2b4f5783

            SHA1

            012c49cfd8c5d06795a6f67ea2baf2a082cf8625

            SHA256

            166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

            SHA512

            40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

          • memory/1216-256-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

          • memory/1216-259-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

          • memory/1788-272-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/1788-270-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/1788-255-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/1788-254-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/1788-257-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/1788-274-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/1788-245-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/1788-275-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/1788-260-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/1788-262-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/1788-264-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/1788-265-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/1788-267-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/2060-59-0x00000000054D0000-0x0000000005827000-memory.dmp

            Filesize

            3.3MB

          • memory/2060-68-0x0000000005A40000-0x0000000005A8C000-memory.dmp

            Filesize

            304KB

          • memory/2060-80-0x0000000006BF0000-0x0000000006C94000-memory.dmp

            Filesize

            656KB

          • memory/2060-71-0x0000000070620000-0x0000000070977000-memory.dmp

            Filesize

            3.3MB

          • memory/2060-69-0x000000007F860000-0x000000007F870000-memory.dmp

            Filesize

            64KB

          • memory/2060-70-0x00000000703D0000-0x000000007041C000-memory.dmp

            Filesize

            304KB

          • memory/2060-56-0x00000000740F0000-0x00000000748A1000-memory.dmp

            Filesize

            7.7MB

          • memory/2060-58-0x00000000045E0000-0x00000000045F0000-memory.dmp

            Filesize

            64KB

          • memory/2060-81-0x00000000045E0000-0x00000000045F0000-memory.dmp

            Filesize

            64KB

          • memory/2060-86-0x00000000740F0000-0x00000000748A1000-memory.dmp

            Filesize

            7.7MB

          • memory/2060-57-0x00000000045E0000-0x00000000045F0000-memory.dmp

            Filesize

            64KB

          • memory/2060-82-0x0000000006F40000-0x0000000006F51000-memory.dmp

            Filesize

            68KB

          • memory/2060-83-0x0000000006F90000-0x0000000006FA5000-memory.dmp

            Filesize

            84KB

          • memory/2116-102-0x0000000070620000-0x0000000070977000-memory.dmp

            Filesize

            3.3MB

          • memory/2116-88-0x00000000740F0000-0x00000000748A1000-memory.dmp

            Filesize

            7.7MB

          • memory/2116-113-0x00000000740F0000-0x00000000748A1000-memory.dmp

            Filesize

            7.7MB

          • memory/2116-89-0x00000000048A0000-0x00000000048B0000-memory.dmp

            Filesize

            64KB

          • memory/2116-90-0x00000000048A0000-0x00000000048B0000-memory.dmp

            Filesize

            64KB

          • memory/2116-100-0x000000007F370000-0x000000007F380000-memory.dmp

            Filesize

            64KB

          • memory/2116-101-0x00000000703D0000-0x000000007041C000-memory.dmp

            Filesize

            304KB

          • memory/3112-253-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

          • memory/3388-143-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/3388-55-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/3388-53-0x0000000003AD0000-0x0000000003ECF000-memory.dmp

            Filesize

            4.0MB

          • memory/3388-111-0x0000000003AD0000-0x0000000003ECF000-memory.dmp

            Filesize

            4.0MB

          • memory/3388-136-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/3452-127-0x0000000070620000-0x0000000070977000-memory.dmp

            Filesize

            3.3MB

          • memory/3452-139-0x00000000740F0000-0x00000000748A1000-memory.dmp

            Filesize

            7.7MB

          • memory/3452-137-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

            Filesize

            64KB

          • memory/3452-126-0x00000000703D0000-0x000000007041C000-memory.dmp

            Filesize

            304KB

          • memory/3452-114-0x00000000740F0000-0x00000000748A1000-memory.dmp

            Filesize

            7.7MB

          • memory/3452-115-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

            Filesize

            64KB

          • memory/3452-116-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

            Filesize

            64KB

          • memory/3928-3-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/3928-1-0x0000000003D20000-0x0000000004128000-memory.dmp

            Filesize

            4.0MB

          • memory/3928-2-0x0000000004130000-0x0000000004A1B000-memory.dmp

            Filesize

            8.9MB

          • memory/3928-51-0x0000000000400000-0x0000000001E06000-memory.dmp

            Filesize

            26.0MB

          • memory/3928-54-0x0000000004130000-0x0000000004A1B000-memory.dmp

            Filesize

            8.9MB

          • memory/4344-39-0x0000000007E40000-0x00000000084BA000-memory.dmp

            Filesize

            6.5MB

          • memory/4344-23-0x0000000006800000-0x0000000006846000-memory.dmp

            Filesize

            280KB

          • memory/4344-41-0x0000000007840000-0x000000000784A000-memory.dmp

            Filesize

            40KB

          • memory/4344-42-0x0000000007950000-0x00000000079E6000-memory.dmp

            Filesize

            600KB

          • memory/4344-43-0x0000000007860000-0x0000000007871000-memory.dmp

            Filesize

            68KB

          • memory/4344-44-0x00000000078B0000-0x00000000078BE000-memory.dmp

            Filesize

            56KB

          • memory/4344-45-0x00000000078C0000-0x00000000078D5000-memory.dmp

            Filesize

            84KB

          • memory/4344-46-0x0000000007910000-0x000000000792A000-memory.dmp

            Filesize

            104KB

          • memory/4344-38-0x0000000004F90000-0x0000000004FA0000-memory.dmp

            Filesize

            64KB

          • memory/4344-37-0x00000000076E0000-0x0000000007784000-memory.dmp

            Filesize

            656KB

          • memory/4344-36-0x00000000076C0000-0x00000000076DE000-memory.dmp

            Filesize

            120KB

          • memory/4344-27-0x0000000070440000-0x0000000070797000-memory.dmp

            Filesize

            3.3MB

          • memory/4344-26-0x00000000702C0000-0x000000007030C000-memory.dmp

            Filesize

            304KB

          • memory/4344-25-0x0000000007680000-0x00000000076B4000-memory.dmp

            Filesize

            208KB

          • memory/4344-24-0x000000007F120000-0x000000007F130000-memory.dmp

            Filesize

            64KB

          • memory/4344-40-0x0000000007800000-0x000000000781A000-memory.dmp

            Filesize

            104KB

          • memory/4344-22-0x0000000006290000-0x00000000062DC000-memory.dmp

            Filesize

            304KB

          • memory/4344-21-0x0000000006240000-0x000000000625E000-memory.dmp

            Filesize

            120KB

          • memory/4344-20-0x0000000005D60000-0x00000000060B7000-memory.dmp

            Filesize

            3.3MB

          • memory/4344-11-0x0000000005C70000-0x0000000005CD6000-memory.dmp

            Filesize

            408KB

          • memory/4344-10-0x0000000005540000-0x00000000055A6000-memory.dmp

            Filesize

            408KB

          • memory/4344-9-0x0000000005490000-0x00000000054B2000-memory.dmp

            Filesize

            136KB

          • memory/4344-7-0x0000000004F90000-0x0000000004FA0000-memory.dmp

            Filesize

            64KB

          • memory/4344-8-0x00000000055D0000-0x0000000005BFA000-memory.dmp

            Filesize

            6.2MB

          • memory/4344-6-0x0000000004F90000-0x0000000004FA0000-memory.dmp

            Filesize

            64KB

          • memory/4344-5-0x0000000074050000-0x0000000074801000-memory.dmp

            Filesize

            7.7MB

          • memory/4344-4-0x0000000002D90000-0x0000000002DC6000-memory.dmp

            Filesize

            216KB

          • memory/4344-47-0x0000000007930000-0x0000000007938000-memory.dmp

            Filesize

            32KB

          • memory/4344-50-0x0000000074050000-0x0000000074801000-memory.dmp

            Filesize

            7.7MB