Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09/05/2024, 17:02

General

  • Target

    b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe

  • Size

    4.1MB

  • MD5

    eb9df0160ed192efc462adb201695525

  • SHA1

    6cc4b2ddd3e2de41f1d67d032916eb6e256d8554

  • SHA256

    b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51

  • SHA512

    0b5256997333c513d230d599deef0ea0d958ad3431b806b70a95ce9af8fa43487c2fecfb95f7312d3388d9630e1ec2f4faae2f1067dd54b13bd76e80855f2460

  • SSDEEP

    98304:LlDK2ogLLeo95J5ZPcfTDKdk17ZCPQ0/B9CeuvJXiZ9xD4RskEV31Kmzb:R7B3j0rWdEQQ059Cfd4xbkE91Km/

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 16 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe
    "C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2968
    • C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe
      "C:\Users\Admin\AppData\Local\Temp\b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3776
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1988
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2948
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:2200
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:892
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:708
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:2092
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3132
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2820
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:1396
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2272
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4804
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4492
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:1388
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2260
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3700
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:3312
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Modifies data under HKEY_USERS
      PID:1468

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hmabgqgr.afc.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

            Filesize

            2KB

            MD5

            ac4917a885cf6050b1a483e4bc4d2ea5

            SHA1

            b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

            SHA256

            e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

            SHA512

            092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            19KB

            MD5

            d003b200e95173feb0c6305ba5b371e7

            SHA1

            67bb431f35ae229e29afb688c468968b291accec

            SHA256

            03940237ff9c13e768960f4fb3f7a78acb82227c5205c4318de41ed970153829

            SHA512

            1b1afea44b8ae12cb727a8d854c69e22d227383a47e50492d459660eadff138a084b0393779b2494f4d86d33bcf7b996fbb1f3cdce0730618dcdd2ad635192a7

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            19KB

            MD5

            b488b9fce32465048b7bd85c41129856

            SHA1

            acb76533ab73e06fb96eb4c38788dd3eb3e4b213

            SHA256

            d15995cc7065976819294ac13fd9e35db218e3dc17bfb970b98555123adb4e87

            SHA512

            2cedf925d65efce5d6de5b320fe7d6524efc8f1a73953431a7656a84bc7c38f7f18ed321e10e3bd1abdb84e761b7f134d27dc685fb76c6fb618b76bca152fa47

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            19KB

            MD5

            2d71238b060c35c905295d13a4529612

            SHA1

            e4a940ec3c1cfecb07825351e7e232627a293c0e

            SHA256

            0965fa473866a5c0e3a200029e3245ca62067496d884500fe8cbe839b0d8cdb6

            SHA512

            dfd4688163ba3a03ba6660d8aff92cad59d2911d43bfb97b01f733643e83803aeeb40f9275b2feaaa21615872db3baee780ef0c110c83b51d94c43d56509d64f

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            19KB

            MD5

            7a6a7ee51f295f88fe8f79fc68deebed

            SHA1

            be0cbbb3ce9beca7e8b80619750e80a57033836f

            SHA256

            3db786d474d4bdcbf8d84ac5746fddc3714b8871b866dfe4053a8c3aa30bb647

            SHA512

            71aeedffb1af23ceb4b723107e9f6bfcef747b200cfed32d66947ae8c22e5b6d64e2e3532596a855c84f79a5e5830b130ebba20979b1caee1a16448fcb10a4ad

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            19KB

            MD5

            e60e119c91e7d11cf5d2f6f214f89fe8

            SHA1

            d97882662652275b6796417e135bfff2c39b751f

            SHA256

            d2c269179d3cd7c4b4383452b6dcd4d5d6f63e04af4b7acbecde5cac28983754

            SHA512

            57204a142d0ed18d1de252f3dd58ff1cbee86c872199f76d7a2a8e387db33bd0ff7672a93d48ef204b72a34cd43f617a8ca84266d7da205a2b81323490314b47

          • C:\Windows\rss\csrss.exe

            Filesize

            4.1MB

            MD5

            eb9df0160ed192efc462adb201695525

            SHA1

            6cc4b2ddd3e2de41f1d67d032916eb6e256d8554

            SHA256

            b622bad3af0a0c83e7ec1244edd4135fec647c22e76c04d86dc4edd551eb1d51

            SHA512

            0b5256997333c513d230d599deef0ea0d958ad3431b806b70a95ce9af8fa43487c2fecfb95f7312d3388d9630e1ec2f4faae2f1067dd54b13bd76e80855f2460

          • memory/708-110-0x0000000070720000-0x000000007076C000-memory.dmp

            Filesize

            304KB

          • memory/708-111-0x0000000070970000-0x0000000070CC7000-memory.dmp

            Filesize

            3.3MB

          • memory/892-90-0x0000000070970000-0x0000000070CC7000-memory.dmp

            Filesize

            3.3MB

          • memory/892-89-0x0000000070720000-0x000000007076C000-memory.dmp

            Filesize

            304KB

          • memory/892-87-0x0000000006250000-0x00000000065A7000-memory.dmp

            Filesize

            3.3MB

          • memory/1468-235-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

          • memory/1468-215-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

          • memory/1468-203-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

          • memory/1988-75-0x0000000007590000-0x00000000075A5000-memory.dmp

            Filesize

            84KB

          • memory/1988-61-0x0000000005AE0000-0x0000000005E37000-memory.dmp

            Filesize

            3.3MB

          • memory/1988-62-0x0000000006050000-0x000000000609C000-memory.dmp

            Filesize

            304KB

          • memory/1988-63-0x0000000070720000-0x000000007076C000-memory.dmp

            Filesize

            304KB

          • memory/1988-64-0x00000000708A0000-0x0000000070BF7000-memory.dmp

            Filesize

            3.3MB

          • memory/1988-73-0x0000000007240000-0x00000000072E4000-memory.dmp

            Filesize

            656KB

          • memory/1988-74-0x0000000007540000-0x0000000007551000-memory.dmp

            Filesize

            68KB

          • memory/2092-207-0x0000000074CE0000-0x0000000074D21000-memory.dmp

            Filesize

            260KB

          • memory/2092-236-0x0000000000400000-0x0000000002ED6000-memory.dmp

            Filesize

            42.8MB

          • memory/2092-201-0x0000000074DC0000-0x0000000074DDE000-memory.dmp

            Filesize

            120KB

          • memory/2092-199-0x0000000074CE0000-0x0000000074D21000-memory.dmp

            Filesize

            260KB

          • memory/2092-198-0x0000000000400000-0x0000000002ED6000-memory.dmp

            Filesize

            42.8MB

          • memory/2092-266-0x0000000000400000-0x0000000002ED6000-memory.dmp

            Filesize

            42.8MB

          • memory/2092-256-0x0000000000400000-0x0000000002ED6000-memory.dmp

            Filesize

            42.8MB

          • memory/2092-212-0x0000000074C30000-0x0000000074C71000-memory.dmp

            Filesize

            260KB

          • memory/2092-211-0x0000000074C50000-0x0000000074C61000-memory.dmp

            Filesize

            68KB

          • memory/2092-208-0x0000000074C70000-0x0000000074CD7000-memory.dmp

            Filesize

            412KB

          • memory/2092-206-0x0000000000400000-0x0000000002ED6000-memory.dmp

            Filesize

            42.8MB

          • memory/2092-216-0x0000000000400000-0x0000000002ED6000-memory.dmp

            Filesize

            42.8MB

          • memory/2092-226-0x0000000000400000-0x0000000002ED6000-memory.dmp

            Filesize

            42.8MB

          • memory/2092-125-0x0000000000400000-0x0000000002ED6000-memory.dmp

            Filesize

            42.8MB

          • memory/2092-246-0x0000000000400000-0x0000000002ED6000-memory.dmp

            Filesize

            42.8MB

          • memory/2260-205-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

          • memory/2260-202-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

          • memory/2272-174-0x0000000005690000-0x00000000056A5000-memory.dmp

            Filesize

            84KB

          • memory/2272-173-0x0000000007190000-0x00000000071A1000-memory.dmp

            Filesize

            68KB

          • memory/2272-163-0x0000000070720000-0x0000000070A77000-memory.dmp

            Filesize

            3.3MB

          • memory/2272-172-0x0000000006FC0000-0x0000000007064000-memory.dmp

            Filesize

            656KB

          • memory/2272-162-0x00000000705A0000-0x00000000705EC000-memory.dmp

            Filesize

            304KB

          • memory/2272-161-0x0000000006280000-0x00000000062CC000-memory.dmp

            Filesize

            304KB

          • memory/2272-160-0x00000000058A0000-0x0000000005BF7000-memory.dmp

            Filesize

            3.3MB

          • memory/2512-49-0x0000000000400000-0x0000000002ED6000-memory.dmp

            Filesize

            42.8MB

          • memory/2512-52-0x0000000005030000-0x000000000591B000-memory.dmp

            Filesize

            8.9MB

          • memory/2512-50-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

          • memory/2512-2-0x0000000005030000-0x000000000591B000-memory.dmp

            Filesize

            8.9MB

          • memory/2512-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

          • memory/2512-1-0x0000000003200000-0x0000000003603000-memory.dmp

            Filesize

            4.0MB

          • memory/2968-39-0x0000000007BD0000-0x0000000007BDA000-memory.dmp

            Filesize

            40KB

          • memory/2968-38-0x0000000007B90000-0x0000000007BAA000-memory.dmp

            Filesize

            104KB

          • memory/2968-6-0x00000000743A0000-0x0000000074B51000-memory.dmp

            Filesize

            7.7MB

          • memory/2968-8-0x0000000005E80000-0x0000000005EA2000-memory.dmp

            Filesize

            136KB

          • memory/2968-9-0x0000000006020000-0x0000000006086000-memory.dmp

            Filesize

            408KB

          • memory/2968-11-0x00000000743A0000-0x0000000074B51000-memory.dmp

            Filesize

            7.7MB

          • memory/2968-10-0x0000000006090000-0x00000000060F6000-memory.dmp

            Filesize

            408KB

          • memory/2968-14-0x0000000006100000-0x0000000006457000-memory.dmp

            Filesize

            3.3MB

          • memory/2968-37-0x00000000081D0000-0x000000000884A000-memory.dmp

            Filesize

            6.5MB

          • memory/2968-40-0x0000000007C90000-0x0000000007D26000-memory.dmp

            Filesize

            600KB

          • memory/2968-21-0x00000000065D0000-0x00000000065EE000-memory.dmp

            Filesize

            120KB

          • memory/2968-41-0x0000000007C00000-0x0000000007C11000-memory.dmp

            Filesize

            68KB

          • memory/2968-42-0x0000000007C40000-0x0000000007C4E000-memory.dmp

            Filesize

            56KB

          • memory/2968-43-0x0000000007C50000-0x0000000007C65000-memory.dmp

            Filesize

            84KB

          • memory/2968-44-0x0000000007D50000-0x0000000007D6A000-memory.dmp

            Filesize

            104KB

          • memory/2968-48-0x00000000743A0000-0x0000000074B51000-memory.dmp

            Filesize

            7.7MB

          • memory/2968-45-0x0000000007D30000-0x0000000007D38000-memory.dmp

            Filesize

            32KB

          • memory/2968-7-0x0000000005820000-0x0000000005E4A000-memory.dmp

            Filesize

            6.2MB

          • memory/2968-4-0x00000000743AE000-0x00000000743AF000-memory.dmp

            Filesize

            4KB

          • memory/2968-5-0x00000000051B0000-0x00000000051E6000-memory.dmp

            Filesize

            216KB

          • memory/2968-24-0x00000000079E0000-0x0000000007A14000-memory.dmp

            Filesize

            208KB

          • memory/2968-36-0x0000000007A60000-0x0000000007B04000-memory.dmp

            Filesize

            656KB

          • memory/2968-35-0x0000000007A40000-0x0000000007A5E000-memory.dmp

            Filesize

            120KB

          • memory/2968-26-0x0000000070860000-0x0000000070BB7000-memory.dmp

            Filesize

            3.3MB

          • memory/2968-25-0x0000000070610000-0x000000007065C000-memory.dmp

            Filesize

            304KB

          • memory/2968-23-0x0000000006B40000-0x0000000006B86000-memory.dmp

            Filesize

            280KB

          • memory/2968-22-0x0000000006670000-0x00000000066BC000-memory.dmp

            Filesize

            304KB

          • memory/3132-134-0x0000000006370000-0x00000000066C7000-memory.dmp

            Filesize

            3.3MB

          • memory/3132-149-0x00000000066F0000-0x0000000006705000-memory.dmp

            Filesize

            84KB

          • memory/3132-148-0x0000000007EB0000-0x0000000007EC1000-memory.dmp

            Filesize

            68KB

          • memory/3132-147-0x0000000007B80000-0x0000000007C24000-memory.dmp

            Filesize

            656KB

          • memory/3132-138-0x00000000708D0000-0x0000000070C27000-memory.dmp

            Filesize

            3.3MB

          • memory/3132-137-0x0000000070680000-0x00000000706CC000-memory.dmp

            Filesize

            304KB

          • memory/3132-136-0x0000000006E40000-0x0000000006E8C000-memory.dmp

            Filesize

            304KB

          • memory/3776-124-0x0000000000400000-0x0000000002ED6000-memory.dmp

            Filesize

            42.8MB

          • memory/3776-99-0x0000000000400000-0x0000000002ED6000-memory.dmp

            Filesize

            42.8MB

          • memory/4804-187-0x00000000707F0000-0x0000000070B47000-memory.dmp

            Filesize

            3.3MB

          • memory/4804-186-0x00000000705A0000-0x00000000705EC000-memory.dmp

            Filesize

            304KB

          • memory/4804-184-0x00000000063C0000-0x0000000006717000-memory.dmp

            Filesize

            3.3MB