Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    09/05/2024, 19:32

General

  • Target

    3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe

  • Size

    4.1MB

  • MD5

    6f4d183e5d1aab790f02bc0295e3d43e

  • SHA1

    1326ffb83de86687ef30cd8db10c5598be84bee2

  • SHA256

    3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5

  • SHA512

    ac935aa0489b23892a7653547888428c583ed116223c3c2cb207a8e30f5f3f0fc671fd58cc8addc5056ccfe41ab7afcd12f1f5def809f3025c4b9c36913e5f20

  • SSDEEP

    98304:dwBco1salv4p8AdbboIKOJLJ1nO5Zld79mTpg:dwqoWyv4yANjKQa7oi

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 19 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe
    "C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3744
    • C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe
      "C:\Users\Admin\AppData\Local\Temp\3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4436
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1016
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1444
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1952
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4000
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1392
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3412
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3772
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:4944
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5020
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4016
        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4852
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4528
        • C:\Windows\windefender.exe
          "C:\Windows\windefender.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3444
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3236
            • C:\Windows\SysWOW64\sc.exe
              sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              6⤵
              • Launches sc.exe
              • Suspicious use of AdjustPrivilegeToken
              PID:4636
  • C:\Windows\windefender.exe
    C:\Windows\windefender.exe
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:2604

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ojn4niex.guc.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

            Filesize

            281KB

            MD5

            d98e33b66343e7c96158444127a117f6

            SHA1

            bb716c5509a2bf345c6c1152f6e3e1452d39d50d

            SHA256

            5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

            SHA512

            705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

            Filesize

            2KB

            MD5

            d0c46cad6c0778401e21910bd6b56b70

            SHA1

            7be418951ea96326aca445b8dfe449b2bfa0dca6

            SHA256

            9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

            SHA512

            057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            19KB

            MD5

            1c471c8f4a8dc28216b61243e4119c74

            SHA1

            ed4bd0f95ddcf40571158a7d9806ca2f7ab47628

            SHA256

            44980ec5a2628b6125d0dfd00a89cc79fa30a5fd6261ef9b4c47467d3de076f8

            SHA512

            868ed93cfac8580f16e7cad192686b4890657f56e7157ca2d2835b66844c888f8af1fc657af448e6289db957e96a8f17d27e632ea7d30231b2927c2e98be11fa

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            19KB

            MD5

            3483e1f6e0e30f7cce88b408ae8019ce

            SHA1

            40cb33a0515192f9feaccb94ad2aa08a6ad9e2e6

            SHA256

            0fe01978959d84b09381ccac4d166dd37517818e4895efab4f2e2ee1bc1238fc

            SHA512

            d1b8a14b5f68e89cc0b4465d9f772e9ede3100063bae651294fafdca866037c0f98e3d682b82a55f2959b66d15e161d7d627675fada3b93483aca0a5cefd494f

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            19KB

            MD5

            75201c4362dc6ed5321e99f8aff0f520

            SHA1

            413cf94e2b2fcf66afb2650b8668cb26100af316

            SHA256

            59f44f93745da037108f7dbd224345a1cc9aa4a0a464d30137dd7cb9c8f95831

            SHA512

            8ef1db9c93ea70bf07abc57a535636f57d9b0c53d5b6c65f2c98d7e9fb2cc1ecfa051f25fa1d5dd26be114a1a863f3cf97bd2532fcd35fabfca3e73c95a34362

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            19KB

            MD5

            0084f004e29ff57c3d7e2e0993c9c408

            SHA1

            5c86e4c7231f9a972d72b547882a63092dd21ea5

            SHA256

            f6da7f04bf628de968e9a33f53c699115dba181fd834e303eb666297cc49e5a9

            SHA512

            c55f694fe84ffdec003fdaefefdf8b073afca913f420c200c3b036c6ad6711166bf2f8d8b378526fd53eaf81e2f3d8fb7cfd80a31269971a970fb3bd85e5f8b1

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

            Filesize

            19KB

            MD5

            d835b8fe58b372c711238e85a25a65d6

            SHA1

            8e9c038e12c68571c30f0c804cbae22d99e67cfd

            SHA256

            6c68f4da8d7fabcd4f8044c2e14fcd72b3223d8dcfe40e7dcf84368069b95adf

            SHA512

            e2f39cc566e1ba6b5b3d3a41bea691bc7e40f3500d27f14397600b64bd02a88ee803fbb88418bfc0149a759686d80c66afb9ea542e6df1cb61f9d20bf61cc496

          • C:\Windows\rss\csrss.exe

            Filesize

            4.1MB

            MD5

            6f4d183e5d1aab790f02bc0295e3d43e

            SHA1

            1326ffb83de86687ef30cd8db10c5598be84bee2

            SHA256

            3390720191c192801273ec66cf14aa11dbb6f888d3d2387b7b65406fb18064f5

            SHA512

            ac935aa0489b23892a7653547888428c583ed116223c3c2cb207a8e30f5f3f0fc671fd58cc8addc5056ccfe41ab7afcd12f1f5def809f3025c4b9c36913e5f20

          • C:\Windows\windefender.exe

            Filesize

            2.0MB

            MD5

            8e67f58837092385dcf01e8a2b4f5783

            SHA1

            012c49cfd8c5d06795a6f67ea2baf2a082cf8625

            SHA256

            166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

            SHA512

            40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
