Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    30-05-2023 05:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd8d8e47c6354cf9df12b2ba1646d26c2b0f6e437d97f151cd3db3ae351ead6b.exe

  • Size

    4.2MB

  • MD5

    7755321df289ea0207234442e98d353d

  • SHA1

    f42524b38acde2ca22babfb847ded17745d08252

  • SHA256

    bd8d8e47c6354cf9df12b2ba1646d26c2b0f6e437d97f151cd3db3ae351ead6b

  • SHA512

    cbaa1230478fde2ea735b33d482800efcdf4262e15e51a7002f1200500aed229c5a2cccf9bc9d04c0961591872555df6ceaff763031f4618b3711c350ff4e560

  • SSDEEP

    98304:OEetIp/wDrYhBLw7jCPSQSbSuKLRXxaJCNcYPEKwlzgxt5Y/LrznN5YThq:Us/cr2AKZuTKNxaKcYpLxEzP

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojan

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 16 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd8d8e47c6354cf9df12b2ba1646d26c2b0f6e437d97f151cd3db3ae351ead6b.exe
    "C:\Users\Admin\AppData\Local\Temp\bd8d8e47c6354cf9df12b2ba1646d26c2b0f6e437d97f151cd3db3ae351ead6b.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:656
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2860
    • C:\Users\Admin\AppData\Local\Temp\bd8d8e47c6354cf9df12b2ba1646d26c2b0f6e437d97f151cd3db3ae351ead6b.exe
      "C:\Users\Admin\AppData\Local\Temp\bd8d8e47c6354cf9df12b2ba1646d26c2b0f6e437d97f151cd3db3ae351ead6b.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3120
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4316
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1240
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:756
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2112
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3964
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1744
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2120
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2216
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:2932
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2220
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3432
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4756
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4712

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tfunjzcq.of4.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      db01a2c1c7e70b2b038edf8ad5ad9826

      SHA1

      540217c647a73bad8d8a79e3a0f3998b5abd199b

      SHA256

      413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

      SHA512

      c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      a6bc15b4d7c244d304938f0baf98c3fd

      SHA1

      68e2f72f84685a80213861ea5c1320db3974d930

      SHA256

      0636a234a8815f8da82024e6cc9497e381919dd41c45fc9997362d596a84291b

      SHA512

      e5f15c6417227d9e84b9f0138d65ecb4382a59c437cee102efc837f92a2d2cd2c44c6722b8b13c93fc8680e9f336d7e931ab20de1a92c1c70e9b54919683a413

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      7ce42523dd10993532889599873f9506

      SHA1

      154b927388eb356611994ff825bcf302d36f48f3

      SHA256

      978700b87f4f86f5bbe8bbe520b3125162b25535bb5c794a878af2cfd643a697

      SHA512

      037991460cf78f4ccfaa353905c528fa05dd9006ea4c7bae30bc8943efef0de959199182ceebabf4591aca035c21990e9d16bddaba654465d8b319ed517ace16

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      b21da62d38f811a0f41bbb2fa2027253

      SHA1

      4d31e383d9bd55ff53236e6449e4b2317fe342d7

      SHA256

      210edc9c44b810a96290f6de1fa62559b681b34391c4c5bee8ce4e97c3ad524b

      SHA512

      2d9e1459f0f688ec29070ef9ff4fffa0c7d9ab038b70b2ac894da06268d07ea2212cfb8a6e18728d91ee10eaf9e6d6ef4fc32060a0d017cae7fcb8ba58d82fc2

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      f11ee1aaba66bfa812bb78e7effa25c8

      SHA1

      85dc003485c180697bad5b8c03418b5752471472

      SHA256

      d8d258efc4765aa3acdec30660eab44849f26ceb62f24dae0f9af3cc27acb645

      SHA512

      789f6258f5471da3e4f91710f7ea03286cf73ce3df57d445bfbb0906ef9fe0749db1b582724a2832ab0941bb5de00cb60a9e19f61cace8d2092f5cc6bc7a1cc7

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      e5779d9665fc38cedcbbe813cf8cd603

      SHA1

      7d319a8c149f70bc2f45fa96e868e0203e16f850

      SHA256

      e8c3084debc57eb809f71275bc3aa082b86af8cb4c57f37ed26439335997c464

      SHA512

      c168e9477e96995588a15a2fa8960ffe3ab6c9e12c9a03ae7e62290914b74951dfbbf16ad527c09e8bc81615fc212d647016b65d6809c50de9fa171e385666cf

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      7755321df289ea0207234442e98d353d

      SHA1

      f42524b38acde2ca22babfb847ded17745d08252

      SHA256

      bd8d8e47c6354cf9df12b2ba1646d26c2b0f6e437d97f151cd3db3ae351ead6b

      SHA512

      cbaa1230478fde2ea735b33d482800efcdf4262e15e51a7002f1200500aed229c5a2cccf9bc9d04c0961591872555df6ceaff763031f4618b3711c350ff4e560

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      7755321df289ea0207234442e98d353d

      SHA1

      f42524b38acde2ca22babfb847ded17745d08252

      SHA256

      bd8d8e47c6354cf9df12b2ba1646d26c2b0f6e437d97f151cd3db3ae351ead6b

      SHA512

      cbaa1230478fde2ea735b33d482800efcdf4262e15e51a7002f1200500aed229c5a2cccf9bc9d04c0961591872555df6ceaff763031f4618b3711c350ff4e560

      Download Submit

    • memory/656-118-0x0000000003040000-0x000000000392B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/656-415-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/656-204-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1744-1890-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1744-1400-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1744-1699-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1744-1888-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1744-1889-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1744-1891-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1744-1892-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1744-1893-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1744-1894-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1744-1895-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2112-720-0x0000000004C40000-0x0000000004C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2112-665-0x0000000007970000-0x0000000007CC0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2112-718-0x000000007FA10000-0x000000007FA20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2112-668-0x0000000004C40000-0x0000000004C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2112-667-0x0000000004C40000-0x0000000004C50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2120-1168-0x0000000005110000-0x0000000005120000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2120-1171-0x0000000005110000-0x0000000005120000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2120-1182-0x0000000009BE0000-0x0000000009C85000-memory.dmp

      Filesize

      660KB

      Download

    • memory/2120-1157-0x0000000008A90000-0x0000000008ADB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2120-1155-0x0000000008110000-0x0000000008460000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2120-1187-0x000000007E420000-0x000000007E430000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2120-1188-0x0000000005110000-0x0000000005120000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2220-1474-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2220-1427-0x00000000092F0000-0x0000000009395000-memory.dmp

      Filesize

      660KB

      Download

    • memory/2220-1403-0x0000000007950000-0x000000000799B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2220-1401-0x0000000006BA0000-0x0000000006BB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2220-1399-0x0000000007AD0000-0x0000000007E20000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2220-1426-0x000000007ECF0000-0x000000007ED00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2860-404-0x0000000004E80000-0x0000000004E90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2860-121-0x0000000004DB0000-0x0000000004DE6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2860-130-0x0000000008AF0000-0x0000000008B3B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2860-141-0x00000000095E0000-0x0000000009656000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2860-150-0x0000000009750000-0x000000000978C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2860-202-0x000000007E870000-0x000000007E880000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2860-129-0x00000000085C0000-0x00000000085DC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2860-194-0x000000000A750000-0x000000000A7E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/2860-395-0x0000000007490000-0x0000000007498000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2860-193-0x000000000A580000-0x000000000A625000-memory.dmp

      Filesize

      660KB

      Download

    • memory/2860-122-0x0000000004E80000-0x0000000004E90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2860-207-0x0000000004E80000-0x0000000004E90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2860-128-0x0000000008180000-0x00000000084D0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2860-413-0x0000000004E80000-0x0000000004E90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2860-123-0x0000000007A60000-0x0000000008088000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2860-126-0x0000000008100000-0x0000000008166000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2860-390-0x00000000074A0000-0x00000000074BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2860-188-0x000000000A520000-0x000000000A53E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2860-127-0x0000000008090000-0x00000000080F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2860-187-0x000000000A540000-0x000000000A573000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2860-125-0x0000000004E80000-0x0000000004E90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2860-124-0x0000000007740000-0x0000000007762000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3120-936-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3120-661-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3120-1150-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3432-1701-0x0000000001140000-0x0000000001150000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3432-1643-0x0000000007680000-0x00000000079D0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3432-1646-0x0000000001140000-0x0000000001150000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3432-1645-0x0000000001140000-0x0000000001150000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3964-908-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3964-938-0x000000007ECC0000-0x000000007ECD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3964-907-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3964-940-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4316-445-0x0000000009A80000-0x0000000009B25000-memory.dmp

      Filesize

      660KB

      Download

    • memory/4316-419-0x00000000052D0000-0x00000000052E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4316-420-0x00000000081E0000-0x0000000008530000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4316-421-0x00000000085B0000-0x00000000085FB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4316-422-0x00000000052D0000-0x00000000052E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4316-516-0x00000000052D0000-0x00000000052E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4316-446-0x000000007ECF0000-0x000000007ED00000-memory.dmp

      Filesize

      64KB

      Download