Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/05/2023, 05:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b47875c3610c14308db0bbd7028fada1f511d419255887ddcfc693334070965.exe

  • Size

    4.2MB

  • MD5

    a74f977a76a84e9abe226d37060a60ff

  • SHA1

    d0fdd076ee5b88112d0c5a9f599b4680bf391c55

  • SHA256

    8b47875c3610c14308db0bbd7028fada1f511d419255887ddcfc693334070965

  • SHA512

    26e517452636bbb3ae20187ccf52b9d628c8771b7f7a8459d53684a5b57007677708844eeccd666ea3dabf538f0cc35932d4b3ef07701eba34b08f25122c1854

  • SSDEEP

    98304:+EetIp/wDrYhBLw7jCPSQSbSuKLRXxaJCNcYPEKwlzgxt5Y/LrznN5YT4:Es/cr2AKZuTKNxaKcYpLxEz7

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkit

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 16 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b47875c3610c14308db0bbd7028fada1f511d419255887ddcfc693334070965.exe
    "C:\Users\Admin\AppData\Local\Temp\8b47875c3610c14308db0bbd7028fada1f511d419255887ddcfc693334070965.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4412
    • C:\Users\Admin\AppData\Local\Temp\8b47875c3610c14308db0bbd7028fada1f511d419255887ddcfc693334070965.exe
      "C:\Users\Admin\AppData\Local\Temp\8b47875c3610c14308db0bbd7028fada1f511d419255887ddcfc693334070965.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4752
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3148
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:2984
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2440
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3092
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3564
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1944
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3760
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:2572
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3088
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5040
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4912
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4384
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 872
        2⤵
        • Program crash
        PID:3696
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2256 -ip 2256
      1⤵
        PID:3844

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bgy343at.502.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        Filesize

        281KB

        MD5

        d98e33b66343e7c96158444127a117f6

        SHA1

        bb716c5509a2bf345c6c1152f6e3e1452d39d50d

        SHA256

        5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

        SHA512

        705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        Filesize

        281KB

        MD5

        d98e33b66343e7c96158444127a117f6

        SHA1

        bb716c5509a2bf345c6c1152f6e3e1452d39d50d

        SHA256

        5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

        SHA512

        705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        968cb9309758126772781b83adb8a28f

        SHA1

        8da30e71accf186b2ba11da1797cf67f8f78b47c

        SHA256

        92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

        SHA512

        4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        19KB

        MD5

        65703d1df8ec1cc077bed9b777e489af

        SHA1

        04b21612c1f14fe09fb6272683d70a009997b65f

        SHA256

        b5678194b81b838b39cbce14a817be8ea277c0a51c3adaccfa10c3e8c0b3c60c

        SHA512

        d09badb3105b9f1a9dfc71cb13c92f81a58a5f2dce8048f4cb4c3785a02234eaae07e5e8b18c61505aa25b2de91e77be5d90a73955b6a09bd442c851563ca3e7

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        19KB

        MD5

        d756bf6f32752c1f5fcf85c1b30d64ae

        SHA1

        d5a863643a640cb667c9433f720da5b40fb21e43

        SHA256

        17d60096b174ad6f049979e7f527f443218d4ce6ccdf61d3e249baa6529a265a

        SHA512

        2fb7f92191930520e7710aa600d0e7b252c901126530684dc2f093984967f67babad23d95ffb5c8aa89a9f9537102622eb337199dc45376cbe33fdc9e211978e

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        19KB

        MD5

        9c1369426d65579cf5a6552892849268

        SHA1

        77dc2c6ae32625f836868093b7f04e84ac4dc73f

        SHA256

        154c775b9a4cd0d4dd9941abc04f81fce57c9d07bcbf84572286c901779a9988

        SHA512

        230fa463d673633fecf35add7cb3cf001ad0a46fb0605b2f8ec4d130c3747c753bb398e9c37d09d1d857ebc0c5417bd1eb540d53496552e572315cdc09bd6c8b

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        19KB

        MD5

        f61cd181778da0deb9e3385d53eb3aaa

        SHA1

        87561e5f1d4d5656419817e5da00428783357c39

        SHA256

        72ea7ada5cd91818c016c57a372fe17a001f5f1b2e2b70367af346bfd14de80b

        SHA512

        3ec0d88be7f9ad0c46c3acafa0514c09e465200490109adebeb7264ed6677c5e031476e4be45e2fcb190c9614c2d248d0d8a45b246eede6c881f34107fe6ab55

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        19KB

        MD5

        0614ac9a74a533dfa0c93b4388a346d3

        SHA1

        b24e548802736bf3fdb639316e9fff34b80a3bc3

        SHA256

        bd6fd1450511e5f4b1ab57556dc078368574f4430e0959929f367bd5fb22c8bb

        SHA512

        2820319cc0a98e05a1c1cea8cff0f9add288e9e24a5d0b43b4e149836492cb2006db017e554af39d6e90f81fd2c3e858662918057d3ceb4b386eed81dba42fb4

        Download Submit

      • C:\Windows\rss\csrss.exe
        Filesize

        4.2MB

        MD5

        a74f977a76a84e9abe226d37060a60ff

        SHA1

        d0fdd076ee5b88112d0c5a9f599b4680bf391c55

        SHA256

        8b47875c3610c14308db0bbd7028fada1f511d419255887ddcfc693334070965

        SHA512

        26e517452636bbb3ae20187ccf52b9d628c8771b7f7a8459d53684a5b57007677708844eeccd666ea3dabf538f0cc35932d4b3ef07701eba34b08f25122c1854

        Download Submit

      • C:\Windows\rss\csrss.exe
        Filesize

        4.2MB

        MD5

        a74f977a76a84e9abe226d37060a60ff

        SHA1

        d0fdd076ee5b88112d0c5a9f599b4680bf391c55

        SHA256

        8b47875c3610c14308db0bbd7028fada1f511d419255887ddcfc693334070965

        SHA512

        26e517452636bbb3ae20187ccf52b9d628c8771b7f7a8459d53684a5b57007677708844eeccd666ea3dabf538f0cc35932d4b3ef07701eba34b08f25122c1854

        Download Submit

      • memory/1944-277-0x0000000004850000-0x0000000004860000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1944-278-0x0000000004850000-0x0000000004860000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1944-279-0x0000000070590000-0x00000000705DC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1944-280-0x0000000070D30000-0x0000000071084000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1944-291-0x000000007F070000-0x000000007F080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1944-290-0x0000000004850000-0x0000000004860000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2256-173-0x0000000000400000-0x0000000000D1B000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/2256-134-0x0000000003110000-0x00000000039FB000-memory.dmp

        Filesize

        8.9MB

        Download

      • memory/2256-180-0x0000000000400000-0x0000000000D1B000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/2440-223-0x0000000070DF0000-0x0000000071144000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2440-220-0x00000000051F0000-0x0000000005200000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2440-221-0x00000000051F0000-0x0000000005200000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2440-219-0x00000000051F0000-0x0000000005200000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2440-222-0x0000000070630000-0x000000007067C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2440-233-0x000000007F370000-0x000000007F380000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3088-307-0x0000000070630000-0x0000000070984000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3088-303-0x0000000003050000-0x0000000003060000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3088-306-0x0000000003050000-0x0000000003060000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3088-305-0x00000000704B0000-0x00000000704FC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3088-304-0x0000000003050000-0x0000000003060000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3092-249-0x0000000070DD0000-0x0000000071124000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3092-259-0x000000007F3A0000-0x000000007F3B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3092-245-0x00000000050D0000-0x00000000050E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3092-248-0x0000000070630000-0x000000007067C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3092-246-0x00000000050D0000-0x00000000050E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3092-247-0x00000000050D0000-0x00000000050E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3148-204-0x000000007FAD0000-0x000000007FAE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3148-181-0x0000000004900000-0x0000000004910000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3148-203-0x0000000004900000-0x0000000004910000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3148-193-0x0000000070DF0000-0x0000000071144000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3148-192-0x0000000070630000-0x000000007067C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3148-182-0x0000000004900000-0x0000000004910000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3564-359-0x0000000000400000-0x0000000000D1B000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3564-350-0x0000000000400000-0x0000000000D1B000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3564-351-0x0000000000400000-0x0000000000D1B000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3564-352-0x0000000000400000-0x0000000000D1B000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3564-353-0x0000000000400000-0x0000000000D1B000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3564-354-0x0000000000400000-0x0000000000D1B000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3564-317-0x0000000000400000-0x0000000000D1B000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3564-355-0x0000000000400000-0x0000000000D1B000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3564-356-0x0000000000400000-0x0000000000D1B000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3564-357-0x0000000000400000-0x0000000000D1B000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3564-358-0x0000000000400000-0x0000000000D1B000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/4412-152-0x0000000006330000-0x0000000006374000-memory.dmp

        Filesize

        272KB

        Download

      • memory/4412-159-0x00000000706B0000-0x0000000070A04000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4412-151-0x0000000005E40000-0x0000000005E5E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4412-143-0x0000000005720000-0x0000000005786000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4412-140-0x0000000005000000-0x0000000005066000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4412-139-0x0000000002920000-0x0000000002930000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4412-155-0x0000000007860000-0x0000000007EDA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4412-154-0x0000000002920000-0x0000000002930000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4412-156-0x0000000007200000-0x000000000721A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4412-137-0x0000000004F60000-0x0000000004F82000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4412-176-0x0000000007590000-0x0000000007598000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4412-157-0x00000000073B0000-0x00000000073E2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4412-138-0x0000000002920000-0x0000000002930000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4412-175-0x0000000007640000-0x000000000765A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4412-174-0x0000000007550000-0x000000000755E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4412-172-0x00000000075A0000-0x0000000007636000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4412-171-0x00000000074E0000-0x00000000074EA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4412-170-0x0000000007390000-0x00000000073AE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4412-168-0x000000007F170000-0x000000007F180000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4412-136-0x0000000005080000-0x00000000056A8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4412-135-0x0000000002850000-0x0000000002886000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4412-158-0x0000000070530000-0x000000007057C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4412-153-0x0000000007160000-0x00000000071D6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4752-218-0x0000000000400000-0x0000000000D1B000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/4752-264-0x0000000000400000-0x0000000000D1B000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/5040-332-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5040-333-0x000000007F980000-0x000000007F990000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5040-334-0x0000000070630000-0x0000000070984000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/5040-331-0x00000000704B0000-0x00000000704FC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/5040-329-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5040-330-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

        Filesize

        64KB

        Download