Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/09/2023, 08:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    321acfeb0098a86373ab3752f9b7145cc85fd5bc5b50d8876241b28d4d5724dd.exe

  • Size

    4.2MB

  • MD5

    fb5e19d4335fcdc40ba3980c5d3a1bcc

  • SHA1

    1d707cb928336a1d6903a24354cc1df1d06bf7de

  • SHA256

    321acfeb0098a86373ab3752f9b7145cc85fd5bc5b50d8876241b28d4d5724dd

  • SHA512

    d983432a56c8201444d77e8befc8aa0d8beb2183b73dea1e64a7d28b3158a6c394c8d3884a7038037fbb2a2c57951f07d8770ef3b6d6f051ed7e415f181d0414

  • SSDEEP

    98304:OfrTbheRqFixgd2vdUGHDWyNS6A06u71wPfCzjVACDb:wbheAjdutRNS6L1tzj

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkit

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 22 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\321acfeb0098a86373ab3752f9b7145cc85fd5bc5b50d8876241b28d4d5724dd.exe
    "C:\Users\Admin\AppData\Local\Temp\321acfeb0098a86373ab3752f9b7145cc85fd5bc5b50d8876241b28d4d5724dd.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1224
    • C:\Users\Admin\AppData\Local\Temp\321acfeb0098a86373ab3752f9b7145cc85fd5bc5b50d8876241b28d4d5724dd.exe
      "C:\Users\Admin\AppData\Local\Temp\321acfeb0098a86373ab3752f9b7145cc85fd5bc5b50d8876241b28d4d5724dd.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4852
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4444
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:2292
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1996
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4528
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4972
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:5060
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:2196
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:208
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3132
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4248
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:2148

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nadcq5hb.qld.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      3d086a433708053f9bf9523e1d87a4e8

      SHA1

      b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

      SHA256

      6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

      SHA512

      931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      db9930a3477ae31353bb34c060496283

      SHA1

      1d9a6e3da62a41e45453ed6f7ef8564edf026fa7

      SHA256

      2b64502b81ff1187c658a2a7f458e00900b199354394de304729b295fec6acd4

      SHA512

      ba154db46d15f6fa7100ec2e9261dd97e4c98148d3cff06544182181f569c21591d604f645e65a2af61cc2251c17eda3671933d36a0191b04488a6c201db6795

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      29557fb9112337ca2ef9277b6315a1fa

      SHA1

      b6cb9a66ca93da80948ebbce410ab58c8a0179eb

      SHA256

      594a9bc683a3b8aa52eb72d2dcc50e377459ac17cd3996cfebacdf537477a0e3

      SHA512

      54e04eb5a02b80cf287d94469aad5eac8516d110c860e07aabbc4fadfa8b3e61b5e1545883d69bc9848b9ad0758dcce677cbf7621e9ef4fdeba43d435d3c19f6

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      04784c08817f22a251b6bf173eb730cf

      SHA1

      39322dc7bc49a59688d36eb696460869adec1e0e

      SHA256

      2097f1def714f8033e00fc88b5b60eddc6662c8e6ff7408a826fdd7ce079ab3a

      SHA512

      263625e62f07e5492a82ccfc3ac8f1ccc2a55fc56e299613202cc7dfdd21094c6a541b5b5310770e3a719b7145c29d56e55bfb53b7ba42a8ce32c668b23438fb

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      80807f6dbef7c0dc8d1509cca0b6a4c5

      SHA1

      5002b35ef0873bb3060b3c8e5a0cc8c3fec71d1b

      SHA256

      b938b5ef292481d5f19cf92b0a528b2ec29bc4b3652f404fb8b297e2ae594e49

      SHA512

      0e849128ffde78840beab36c8d95d074cc4052cd0749465e78df46dd32ac139885294f912109088dab762bceb7a1f89e6dccee7c3ab903d894dc42549115667d

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      d582adfdd60a742da5a9e25f6b38dcac

      SHA1

      d833b909697686f0db65fb4c174bd559ffb0a692

      SHA256

      c992ed897da8813070daccbb290f4f1a58d10d620a1f92f2081977a9087b068b

      SHA512

      139f75353c195bae2650a12f4da7780d11ab94ad7e4058eb8276343d84020eff210e20575d53b814ddf9915bc9c1aa426f01e8c3945dd82382efbdf8fc3cd536

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      fb5e19d4335fcdc40ba3980c5d3a1bcc

      SHA1

      1d707cb928336a1d6903a24354cc1df1d06bf7de

      SHA256

      321acfeb0098a86373ab3752f9b7145cc85fd5bc5b50d8876241b28d4d5724dd

      SHA512

      d983432a56c8201444d77e8befc8aa0d8beb2183b73dea1e64a7d28b3158a6c394c8d3884a7038037fbb2a2c57951f07d8770ef3b6d6f051ed7e415f181d0414

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      fb5e19d4335fcdc40ba3980c5d3a1bcc

      SHA1

      1d707cb928336a1d6903a24354cc1df1d06bf7de

      SHA256

      321acfeb0098a86373ab3752f9b7145cc85fd5bc5b50d8876241b28d4d5724dd

      SHA512

      d983432a56c8201444d77e8befc8aa0d8beb2183b73dea1e64a7d28b3158a6c394c8d3884a7038037fbb2a2c57951f07d8770ef3b6d6f051ed7e415f181d0414

      Download Submit

    • memory/1224-29-0x0000000007AC0000-0x000000000813A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1224-44-0x0000000007650000-0x00000000076F3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/1224-22-0x0000000006090000-0x00000000060AE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1224-23-0x00000000060D0000-0x000000000611C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1224-24-0x0000000006640000-0x0000000006684000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1224-12-0x0000000005A10000-0x0000000005A76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1224-10-0x00000000059A0000-0x0000000005A06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1224-27-0x0000000002A30000-0x0000000002A40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1224-28-0x00000000073C0000-0x0000000007436000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1224-9-0x00000000050B0000-0x00000000050D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1224-30-0x0000000007460000-0x000000000747A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1224-32-0x00000000702E0000-0x000000007032C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1224-31-0x0000000007610000-0x0000000007642000-memory.dmp

      Filesize

      200KB

      Download

    • memory/1224-33-0x0000000070460000-0x00000000707B4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1224-43-0x00000000075F0000-0x000000000760E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1224-21-0x0000000005C80000-0x0000000005FD4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1224-8-0x0000000005140000-0x0000000005768000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1224-7-0x0000000002A30000-0x0000000002A40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1224-47-0x0000000007740000-0x000000000774A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1224-48-0x000000007F010000-0x000000007F020000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1224-49-0x0000000007800000-0x0000000007896000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1224-50-0x0000000007760000-0x0000000007771000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1224-51-0x00000000077A0000-0x00000000077AE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1224-52-0x00000000077B0000-0x00000000077C4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1224-53-0x0000000074440000-0x0000000074BF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1224-54-0x00000000078A0000-0x00000000078BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1224-55-0x00000000077F0000-0x00000000077F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1224-58-0x0000000074440000-0x0000000074BF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1224-6-0x0000000002A30000-0x0000000002A40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1224-5-0x0000000004AD0000-0x0000000004B06000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1224-4-0x0000000074440000-0x0000000074BF0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1996-116-0x000000007F550000-0x000000007F560000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1996-129-0x00000000744E0000-0x0000000074C90000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1996-102-0x0000000002540000-0x0000000002550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1996-101-0x00000000744E0000-0x0000000074C90000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1996-113-0x0000000005580000-0x00000000058D4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1996-103-0x0000000002540000-0x0000000002550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1996-115-0x0000000002540000-0x0000000002550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1996-117-0x00000000703E0000-0x000000007042C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1996-118-0x0000000070580000-0x00000000708D4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2688-270-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/2688-265-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/2688-257-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/2688-266-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/2688-267-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/2688-268-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/2688-269-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/2688-271-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/2688-272-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/2688-273-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/4444-93-0x0000000007BF0000-0x0000000007C01000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4444-81-0x0000000070560000-0x00000000708B4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4444-65-0x0000000003100000-0x0000000003110000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4444-99-0x00000000744E0000-0x0000000074C90000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4444-95-0x0000000007C40000-0x0000000007C54000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4444-66-0x0000000003100000-0x0000000003110000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4444-76-0x0000000006160000-0x00000000064B4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4444-64-0x00000000744E0000-0x0000000074C90000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4444-77-0x0000000006740000-0x000000000678C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4444-78-0x0000000003100000-0x0000000003110000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4444-80-0x00000000703E0000-0x000000007042C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4444-82-0x000000007FD30000-0x000000007FD40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4444-92-0x00000000078D0000-0x0000000007973000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4776-59-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/4776-26-0x0000000004CC0000-0x00000000055AB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4776-25-0x00000000048B0000-0x0000000004CB7000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4776-1-0x00000000048B0000-0x0000000004CB7000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4776-3-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/4776-2-0x0000000004CC0000-0x00000000055AB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4776-45-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/4776-46-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/4852-63-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/4852-79-0x0000000004510000-0x000000000490B000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4852-155-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/4852-61-0x0000000004510000-0x000000000490B000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4852-94-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/4852-161-0x0000000000400000-0x000000000298A000-memory.dmp

      Filesize

      37.5MB

      Download

    • memory/4852-62-0x0000000004A10000-0x00000000052FB000-memory.dmp

      Filesize

      8.9MB

      Download