Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03/10/2023, 13:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d825cbdd7a4e9a6e5e3d3198140c054f5be1e76ba04a3f58439e13087860bc6c.exe

  • Size

    4.2MB

  • MD5

    aa79e0d2728845087c3c4025aef59b2f

  • SHA1

    55320acd4358eb3fa8d9c5cf6e73da9b65846173

  • SHA256

    d825cbdd7a4e9a6e5e3d3198140c054f5be1e76ba04a3f58439e13087860bc6c

  • SHA512

    c1b9e7a694c9b1f8bb98f61efeea923a3f86d57c32e24c62d6b3a74fe2e7aa41fd9189ff04ff6728ffbd12bd6beee722ed6525ca9419f02607c4fac2a361a61b

  • SSDEEP

    98304:4722wvMsLFwNAIQdLBckav8O3ncXtSVwXLW+Sv:I22wUsLY/QBBcnv8OMAVwCpv

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojan

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 22 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\d825cbdd7a4e9a6e5e3d3198140c054f5be1e76ba04a3f58439e13087860bc6c.exe
    "C:\Users\Admin\AppData\Local\Temp\d825cbdd7a4e9a6e5e3d3198140c054f5be1e76ba04a3f58439e13087860bc6c.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4148
    • C:\Users\Admin\AppData\Local\Temp\d825cbdd7a4e9a6e5e3d3198140c054f5be1e76ba04a3f58439e13087860bc6c.exe
      "C:\Users\Admin\AppData\Local\Temp\d825cbdd7a4e9a6e5e3d3198140c054f5be1e76ba04a3f58439e13087860bc6c.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4092
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:3592
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1164
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3520
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:224
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3276
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3236
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:1004
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4164
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3432
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2220
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:1892

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_12tvdowk.1gh.ps1
            Filesize

            1B

            MD5

            c4ca4238a0b923820dcc509a6f75849b

            SHA1

            356a192b7913b04c54574d18c28d46e6395428ab

            SHA256

            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

            SHA512

            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            Filesize

            281KB

            MD5

            d98e33b66343e7c96158444127a117f6

            SHA1

            bb716c5509a2bf345c6c1152f6e3e1452d39d50d

            SHA256

            5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

            SHA512

            705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            Filesize

            281KB

            MD5

            d98e33b66343e7c96158444127a117f6

            SHA1

            bb716c5509a2bf345c6c1152f6e3e1452d39d50d

            SHA256

            5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

            SHA512

            705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            db01a2c1c7e70b2b038edf8ad5ad9826

            SHA1

            540217c647a73bad8d8a79e3a0f3998b5abd199b

            SHA256

            413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

            SHA512

            c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            18KB

            MD5

            8b80bb0ee7f3af822c1135c272cbe45d

            SHA1

            9ba225b6262ddcee154a3e79430774e20158adf4

            SHA256

            6617af56fcbcca25c697a98466538246af1d8d31ee4011ed0826f6f21d306a26

            SHA512

            85872cfc34294060f9105296e7f7b97bf00ee0a82a1e7810d360060b98e369b6cdd7122d631c900eaad2d6f3b5f760cb258cea5db4523cdb9dd65b5e0f4a7f6c

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            18KB

            MD5

            a4c75532f7809cc55efbf83506f488cd

            SHA1

            dc965410364a319bd96e3ea81e7b67f65fd2d07c

            SHA256

            0ffa85a6bd8a4c9d15ff5c6e0591dac8fac7e01245924dc8c39d5be3db54691e

            SHA512

            c917083954cdde427ed270af4c9f1476316da7bc729caef7d078b73a5063bedc426a9abe211bd63a6b553e5edf069623e396b039d61684ae52db9b635f0262f8

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            18KB

            MD5

            643f4a6a6b5325c944771c6e54521da6

            SHA1

            9784a0f6632e574392bfc01604366c39320b667a

            SHA256

            ff23d99e7c6d5c9fbaad9ab6686226eed3e83179730694e0dbabc8e49f79db69

            SHA512

            c42c7fb66de81aea8057c4bd6835f38c970dc6569c1b65152ecd8afb69398857b751602b3351ddbebc66455db850716fa01445ce6d36110e5b269b2a9e4ecdff

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            18KB

            MD5

            92dd36bfea2de7b1a931b784af963ee1

            SHA1

            6a9cc9bc45ee04864e55b47631d8b7d55ec4dc47

            SHA256

            a757fdd266a37a6b69d95a6b1de2d9e59a9b7be92d19ddac2d291f4c13623d0c

            SHA512

            e7424d7b69091b6df022ebf1ec6261c941da525c3c0d8e2b9ecc24a7a495fb1c3bcc210095f159940082b8083f595ff5c8f6e78c81dcffbff8e6d1de2c7c3dfe

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            18KB

            MD5

            f2b94a3638124318d8144b68672e1112

            SHA1

            bbf9fa9417aa0afcb3feeef8822d2b59b7b61c2d

            SHA256

            1114eaedbd2513a7d652359fb6faffd69498897fa38718632bb6e56a46ecc913

            SHA512

            16fa4021079b41604b29a0c1c13a134a892da9c7aa5c810fd1049321507a0a6768b4d9b92ac2e9aa7509426ff4df1af54a037ea0b60cd1265b7f60f33986daf1

            Download Submit

          • C:\Windows\rss\csrss.exe
            Filesize

            4.2MB

            MD5

            aa79e0d2728845087c3c4025aef59b2f

            SHA1

            55320acd4358eb3fa8d9c5cf6e73da9b65846173

            SHA256

            d825cbdd7a4e9a6e5e3d3198140c054f5be1e76ba04a3f58439e13087860bc6c

            SHA512

            c1b9e7a694c9b1f8bb98f61efeea923a3f86d57c32e24c62d6b3a74fe2e7aa41fd9189ff04ff6728ffbd12bd6beee722ed6525ca9419f02607c4fac2a361a61b

            Download Submit

          • C:\Windows\rss\csrss.exe
            Filesize

            4.2MB

            MD5

            aa79e0d2728845087c3c4025aef59b2f

            SHA1

            55320acd4358eb3fa8d9c5cf6e73da9b65846173

            SHA256

            d825cbdd7a4e9a6e5e3d3198140c054f5be1e76ba04a3f58439e13087860bc6c

            SHA512

            c1b9e7a694c9b1f8bb98f61efeea923a3f86d57c32e24c62d6b3a74fe2e7aa41fd9189ff04ff6728ffbd12bd6beee722ed6525ca9419f02607c4fac2a361a61b

            Download Submit

          • memory/224-1809-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/224-1060-0x0000000004B00000-0x00000000053EB000-memory.dmp

            Filesize

            8.9MB

            Download

          • memory/224-1810-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/224-1816-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/224-1811-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/224-1582-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/224-1812-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/224-1815-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/224-1059-0x0000000004700000-0x0000000004AF9000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/224-1813-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/224-1165-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/224-1814-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/224-1061-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/1164-566-0x0000000072E50000-0x000000007353E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1164-567-0x0000000005330000-0x0000000005340000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1164-594-0x0000000005330000-0x0000000005340000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1164-807-0x0000000072E50000-0x000000007353E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/1164-588-0x000000006FB80000-0x000000006FBCB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/1164-568-0x0000000008140000-0x0000000008490000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1164-589-0x000000006FBF0000-0x000000006FF40000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2464-14-0x0000000004470000-0x000000000486B000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/2464-305-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/2464-1-0x0000000004470000-0x000000000486B000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/2464-3-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/2464-2-0x0000000004870000-0x000000000515B000-memory.dmp

            Filesize

            8.9MB

            Download

          • memory/2464-73-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/2464-17-0x0000000004870000-0x000000000515B000-memory.dmp

            Filesize

            8.9MB

            Download

          • memory/2464-70-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/3520-1052-0x0000000072E50000-0x000000007353E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/3520-811-0x0000000072E50000-0x000000007353E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/3520-812-0x0000000007290000-0x00000000072A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3520-832-0x000000006FB80000-0x000000006FBCB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/3520-834-0x000000006FBF0000-0x000000006FF40000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/3520-833-0x000000007ED70000-0x000000007ED80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3520-839-0x0000000007290000-0x00000000072A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4092-344-0x0000000006F00000-0x0000000006F10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4092-312-0x0000000072E50000-0x000000007353E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/4092-561-0x0000000006F00000-0x0000000006F10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4092-562-0x0000000072E50000-0x000000007353E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/4092-545-0x0000000072E50000-0x000000007353E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/4092-343-0x00000000097E0000-0x0000000009885000-memory.dmp

            Filesize

            660KB

            Download

          • memory/4092-313-0x0000000006F00000-0x0000000006F10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4092-338-0x000000006FBD0000-0x000000006FF20000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4092-337-0x000000007ECF0000-0x000000007ED00000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4092-335-0x000000006FB80000-0x000000006FBCB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/4092-316-0x0000000008760000-0x00000000087AB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/4092-315-0x0000000007DF0000-0x0000000008140000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4092-314-0x0000000006F00000-0x0000000006F10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4148-88-0x0000000009BB0000-0x0000000009C44000-memory.dmp

            Filesize

            592KB

            Download

          • memory/4148-13-0x0000000007670000-0x00000000079C0000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4148-6-0x0000000072D50000-0x000000007343E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/4148-7-0x0000000004660000-0x0000000004670000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4148-8-0x00000000044E0000-0x0000000004516000-memory.dmp

            Filesize

            216KB

            Download

          • memory/4148-304-0x0000000072D50000-0x000000007343E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/4148-286-0x0000000007F10000-0x0000000007F18000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4148-281-0x0000000009A80000-0x0000000009A9A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/4148-9-0x0000000006D10000-0x0000000007338000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/4148-86-0x0000000072D50000-0x000000007343E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/4148-87-0x0000000004660000-0x0000000004670000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4148-10-0x0000000006BA0000-0x0000000006BC2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4148-85-0x0000000009990000-0x0000000009A35000-memory.dmp

            Filesize

            660KB

            Download

          • memory/4148-79-0x000000006FAB0000-0x000000006FE00000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4148-80-0x0000000009930000-0x000000000994E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/4148-78-0x000000006FA60000-0x000000006FAAB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/4148-76-0x000000007F480000-0x000000007F490000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4148-77-0x0000000009950000-0x0000000009983000-memory.dmp

            Filesize

            204KB

            Download

          • memory/4148-67-0x0000000008B40000-0x0000000008BB6000-memory.dmp

            Filesize

            472KB

            Download

          • memory/4148-36-0x0000000008A30000-0x0000000008A6C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4148-16-0x00000000079F0000-0x0000000007A3B000-memory.dmp

            Filesize

            300KB

            Download

          • memory/4148-15-0x00000000079C0000-0x00000000079DC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/4148-11-0x0000000007520000-0x0000000007586000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4148-12-0x0000000007600000-0x0000000007666000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4548-808-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/4548-1057-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/4548-413-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/4548-308-0x0000000004290000-0x0000000004689000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/4548-309-0x0000000000400000-0x0000000002675000-memory.dmp

            Filesize

            34.5MB

            Download

          • memory/4548-336-0x0000000004290000-0x0000000004689000-memory.dmp

            Filesize

            4.0MB

            Download