Overview

overview

10

Static

static

3

c3036a3246...74.exe

windows7-x64

10

c3036a3246...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 12:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74.exe

  • Size

    3.9MB

  • MD5

    68ae6ccb3c5a879ea7d350372fe1f637

  • SHA1

    fda8df32fac91f400aebc9f1f12fe2b7874c41c4

  • SHA256

    c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74

  • SHA512

    aa8741fba30bfe5a1c6e7fe357d719f67b66c1348f0f6072b2cc96d0b4cccf5f982a0979aa5b46bb2c7a9310d6904cc5f0357ecd6b053b607946704ab6ad7fdc

  • SSDEEP

    98304:Yws2ANlKXOaeOgmhIFValfyCwwDK4F0Fc:O0XbeO75OK

Score
10/10
gh0stratpurplefoxsalitybackdoorevasionpersistenceratrootkittrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Detect PurpleFox Rootkit 9 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 10 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Drops file in Drivers directory 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 37 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
    1⤵
      PID:780
    • C:\Windows\system32\fontdrvhost.exe
      "fontdrvhost.exe"
      1⤵
        PID:784
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        1⤵
          PID:316
        • C:\Windows\system32\sihost.exe
          sihost.exe
          1⤵
            PID:2920
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
            1⤵
              PID:3000
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
                PID:3172
              • C:\Windows\Explorer.EXE
                C:\Windows\Explorer.EXE
                1⤵
                  PID:3388
                  • C:\Users\Admin\AppData\Local\Temp\c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74.exe
                    "C:\Users\Admin\AppData\Local\Temp\c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74.exe"
                    2⤵
                    • Modifies firewall policy service
                    • UAC bypass
                    • Windows security bypass
                    • Windows security modification
                    • Checks whether UAC is enabled
                    • Enumerates connected drives
                    • Drops autorun.inf file
                    • Drops file in Program Files directory
                    • Drops file in Windows directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    • System policy modification
                    PID:3544
                    • C:\Users\Admin\AppData\Local\Temp\R.exe
                      C:\Users\Admin\AppData\Local\Temp\\R.exe
                      3⤵
                      • Sets DLL path for service in the registry
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      PID:5060
                    • C:\Users\Admin\AppData\Local\Temp\N.exe
                      C:\Users\Admin\AppData\Local\Temp\\N.exe
                      3⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Suspicious use of WriteProcessMemory
                      PID:4120
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
                        4⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3168
                        • C:\Windows\SysWOW64\PING.EXE
                          ping -n 2 127.0.0.1
                          5⤵
                          • Runs ping.exe
                          PID:1580
                    • C:\Users\Admin\AppData\Local\Temp\HD_c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74.exe
                      C:\Users\Admin\AppData\Local\Temp\HD_c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74.exe
                      3⤵
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      PID:4148
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                  1⤵
                    PID:3568
                  • C:\Windows\system32\DllHost.exe
                    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                    1⤵
                      PID:3760
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                        PID:3876
                      • C:\Windows\System32\RuntimeBroker.exe
                        C:\Windows\System32\RuntimeBroker.exe -Embedding
                        1⤵
                          PID:3940
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:4016
                          • C:\Windows\System32\RuntimeBroker.exe
                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                            1⤵
                              PID:4080
                            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
                              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
                              1⤵
                                PID:2968
                              • C:\Windows\System32\RuntimeBroker.exe
                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                1⤵
                                  PID:3180
                                • C:\Windows\system32\backgroundTaskHost.exe
                                  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
                                  1⤵
                                    PID:3240
                                  • C:\Windows\system32\backgroundTaskHost.exe
                                    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
                                    1⤵
                                      PID:3872
                                    • C:\Windows\system32\backgroundTaskHost.exe
                                      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                      1⤵
                                        PID:2084
                                      • C:\Windows\SysWOW64\svchost.exe
                                        C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
                                        1⤵
                                          PID:4668
                                        • C:\Windows\SysWOW64\svchost.exe
                                          C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
                                          1⤵
                                          • Loads dropped DLL
                                          • Drops file in System32 directory
                                          • Suspicious use of WriteProcessMemory
                                          PID:4544
                                          • C:\Windows\SysWOW64\Remote Data.exe
                                            "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240595906.txt",MainThread
                                            2⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            PID:1220
                                        • C:\Windows\SysWOW64\TXPlatfor.exe
                                          C:\Windows\SysWOW64\TXPlatfor.exe -auto
                                          1⤵
                                          • Executes dropped EXE
                                          • Suspicious use of WriteProcessMemory
                                          PID:4100
                                          • C:\Windows\SysWOW64\TXPlatfor.exe
                                            C:\Windows\SysWOW64\TXPlatfor.exe -acsi
                                            2⤵
                                            • Drops file in Drivers directory
                                            • Sets service image path in registry
                                            • Executes dropped EXE
                                            • Suspicious behavior: LoadsDriver
                                            PID:64
                                        • C:\Windows\System32\RuntimeBroker.exe
                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                          1⤵
                                            PID:1464
                                          • C:\Windows\System32\RuntimeBroker.exe
                                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                                            1⤵
                                              PID:3112

                                            Network

                                            MITRE ATT&CK Matrix ATT&CK v13

                                            Initial Access

                                            Replication Through Removable Media

                                            1
                                            T1091

                                            Execution

                                            Persistence

                                            Create or Modify System Process

                                            1
                                            T1543

                                            Windows Service

                                            1
                                            T1543.003

                                            Boot or Logon Autostart Execution

                                            2
                                            T1547

                                            Registry Run Keys / Startup Folder

                                            2
                                            T1547.001

                                            Privilege Escalation

                                            Create or Modify System Process

                                            1
                                            T1543

                                            Windows Service

                                            1
                                            T1543.003

                                            Abuse Elevation Control Mechanism

                                            1
                                            T1548

                                            Bypass User Account Control

                                            1
                                            T1548.002

                                            Boot or Logon Autostart Execution

                                            2
                                            T1547

                                            Registry Run Keys / Startup Folder

                                            2
                                            T1547.001

                                            Defense Evasion

                                            Modify Registry

                                            7
                                            T1112

                                            Abuse Elevation Control Mechanism

                                            1
                                            T1548

                                            Bypass User Account Control

                                            1
                                            T1548.002

                                            Impair Defenses

                                            3
                                            T1562

                                            Disable or Modify Tools

                                            3
                                            T1562.001

                                            Credential Access

                                            Discovery

                                            System Information Discovery

                                            2
                                            T1082

                                            Query Registry

                                            1
                                            T1012

                                            Peripheral Device Discovery

                                            1
                                            T1120

                                            Remote System Discovery

                                            1
                                            T1018

                                            Lateral Movement

                                            Replication Through Removable Media

                                            1
                                            T1091

                                            Collection

                                            Exfiltration

                                            Command and Control

                                            Impact

                                            Resource Development

                                            Reconnaissance

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Temp\0E578A8D_Rar\c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74.exe
                                              Filesize

                                              3.9MB

                                              MD5

                                              b460f9a898a55bbc6f3bfc7906669425

                                              SHA1

                                              e5c8109b55c134e9707707ccbc80bedc410cea1b

                                              SHA256

                                              92c4bb6c17cd83c620ed45e8c273319a89e6cd93ef89333d4ba6df326ee60aa7

                                              SHA512

                                              2dee9b38c3f68c0ef80605158ebe61abb09ee70942d858dc05862de68568411424ad147a25f1c778f20fe81f3eb437567ba82d5af2b201123a6bf8cc9cb329df

                                              Download Submit
                                            • C:\Users\Admin\AppData\Local\Temp\HD_c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74.exe
                                              Filesize

                                              1.3MB

                                              MD5

                                              9af4ff55c1c5aefe42bc22a6283f3c86

                                              SHA1

                                              629b290a8ee422211eb513d5fc91efcbb0d0f8ff

                                              SHA256

                                              eb9e892b792b8057aba8aa8a012ae18993011e261558e86eac5b5e835bfeb332

                                              SHA512

                                              3fd9c94ec4d2ca17b1a360a4d0f878ebc69655b91f645a294fb42908eaf4cae9b2daba2eb0f747b8904a4b77992ecf90666a5d79c2b3ba77127176d331e14f5e

                                              Download Submit
                                            • C:\Users\Admin\AppData\Local\Temp\N.exe
                                              Filesize

                                              377KB

                                              MD5

                                              4a36a48e58829c22381572b2040b6fe0

                                              SHA1

                                              f09d30e44ff7e3f20a5de307720f3ad148c6143b

                                              SHA256

                                              3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

                                              SHA512

                                              5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

                                              Download Submit
                                            • C:\Users\Admin\AppData\Local\Temp\R.exe
                                              Filesize

                                              941KB

                                              MD5

                                              8dc3adf1c490211971c1e2325f1424d2

                                              SHA1

                                              4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

                                              SHA256

                                              bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

                                              SHA512

                                              ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

                                              Download Submit
                                            • C:\Windows\SysWOW64\240595906.txt
                                              Filesize

                                              899KB

                                              MD5

                                              4a61f73a7faca57a57d183a51ab9f9f4

                                              SHA1

                                              707abccbce3da5b06cb8fc4e590e9c0559505c5e

                                              SHA256

                                              b174d3a954d9acd730dbf6f472fd0b4033de2bd964b701abab3507fae637d55b

                                              SHA512

                                              714a5abbf6c03c361e2cf8f5da35142258296cf77743793fe9dbba877e54d9b45d8c710499bb6639a27068a7a6ad1aaec865030615db846d6d251a9d77231364

                                              Download Submit
                                            • C:\Windows\SysWOW64\Remote Data.exe
                                              Filesize

                                              60KB

                                              MD5

                                              889b99c52a60dd49227c5e485a016679

                                              SHA1

                                              8fa889e456aa646a4d0a4349977430ce5fa5e2d7

                                              SHA256

                                              6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

                                              SHA512

                                              08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

                                              Download Submit
                                            • F:\ycvxqk.pif
                                              Filesize

                                              100KB

                                              MD5

                                              7137201a01ee87d6cb09dc2d4ee4fd9f

                                              SHA1

                                              a8d6f4a122a39ed1968a485e2cdedc7525afd6e6

                                              SHA256

                                              cc925de4401027d5b2d1a803a16a9e9997d25bac3ab511baf428132bee7d8dd3

                                              SHA512

                                              227e311d59ffd9e01c1e26f1415fc6bd45d46da6e6623f7559025d5d83ab7d85bedb51641d7b9bd9c2e6620198e0af85e8d1c005d090451c1f1288eea59e7e9f

                                              Download Submit
                                            • memory/64-72-0x0000000010000000-0x00000000101B6000-memory.dmp
                                              Filesize

                                              1.7MB

                                              Download
                                            • memory/64-69-0x0000000010000000-0x00000000101B6000-memory.dmp
                                              Filesize

                                              1.7MB

                                              Download
                                            • memory/64-67-0x0000000010000000-0x00000000101B6000-memory.dmp
                                              Filesize

                                              1.7MB

                                              Download
                                            • memory/3544-58-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-50-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-23-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-1-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-3-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-32-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-108-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-106-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-37-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-104-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-41-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-101-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-17-0x0000000003670000-0x0000000003672000-memory.dmp
                                              Filesize

                                              8KB

                                              Download
                                            • memory/3544-99-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-96-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-93-0x0000000003670000-0x0000000003672000-memory.dmp
                                              Filesize

                                              8KB

                                              Download
                                            • memory/3544-19-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-0-0x0000000000400000-0x00000000006CC000-memory.dmp
                                              Filesize

                                              2.8MB

                                              Download
                                            • memory/3544-94-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-14-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-15-0x0000000003680000-0x0000000003681000-memory.dmp
                                              Filesize

                                              4KB

                                              Download
                                            • memory/3544-13-0x0000000003670000-0x0000000003672000-memory.dmp
                                              Filesize

                                              8KB

                                              Download
                                            • memory/3544-74-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-75-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-76-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-12-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-82-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-83-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-84-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-86-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/3544-87-0x00000000025C0000-0x000000000364E000-memory.dmp
                                              Filesize

                                              16.6MB

                                              Download
                                            • memory/4100-48-0x0000000010000000-0x00000000101B6000-memory.dmp
                                              Filesize

                                              1.7MB

                                              Download
                                            • memory/4100-46-0x0000000010000000-0x00000000101B6000-memory.dmp
                                              Filesize

                                              1.7MB

                                              Download
                                            • memory/4100-49-0x0000000010000000-0x00000000101B6000-memory.dmp
                                              Filesize

                                              1.7MB

                                              Download
                                            • memory/4100-63-0x0000000010000000-0x00000000101B6000-memory.dmp
                                              Filesize

                                              1.7MB

                                              Download
                                            • memory/4120-51-0x0000000010000000-0x00000000101B6000-memory.dmp
                                              Filesize

                                              1.7MB

                                              Download
                                            • memory/4120-40-0x0000000010000000-0x00000000101B6000-memory.dmp
                                              Filesize

                                              1.7MB

                                              Download
                                            • memory/4120-39-0x0000000010000000-0x00000000101B6000-memory.dmp
                                              Filesize

                                              1.7MB

                                              Download
                                            • memory/4120-35-0x0000000010000000-0x00000000101B6000-memory.dmp
                                              Filesize

                                              1.7MB

                                              Download
                                            • memory/4148-92-0x00000000020E0000-0x00000000020E2000-memory.dmp
                                              Filesize

                                              8KB

                                              Download
                                            • memory/4148-91-0x00000000020E0000-0x00000000020E2000-memory.dmp
                                              Filesize

                                              8KB

                                              Download
                                            • memory/4148-90-0x0000000002220000-0x0000000002221000-memory.dmp
                                              Filesize

                                              4KB

                                              Download
                                            • memory/4148-140-0x00000000020E0000-0x00000000020E2000-memory.dmp
                                              Filesize

                                              8KB

                                              Download
                                            • memory/5060-103-0x0000000000630000-0x0000000000632000-memory.dmp
                                              Filesize

                                              8KB

                                              Download
                                            • memory/5060-29-0x0000000000630000-0x0000000000632000-memory.dmp
                                              Filesize

                                              8KB

                                              Download
                                            • memory/5060-20-0x0000000000640000-0x0000000000641000-memory.dmp
                                              Filesize

                                              4KB

                                              Download