Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    185s
  • max time network
    200s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13-10-2023 13:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04c80c17d31a4191dd620dd2e2a5c94a04404e8f7a137b545c13d2876d7f85db.exe

  • Size

    4.1MB

  • MD5

    2b8086a5ca13fd4cc5457d53d657af60

  • SHA1

    b19d9220b49944e583124283b54dddb5c381bc2c

  • SHA256

    04c80c17d31a4191dd620dd2e2a5c94a04404e8f7a137b545c13d2876d7f85db

  • SHA512

    df2ca4e0d433ba98432f710562065be4eb23929d5f92fd88bffed85bc12b536dac181ed522f074a405ec70bb51a93449e08c969f97bbc4e73130505069b6a8f0

  • SSDEEP

    98304:Hlhp/+MAY8LSBetbsJnYPJay0ram2uVyHV/vsKO4IVa8TY/jpHwrm:HlT/+M2+BeVsJYPms9vsd3Va8M/jpn

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojan

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 20 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\04c80c17d31a4191dd620dd2e2a5c94a04404e8f7a137b545c13d2876d7f85db.exe
    "C:\Users\Admin\AppData\Local\Temp\04c80c17d31a4191dd620dd2e2a5c94a04404e8f7a137b545c13d2876d7f85db.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1056
    • C:\Users\Admin\AppData\Local\Temp\04c80c17d31a4191dd620dd2e2a5c94a04404e8f7a137b545c13d2876d7f85db.exe
      "C:\Users\Admin\AppData\Local\Temp\04c80c17d31a4191dd620dd2e2a5c94a04404e8f7a137b545c13d2876d7f85db.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4336
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4204
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4720
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:2000
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5092
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4944
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4824
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2900
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4420
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:4612
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4832
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1340
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4168
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:368

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l2qsasqa.rtx.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      db01a2c1c7e70b2b038edf8ad5ad9826

      SHA1

      540217c647a73bad8d8a79e3a0f3998b5abd199b

      SHA256

      413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

      SHA512

      c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      df29029619dabd502f8d88b9e20a1cc0

      SHA1

      65e7cd768c172f799265773755824673c93af0af

      SHA256

      58b71862d00eddff336db01840e58ec816a4ed80e4954040270a474b6626adaf

      SHA512

      c23bac4319e7cbd82b8913271ff3d501be580048eddc6e6952e002cdbad934d3a9260a6ab3c17d1c45cee7d1c1ebc184a74a34bb5f4b714cbdec758d22af996e

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      f149869724c73f7ba9397ec79758a045

      SHA1

      b95bc7c58f7d9357a9f323c6c280105beb658c2c

      SHA256

      540088f68204cc0b10facebef9fc0d2790551e5cadef3de21371708bb7467606

      SHA512

      3741030787e300c337dd52cd61eaad3bb9482e469c6161f6b753bc3e8ff92fcf4d204d9988c8911cb5405cf3115f68f0f20ef84246779334a648e197c25d7aab

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      b809a8fd036e9bf8dc854dbf6469b9d4

      SHA1

      42945380b7c9169de57a59d3a1f786be7c604a4a

      SHA256

      b28289af9621804a76849df44d58453812116c064035fb0a8617a95539e33b25

      SHA512

      4eb24e2a6cf31f411b9e3f8e4536bd1a76a70ce8bbe3ff32dfc699e2b35d75d6ae3ce37419e88336e75715c1b44698086ba351cf527a6c8b6e6516dbd63384c7

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      b6d34ff4998adf9756c2d194f8a7462d

      SHA1

      06cb5ad7dc4d45b41ea700e4cbf63bed634b52e3

      SHA256

      12450b1ccf2d661f467e236dbf6e1e46c0170365a7a0d2c77c286d3bd8f3526a

      SHA512

      a9983ccaca77bd3abd6622c9354b6c211df23496cbfaa6e6dee29eaca31976de016f8a46a49edc7dd36d5b36177fa00fc8967d9394932399838a367942345bd5

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      0a641bbb4e4af38d032441127867529e

      SHA1

      96c818915f2bbe4a2b023fdc613a6a0d4c6d96d8

      SHA256

      e50333ecc0b55b23938ec78c9a9806f1d67e23871a2e5da069c96b5e731baf74

      SHA512

      345610231ef3c0c98f0fd0a6ba72be888a5a56e50cff6a6e0431c625e0ed8007b02e82b277dd4940b3e69512f711c238faf0da109cf15c9627612d20b4cf7431

      Download Submit
    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      2b8086a5ca13fd4cc5457d53d657af60

      SHA1

      b19d9220b49944e583124283b54dddb5c381bc2c

      SHA256

      04c80c17d31a4191dd620dd2e2a5c94a04404e8f7a137b545c13d2876d7f85db

      SHA512

      df2ca4e0d433ba98432f710562065be4eb23929d5f92fd88bffed85bc12b536dac181ed522f074a405ec70bb51a93449e08c969f97bbc4e73130505069b6a8f0

      Download Submit
    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      2b8086a5ca13fd4cc5457d53d657af60

      SHA1

      b19d9220b49944e583124283b54dddb5c381bc2c

      SHA256

      04c80c17d31a4191dd620dd2e2a5c94a04404e8f7a137b545c13d2876d7f85db

      SHA512

      df2ca4e0d433ba98432f710562065be4eb23929d5f92fd88bffed85bc12b536dac181ed522f074a405ec70bb51a93449e08c969f97bbc4e73130505069b6a8f0

      Download Submit
    • memory/1056-310-0x0000000073CC0000-0x00000000743AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1056-90-0x0000000004A60000-0x0000000004A70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1056-16-0x00000000082B0000-0x00000000082CC000-memory.dmp
      Filesize

      112KB

      Download
    • memory/1056-17-0x0000000008600000-0x000000000864B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/1056-7-0x0000000004AB0000-0x0000000004AE6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1056-14-0x0000000007DD0000-0x0000000007E36000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1056-37-0x0000000008870000-0x00000000088AC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1056-9-0x00000000076A0000-0x0000000007CC8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1056-69-0x0000000009370000-0x00000000093E6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/1056-70-0x0000000073CC0000-0x00000000743AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1056-78-0x000000000A260000-0x000000000A293000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1056-79-0x00000000709D0000-0x0000000070A1B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/1056-80-0x0000000070A20000-0x0000000070D70000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1056-10-0x0000000004A60000-0x0000000004A70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1056-81-0x000000000A240000-0x000000000A25E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1056-82-0x0000000004A60000-0x0000000004A70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1056-84-0x000000007F3F0000-0x000000007F400000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1056-88-0x000000000A2A0000-0x000000000A345000-memory.dmp
      Filesize

      660KB

      Download
    • memory/1056-89-0x0000000004A60000-0x0000000004A70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1056-15-0x0000000007F00000-0x0000000008250000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1056-91-0x000000000A420000-0x000000000A4B4000-memory.dmp
      Filesize

      592KB

      Download
    • memory/1056-215-0x000000007F3F0000-0x000000007F400000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1056-286-0x000000000A3A0000-0x000000000A3BA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1056-291-0x000000000A390000-0x000000000A398000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1056-308-0x0000000004A60000-0x0000000004A70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1056-13-0x00000000075D0000-0x0000000007636000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1056-8-0x0000000073CC0000-0x00000000743AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1056-12-0x0000000007530000-0x0000000007552000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1056-11-0x0000000004A60000-0x0000000004A70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2624-311-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/2624-77-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/2624-57-0x00000000050F0000-0x00000000059DB000-memory.dmp
      Filesize

      8.9MB

      Download
    • memory/2624-18-0x0000000004CE0000-0x00000000050E5000-memory.dmp
      Filesize

      4.0MB

      Download
    • memory/2624-1-0x0000000004CE0000-0x00000000050E5000-memory.dmp
      Filesize

      4.0MB

      Download
    • memory/2624-4-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/2624-3-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/2624-2-0x00000000050F0000-0x00000000059DB000-memory.dmp
      Filesize

      8.9MB

      Download
    • memory/4204-321-0x00000000074F0000-0x0000000007840000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4204-341-0x0000000070AF0000-0x0000000070B3B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4204-349-0x0000000009050000-0x00000000090F5000-memory.dmp
      Filesize

      660KB

      Download
    • memory/4204-320-0x0000000004630000-0x0000000004640000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4204-487-0x0000000073DC0000-0x00000000744AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4204-542-0x0000000004630000-0x0000000004640000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4204-558-0x0000000004630000-0x0000000004640000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4204-568-0x0000000073DC0000-0x00000000744AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4204-343-0x0000000070B40000-0x0000000070E90000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4204-319-0x0000000004630000-0x0000000004640000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4204-322-0x0000000007FA0000-0x0000000007FEB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4204-318-0x0000000073DC0000-0x00000000744AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4204-344-0x000000007F570000-0x000000007F580000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4336-812-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/4336-315-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/4336-355-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/4336-313-0x0000000004B10000-0x0000000004F10000-memory.dmp
      Filesize

      4.0MB

      Download
    • memory/4336-1061-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/4336-314-0x0000000005010000-0x00000000058FB000-memory.dmp
      Filesize

      8.9MB

      Download
    • memory/4336-342-0x0000000004B10000-0x0000000004F10000-memory.dmp
      Filesize

      4.0MB

      Download
    • memory/4336-1058-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/4824-1570-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/4824-1817-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/4824-1818-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/4824-1815-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/4824-1816-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/4824-1819-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/4824-1811-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/4824-1314-0x0000000000400000-0x0000000002FB8000-memory.dmp
      Filesize

      43.7MB

      Download
    • memory/4944-838-0x0000000070B40000-0x0000000070E90000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4944-1056-0x0000000073DC0000-0x00000000744AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4944-843-0x0000000006920000-0x0000000006930000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4944-837-0x0000000070AF0000-0x0000000070B3B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4944-817-0x0000000006920000-0x0000000006930000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4944-816-0x0000000006920000-0x0000000006930000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4944-815-0x0000000073DC0000-0x00000000744AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/5092-811-0x0000000073DC0000-0x00000000744AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/5092-598-0x0000000004E20000-0x0000000004E30000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5092-593-0x0000000070B40000-0x0000000070E90000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/5092-592-0x0000000070AF0000-0x0000000070B3B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/5092-572-0x0000000073DC0000-0x00000000744AE000-memory.dmp
      Filesize

      6.9MB

      Download