Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2023 23:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34e5cf1ad6d276b008e407ac0d3ecdb0dfc77fe4c7581bfcc803b119bf01f7da.exe

  • Size

    4.2MB

  • MD5

    504d6820d56fb275ba53f9d0b20fc40b

  • SHA1

    7a4d28d88b2c228e50f516720da9d9a47a2b2f99

  • SHA256

    34e5cf1ad6d276b008e407ac0d3ecdb0dfc77fe4c7581bfcc803b119bf01f7da

  • SHA512

    c8d3fb8588595f73e5c534b1cb76b138d2789b50369c2a6b0fe9b18c71414310e218c1efa24d1b7f1b5d9590f3586053549d6158e3c7b58f7bfc36d43f38f9f5

  • SSDEEP

    98304:KxQ7TT3z4SRBE5r5hJaPEdEtrFit4KKDM5ulG:KSTjdRir5vasEt2VKDM5ulG

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkitupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 16 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\34e5cf1ad6d276b008e407ac0d3ecdb0dfc77fe4c7581bfcc803b119bf01f7da.exe
    "C:\Users\Admin\AppData\Local\Temp\34e5cf1ad6d276b008e407ac0d3ecdb0dfc77fe4c7581bfcc803b119bf01f7da.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2244
    • C:\Users\Admin\AppData\Local\Temp\34e5cf1ad6d276b008e407ac0d3ecdb0dfc77fe4c7581bfcc803b119bf01f7da.exe
      "C:\Users\Admin\AppData\Local\Temp\34e5cf1ad6d276b008e407ac0d3ecdb0dfc77fe4c7581bfcc803b119bf01f7da.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4004
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3756
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1952
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2068
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4372
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2500
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:1384
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:2688
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1140
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2208
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1664
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:3888
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1160
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:864
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:2516
          • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
            4⤵
            • Executes dropped EXE
            PID:3392
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /delete /tn "csrss" /f
              5⤵
                PID:624
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /delete /tn "ScheduledUpdate" /f
                5⤵
                  PID:1140
        • C:\Windows\windefender.exe
          C:\Windows\windefender.exe
          1⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          PID:4836

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1jfloz0.div.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
          Filesize

          3.2MB

          MD5

          f801950a962ddba14caaa44bf084b55c

          SHA1

          7cadc9076121297428442785536ba0df2d4ae996

          SHA256

          c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

          SHA512

          4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
          Filesize

          3.2MB

          MD5

          f801950a962ddba14caaa44bf084b55c

          SHA1

          7cadc9076121297428442785536ba0df2d4ae996

          SHA256

          c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

          SHA512

          4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Filesize

          281KB

          MD5

          d98e33b66343e7c96158444127a117f6

          SHA1

          bb716c5509a2bf345c6c1152f6e3e1452d39d50d

          SHA256

          5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

          SHA512

          705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Filesize

          281KB

          MD5

          d98e33b66343e7c96158444127a117f6

          SHA1

          bb716c5509a2bf345c6c1152f6e3e1452d39d50d

          SHA256

          5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

          SHA512

          705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          7ddc2dc58ae775237208fc1abbc1d47a

          SHA1

          8b55141f780841d2d373f7370c85c35db81be62d

          SHA256

          741d3c050f3ac7bee01f0b36be800ff6760efce72e7b8af73151bb77afa9fad8

          SHA512

          a227c5f570e86a43fb17f524684f979376cf0ae7430ed5e9940f8434d3402cc7f5520f4ae04133dcccc9a9e188136376623499e085531021d54830f13bf48674

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          b1510f0048a707b59be9a6485a57770b

          SHA1

          b5c0afd8170938703841ed0588e4af50ec628a81

          SHA256

          562028b7ffea8b8bebb8ab0f047fda03baa9c3305e9b40b47aef4fe1d4e353ea

          SHA512

          22cc35d89945dd35c8ced2f52f7e9d04ae11174aa7cf19905a71da5b11f290e30cc544a8891b52f5ab9e94b02d75d7536f4f4960c0b5231b777237bac2bd0b4e

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          3d1d601a3edef5b01afb9a36bfeb0f26

          SHA1

          642564d548c3b48b49481179fe9194a31af59d30

          SHA256

          a1de20f10be18ce4ce604f6df4168bcbdc14b1648f27ffc9be0646c9ceba93f3

          SHA512

          146181b8cde94cb8478efd82992b3bd7db579a0f797d3739f57a671a17c31852a064fba72cb116b16caf496231a7e288f2386fc5f39651582e139b7713e75a54

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          5d67917942b2a15266721ea39ac2e2da

          SHA1

          f9be495ceda034947cc13e02a98c82e80188e186

          SHA256

          fdc4185357763daf6d9cd6dc79279d56f68b7cd3fe3e0a6c3b1246cf02f9baef

          SHA512

          41617ca8033302917802126c565bdb2020590455d110b1d4f9029abfe5fe2dded616099a66c67e2e27a2da70d164f38733d9aa062bfe0c40f5a93150a9d65783

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          917c729b7c83971a0e65320d5ec538e7

          SHA1

          2eae133714eb2e09e1d8c1f55829a0c5443be9e4

          SHA256

          119361e35899e693e601f587a7fce1de72012c1cb180d492b1e6337e02e87b33

          SHA512

          8bdf04e826194d9b372df8eb3b6c2f049dcb1d8fbc11674f115fa7e33e352996e647a83dda7305ac84c57115a8d4809ae18bdb36179157f476a8a5f4eeb144df

          Download Submit

        • C:\Windows\rss\csrss.exe
          Filesize

          4.2MB

          MD5

          504d6820d56fb275ba53f9d0b20fc40b

          SHA1

          7a4d28d88b2c228e50f516720da9d9a47a2b2f99

          SHA256

          34e5cf1ad6d276b008e407ac0d3ecdb0dfc77fe4c7581bfcc803b119bf01f7da

          SHA512

          c8d3fb8588595f73e5c534b1cb76b138d2789b50369c2a6b0fe9b18c71414310e218c1efa24d1b7f1b5d9590f3586053549d6158e3c7b58f7bfc36d43f38f9f5

          Download Submit

        • C:\Windows\rss\csrss.exe
          Filesize

          4.2MB

          MD5

          504d6820d56fb275ba53f9d0b20fc40b

          SHA1

          7a4d28d88b2c228e50f516720da9d9a47a2b2f99

          SHA256

          34e5cf1ad6d276b008e407ac0d3ecdb0dfc77fe4c7581bfcc803b119bf01f7da

          SHA512

          c8d3fb8588595f73e5c534b1cb76b138d2789b50369c2a6b0fe9b18c71414310e218c1efa24d1b7f1b5d9590f3586053549d6158e3c7b58f7bfc36d43f38f9f5

          Download Submit

        • C:\Windows\windefender.exe
          Filesize

          2.0MB

          MD5

          8e67f58837092385dcf01e8a2b4f5783

          SHA1

          012c49cfd8c5d06795a6f67ea2baf2a082cf8625

          SHA256

          166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

          SHA512

          40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

          Download Submit

        • C:\Windows\windefender.exe
          Filesize

          2.0MB

          MD5

          8e67f58837092385dcf01e8a2b4f5783

          SHA1

          012c49cfd8c5d06795a6f67ea2baf2a082cf8625

          SHA256

          166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

          SHA512

          40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

          Download Submit

        • C:\Windows\windefender.exe
          Filesize

          2.0MB

          MD5

          8e67f58837092385dcf01e8a2b4f5783

          SHA1

          012c49cfd8c5d06795a6f67ea2baf2a082cf8625

          SHA256

          166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

          SHA512

          40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

          Download Submit

        • memory/1140-304-0x00000000029A0000-0x00000000029B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1140-303-0x00000000029A0000-0x00000000029B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1140-317-0x000000007F3D0000-0x000000007F3E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1140-316-0x00000000029A0000-0x00000000029B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1140-306-0x00000000709E0000-0x0000000070D34000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1140-305-0x0000000070250000-0x000000007029C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1160-362-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/1160-361-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/1832-206-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1832-134-0x0000000002ED0000-0x00000000037BB000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/1832-172-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2068-233-0x000000007FA90000-0x000000007FAA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2068-232-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2068-218-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2068-219-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2068-220-0x0000000070330000-0x000000007037C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2068-221-0x0000000070A70000-0x0000000070DC4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2208-334-0x0000000070250000-0x000000007029C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2208-335-0x00000000709E0000-0x0000000070D34000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2208-345-0x000000007F040000-0x000000007F050000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2208-332-0x0000000004BF0000-0x0000000004C00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2208-333-0x0000000004BF0000-0x0000000004C00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2208-331-0x0000000004BF0000-0x0000000004C00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2244-175-0x0000000007F60000-0x0000000007F7A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2244-171-0x0000000007EC0000-0x0000000007F56000-memory.dmp

          Filesize

          600KB

          Download

        • memory/2244-135-0x0000000003170000-0x00000000031A6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2244-136-0x0000000005A90000-0x00000000060B8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2244-137-0x0000000005450000-0x0000000005460000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2244-138-0x0000000005450000-0x0000000005460000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2244-139-0x0000000005810000-0x0000000005832000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2244-140-0x00000000059B0000-0x0000000005A16000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2244-141-0x0000000006170000-0x00000000061D6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2244-151-0x00000000067D0000-0x00000000067EE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2244-152-0x0000000006CB0000-0x0000000006CF4000-memory.dmp

          Filesize

          272KB

          Download

        • memory/2244-153-0x0000000007A80000-0x0000000007AF6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2244-154-0x0000000005450000-0x0000000005460000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2244-155-0x0000000008180000-0x00000000087FA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2244-156-0x0000000007B20000-0x0000000007B3A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2244-157-0x0000000007CD0000-0x0000000007D02000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2244-158-0x0000000070330000-0x000000007037C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2244-159-0x00000000708E0000-0x0000000070C34000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2244-169-0x0000000007CB0000-0x0000000007CCE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2244-170-0x0000000007E00000-0x0000000007E0A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2244-176-0x0000000007EA0000-0x0000000007EA8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2244-174-0x0000000007E60000-0x0000000007E6E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2244-173-0x000000007EEC0000-0x000000007EED0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2500-279-0x0000000070330000-0x000000007037C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2500-280-0x00000000704B0000-0x0000000070804000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2500-291-0x000000007F040000-0x000000007F050000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2500-267-0x0000000002650000-0x0000000002660000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2500-278-0x0000000002650000-0x0000000002660000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2792-376-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2792-365-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2792-330-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2792-397-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2792-392-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2792-389-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2792-385-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2792-381-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2792-353-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2792-373-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2792-368-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/3392-405-0x0000000000400000-0x0000000000C25000-memory.dmp

          Filesize

          8.1MB

          Download

        • memory/3756-180-0x0000000005290000-0x00000000052A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3756-203-0x000000007F700000-0x000000007F710000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3756-193-0x0000000070AB0000-0x0000000070E04000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3756-181-0x0000000005290000-0x00000000052A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3756-191-0x0000000005290000-0x00000000052A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3756-192-0x0000000070330000-0x000000007037C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4004-231-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4004-290-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4372-249-0x0000000070AB0000-0x0000000070E04000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4372-259-0x000000007F250000-0x000000007F260000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4372-248-0x0000000070330000-0x000000007037C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4372-247-0x00000000049C0000-0x00000000049D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4372-246-0x00000000049C0000-0x00000000049D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4372-245-0x00000000049C0000-0x00000000049D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4836-375-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/4836-367-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/4836-363-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/4836-406-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download