Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    16/05/2023, 09:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fffdbba06a49691274b26eb372f7967982a28bb3a4c74768f16aa511bc4dd1e9.exe

  • Size

    4.2MB

  • MD5

    1b30d4919c98b4d049f9740601220905

  • SHA1

    eecc22b5a1fd9d20e29c32ca3ff25794c19ac112

  • SHA256

    fffdbba06a49691274b26eb372f7967982a28bb3a4c74768f16aa511bc4dd1e9

  • SHA512

    0acbc4b40739020b0a2b6077a9a2f83ea816256ef3a0988a0fde258039ab0d048563822de0ddffa80852ad2e619788f64ef427443213a393b5f4bf430c1babac

  • SSDEEP

    98304:k7/r5u7Re4y4OOwwt2wLMnO19y0p17IW77+8k2x5TY:k7/r5gtyHOzckkOBI+75E

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojanupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 17 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\fffdbba06a49691274b26eb372f7967982a28bb3a4c74768f16aa511bc4dd1e9.exe
    "C:\Users\Admin\AppData\Local\Temp\fffdbba06a49691274b26eb372f7967982a28bb3a4c74768f16aa511bc4dd1e9.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2456
    • C:\Users\Admin\AppData\Local\Temp\fffdbba06a49691274b26eb372f7967982a28bb3a4c74768f16aa511bc4dd1e9.exe
      "C:\Users\Admin\AppData\Local\Temp\fffdbba06a49691274b26eb372f7967982a28bb3a4c74768f16aa511bc4dd1e9.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:168
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1548
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5008
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:5028
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4076
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3020
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1556
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1916
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:1360
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:224
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4956
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3896
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3040
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4532
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4824
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:5060
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:2716
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:3332

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zn0t5bi4.4z4.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      db01a2c1c7e70b2b038edf8ad5ad9826

      SHA1

      540217c647a73bad8d8a79e3a0f3998b5abd199b

      SHA256

      413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

      SHA512

      c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      eeba7a14c604c8ee40dcb6a68bf6ba25

      SHA1

      304ce4274c992f2a07514d899a25e3b2320c6714

      SHA256

      e43e7f6e935616fe5197593e0c220c889399e2a60ce0a24cd0f3a90a64940a90

      SHA512

      f738924b5d961f5e00527d38d88dc9d251f32934dfaa85ff987341cff3c6d5bed05464d8b88e9010a10a928ccb54b244d16e49625f352f709905d8bf94f7691a

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      952387f839d7a4f417bf0fc413b3bceb

      SHA1

      c9b3215ca5467cf4bab319720897acf670ede90e

      SHA256

      fa81f7dff6f099cd7092dd3ec32c48cc0a40f4b2d330a40dfbbef34afcc6c8c2

      SHA512

      c98622e4028aaa9f6dfa113fae289df787ff823d7645163b4818e634f24228bf4c1f2507123c504c75bd2caf0676d03577b90b394ffd023191c06f322684ddf6

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      ab8306b558ca9fdf0f135ca5302df5cc

      SHA1

      818483e9a169178002d0a4a1b6ce3a04f1a1ccb5

      SHA256

      6b5b70f0ae91f730bd76f8873dd115bb85e8ae896fade51aa96aa6172538c57c

      SHA512

      ae7ad70932f039c1757b843656bf1019ef93d7c316ecbe25542a6c2ec0ffbaa6ebbd4583f1eb4602b9d006f74486c3c2cb47ed5f8dc912e1def246adfcf37fb9

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      4460bc2328e25c6e92dafc19f2b88924

      SHA1

      4c543b4cd39c309f306943df44895931cc80b798

      SHA256

      c38f03ddf640bbfbb9ca9ef9ccff55f324cdda9744ae92ad517c571c76c3b423

      SHA512

      fcc4b61c3d5a412a517c9ce40496d00b909fc5b6e2855b4f19feeb9ae812127f5cdee607e38e476d44badf5f09fd3b6a6b19a17f871ad43b459255411d9a04c4

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      2317dab1dc7c8051102e5eda627f8427

      SHA1

      97acf13336a358630f87e6fbad08a9d9fa9b7f46

      SHA256

      f834287fa659fbb0aa2702853908d2fb727e6722641c36466abeb9b7c9aab2d5

      SHA512

      8b31af524c6815afd75ad806a58a6d078b7a8946dab4abaefd9104ea08ee89b908ce9061d556b65a87ab0ed2bcfded890cf2fcfd8c88d35c9a2728c1dc23d4ac

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      1b30d4919c98b4d049f9740601220905

      SHA1

      eecc22b5a1fd9d20e29c32ca3ff25794c19ac112

      SHA256

      fffdbba06a49691274b26eb372f7967982a28bb3a4c74768f16aa511bc4dd1e9

      SHA512

      0acbc4b40739020b0a2b6077a9a2f83ea816256ef3a0988a0fde258039ab0d048563822de0ddffa80852ad2e619788f64ef427443213a393b5f4bf430c1babac

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      1b30d4919c98b4d049f9740601220905

      SHA1

      eecc22b5a1fd9d20e29c32ca3ff25794c19ac112

      SHA256

      fffdbba06a49691274b26eb372f7967982a28bb3a4c74768f16aa511bc4dd1e9

      SHA512

      0acbc4b40739020b0a2b6077a9a2f83ea816256ef3a0988a0fde258039ab0d048563822de0ddffa80852ad2e619788f64ef427443213a393b5f4bf430c1babac

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/168-1151-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/168-909-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/168-650-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1548-424-0x0000000003630000-0x0000000003640000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1548-517-0x0000000003630000-0x0000000003640000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1548-448-0x000000007F0E0000-0x000000007F0F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1548-447-0x0000000009C30000-0x0000000009CD5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/1548-423-0x0000000003630000-0x0000000003640000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1548-422-0x0000000008730000-0x000000000877B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1548-421-0x0000000008260000-0x00000000085B0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1556-1909-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1556-1905-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1556-1903-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1556-1740-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1556-1899-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1556-1901-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1556-1911-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1556-1907-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1556-1407-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1556-1890-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1916-1156-0x0000000007580000-0x00000000078D0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1916-1158-0x0000000007AF0000-0x0000000007B3B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1916-1187-0x0000000006730000-0x0000000006740000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-1186-0x000000007EDD0000-0x000000007EDE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-1183-0x0000000008F10000-0x0000000008FB5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/1916-1160-0x0000000006730000-0x0000000006740000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1916-1159-0x0000000006730000-0x0000000006740000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2456-132-0x0000000007B40000-0x0000000007B5C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2456-131-0x0000000007750000-0x0000000007AA0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2456-125-0x00000000066C0000-0x00000000066F6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2456-199-0x0000000009D20000-0x0000000009DB4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/2456-198-0x0000000009B20000-0x0000000009BC5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/2456-193-0x0000000009AC0000-0x0000000009ADE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2456-191-0x0000000009AE0000-0x0000000009B13000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2456-192-0x000000007DFB0000-0x000000007DFC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2456-126-0x00000000067B0000-0x00000000067C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2456-127-0x0000000006DF0000-0x0000000007418000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2456-266-0x00000000067B0000-0x00000000067C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2456-393-0x0000000007F70000-0x0000000007F8A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2456-398-0x00000000069F0000-0x00000000069F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2456-128-0x0000000006DB0000-0x0000000006DD2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2456-184-0x0000000008CD0000-0x0000000008D46000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2456-152-0x0000000007FE0000-0x000000000801C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2456-129-0x0000000007490000-0x00000000074F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2456-133-0x00000000080C0000-0x000000000810B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2456-130-0x00000000076E0000-0x0000000007746000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3020-930-0x000000007E9E0000-0x000000007E9F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3020-910-0x0000000006D40000-0x0000000006D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3020-911-0x0000000006D40000-0x0000000006D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3020-1003-0x0000000006D40000-0x0000000006D50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3332-1906-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3332-1898-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3332-1910-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3896-1647-0x00000000046A0000-0x00000000046B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3896-1673-0x00000000046A0000-0x00000000046B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3896-1646-0x00000000046A0000-0x00000000046B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3896-1672-0x000000007E990000-0x000000007E9A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4076-670-0x00000000071D0000-0x00000000071E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4076-671-0x00000000071D0000-0x00000000071E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4076-688-0x000000007E450000-0x000000007E460000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4076-742-0x00000000071D0000-0x00000000071E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4824-1897-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4824-1895-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4956-1430-0x00000000071C0000-0x00000000071D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4956-1401-0x00000000071C0000-0x00000000071D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4956-1402-0x0000000008040000-0x0000000008390000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4956-1400-0x00000000071C0000-0x00000000071D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4956-1404-0x00000000086E0000-0x000000000872B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4956-1428-0x0000000009C30000-0x0000000009CD5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/4956-1429-0x000000007EDA0000-0x000000007EDB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4956-122-0x0000000002F60000-0x000000000384B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4956-417-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4956-416-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4956-153-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download