Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/06/2023, 07:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0f5eae90ad0fdd13a2fd418b298816166344f4446e0c5bd45b2ed784c8996e74.exe

  • Size

    4.2MB

  • MD5

    8d4803509899ed55b8aa37c0101ed508

  • SHA1

    2933a04b525c2a7ba110c97101841a350b021f72

  • SHA256

    0f5eae90ad0fdd13a2fd418b298816166344f4446e0c5bd45b2ed784c8996e74

  • SHA512

    2dd8a1b3d25d0e1bb8418108b772428a713d03bafce4a9067403694ad13f7428580aece750875d151bcb2f6e41d76b8694d39b2ada7ceb3c1934ec74ed2cc79a

  • SSDEEP

    98304:dDpOZQJuC/XgnbxpPY15ehxqRDcyHzCkKrqxPLEPecklCySdVS:dDouuEXgnbxu1wiRDvT8rqBsQCySdQ

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkitupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 16 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f5eae90ad0fdd13a2fd418b298816166344f4446e0c5bd45b2ed784c8996e74.exe
    "C:\Users\Admin\AppData\Local\Temp\0f5eae90ad0fdd13a2fd418b298816166344f4446e0c5bd45b2ed784c8996e74.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3224
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:540
    • C:\Users\Admin\AppData\Local\Temp\0f5eae90ad0fdd13a2fd418b298816166344f4446e0c5bd45b2ed784c8996e74.exe
      "C:\Users\Admin\AppData\Local\Temp\0f5eae90ad0fdd13a2fd418b298816166344f4446e0c5bd45b2ed784c8996e74.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:956
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3312
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:4680
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1576
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2196
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4496
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1200
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2784
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:1664
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:632
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1396
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4840
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:3344
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4428
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3712
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:4260
          • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
            4⤵
            • Executes dropped EXE
            PID:1312
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /delete /tn "csrss" /f
              5⤵
                PID:4684
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /delete /tn "ScheduledUpdate" /f
                5⤵
                  PID:3924
        • C:\Windows\windefender.exe
          C:\Windows\windefender.exe
          1⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          PID:2556

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0v0oivjs.v5p.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
                Filesize

                3.2MB

                MD5

                f801950a962ddba14caaa44bf084b55c

                SHA1

                7cadc9076121297428442785536ba0df2d4ae996

                SHA256

                c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

                SHA512

                4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
                Filesize

                3.2MB

                MD5

                f801950a962ddba14caaa44bf084b55c

                SHA1

                7cadc9076121297428442785536ba0df2d4ae996

                SHA256

                c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

                SHA512

                4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                Filesize

                99KB

                MD5

                09031a062610d77d685c9934318b4170

                SHA1

                880f744184e7774f3d14c1bb857e21cc7fe89a6d

                SHA256

                778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

                SHA512

                9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                Filesize

                281KB

                MD5

                d98e33b66343e7c96158444127a117f6

                SHA1

                bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                SHA256

                5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                SHA512

                705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                Filesize

                281KB

                MD5

                d98e33b66343e7c96158444127a117f6

                SHA1

                bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                SHA256

                5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                SHA512

                705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                Filesize

                2KB

                MD5

                3d086a433708053f9bf9523e1d87a4e8

                SHA1

                b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

                SHA256

                6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

                SHA512

                931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                949f210e95deebd2c0567a3c5c71a41c

                SHA1

                8c0c9072b35f949bd994d51ff618a836552e11cd

                SHA256

                1e607a208a28ce07fb505fa814f22c099577e1bd3225a1b36c256984a3d414ad

                SHA512

                35228d2cc3103dd4382e2cfb50a787a587a83f569924f1c996342ea5320c219c11b8ef6736696574376ad23fcc11c720be07f89a002e829b8aaa1770f21b4910

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                a4c5690307771acb67607b062b325573

                SHA1

                73477b89ca4106e6d299343c014a877ac284aa9d

                SHA256

                d690c4798712d15fbcc7d20d71466998e78ddbd262d5fbea1569c9b8ff98d867

                SHA512

                89a56615711f0828958d2f6705b0c8cf4be1643398f6786e8cb717729fd0bf7c569bf503b78b7de98b5948c1c73750bcbb3c970e61f970d90bd80ca835f39488

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                7f553639c6f7608ea5c3ea89e59b381e

                SHA1

                92a368bb8706f9598efd14706872d49db834169d

                SHA256

                7844384a4e32b3f7372915eaabddbc81c263c2d70af8ad90689829994fb814f5

                SHA512

                6c40b23f65d0a4b82e0644f82abb524954386b2e46a9620690689e16b7b7b423bebe114b82839c43d77963d57e8c75709d7f942a9c76ee0b63520aa3369dac00

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                660b3a28c457c886fe088b89a2064706

                SHA1

                e9da118c8a8edbba392d8c70215caef20121248a

                SHA256

                52db028fb1e08a0523c7ac024af277907708044bfc6508e2e62056320b686b33

                SHA512

                185450dbf9daa80cffb1280ab9ff341fa842d986a26848f84766a77ebb58cbf7f39a7211deeaf41e54ca2ee646db389acbf8793445ddb02ebdfca201ddd15939

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                43c06238db63ac15bbaaefd4ba1c358e

                SHA1

                11a4b6a727ac1dbc565a9fba568bef9210a19461

                SHA256

                a73f70b48292504404d2992ba3814cfda4c197ae67c91498cf3c1730edd081cd

                SHA512

                abb35ed5becae6f171e1729dce1f79576fa050ff3627206d9f55f6fe971b60611fa7bf4eca1df2f9433a85da915fa5e7b2a15111ead0391f657ad257be298954

                Download Submit

              • C:\Windows\rss\csrss.exe
                Filesize

                4.2MB

                MD5

                8d4803509899ed55b8aa37c0101ed508

                SHA1

                2933a04b525c2a7ba110c97101841a350b021f72

                SHA256

                0f5eae90ad0fdd13a2fd418b298816166344f4446e0c5bd45b2ed784c8996e74

                SHA512

                2dd8a1b3d25d0e1bb8418108b772428a713d03bafce4a9067403694ad13f7428580aece750875d151bcb2f6e41d76b8694d39b2ada7ceb3c1934ec74ed2cc79a

                Download Submit

              • C:\Windows\rss\csrss.exe
                Filesize

                4.2MB

                MD5

                8d4803509899ed55b8aa37c0101ed508

                SHA1

                2933a04b525c2a7ba110c97101841a350b021f72

                SHA256

                0f5eae90ad0fdd13a2fd418b298816166344f4446e0c5bd45b2ed784c8996e74

                SHA512

                2dd8a1b3d25d0e1bb8418108b772428a713d03bafce4a9067403694ad13f7428580aece750875d151bcb2f6e41d76b8694d39b2ada7ceb3c1934ec74ed2cc79a

                Download Submit

              • C:\Windows\windefender.exe
                Filesize

                2.0MB

                MD5

                8e67f58837092385dcf01e8a2b4f5783

                SHA1

                012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                SHA256

                166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                SHA512

                40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                Download Submit

              • C:\Windows\windefender.exe
                Filesize

                2.0MB

                MD5

                8e67f58837092385dcf01e8a2b4f5783

                SHA1

                012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                SHA256

                166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                SHA512

                40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                Download Submit

              • C:\Windows\windefender.exe
                Filesize

                2.0MB

                MD5

                8e67f58837092385dcf01e8a2b4f5783

                SHA1

                012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                SHA256

                166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                SHA512

                40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                Download Submit

              • memory/540-136-0x0000000005640000-0x0000000005C68000-memory.dmp

                Filesize

                6.2MB

                Download

              • memory/540-153-0x0000000007780000-0x00000000077F6000-memory.dmp

                Filesize

                472KB

                Download

              • memory/540-170-0x0000000007B00000-0x0000000007B0A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/540-172-0x0000000007BC0000-0x0000000007C56000-memory.dmp

                Filesize

                600KB

                Download

              • memory/540-135-0x0000000004EC0000-0x0000000004EF6000-memory.dmp

                Filesize

                216KB

                Download

              • memory/540-173-0x000000007FA10000-0x000000007FA20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/540-174-0x0000000007B70000-0x0000000007B7E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/540-175-0x0000000007C60000-0x0000000007C7A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/540-176-0x0000000007BB0000-0x0000000007BB8000-memory.dmp

                Filesize

                32KB

                Download

              • memory/540-141-0x0000000005D90000-0x0000000005DF6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/540-152-0x00000000069C0000-0x0000000006A04000-memory.dmp

                Filesize

                272KB

                Download

              • memory/540-140-0x0000000005C70000-0x0000000005CD6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/540-155-0x0000000007E80000-0x00000000084FA000-memory.dmp

                Filesize

                6.5MB

                Download

              • memory/540-139-0x00000000055A0000-0x00000000055C2000-memory.dmp

                Filesize

                136KB

                Download

              • memory/540-138-0x0000000005000000-0x0000000005010000-memory.dmp

                Filesize

                64KB

                Download

              • memory/540-151-0x0000000006460000-0x000000000647E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/540-169-0x00000000079B0000-0x00000000079CE000-memory.dmp

                Filesize

                120KB

                Download

              • memory/540-154-0x0000000005000000-0x0000000005010000-memory.dmp

                Filesize

                64KB

                Download

              • memory/540-156-0x0000000007820000-0x000000000783A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/540-137-0x0000000005000000-0x0000000005010000-memory.dmp

                Filesize

                64KB

                Download

              • memory/540-159-0x0000000070B10000-0x0000000070E64000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/540-158-0x0000000070990000-0x00000000709DC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/540-157-0x00000000079D0000-0x0000000007A02000-memory.dmp

                Filesize

                200KB

                Download

              • memory/632-318-0x000000007F6E0000-0x000000007F6F0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/632-317-0x0000000005190000-0x00000000051A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/632-306-0x0000000071060000-0x00000000713B4000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/632-305-0x00000000708B0000-0x00000000708FC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/632-304-0x0000000005190000-0x00000000051A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/632-303-0x0000000005190000-0x00000000051A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/956-203-0x000000007F140000-0x000000007F150000-memory.dmp

                Filesize

                64KB

                Download

              • memory/956-202-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/956-192-0x0000000070B30000-0x0000000070E84000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/956-191-0x0000000070990000-0x00000000709DC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/956-190-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/956-189-0x0000000002ED0000-0x0000000002EE0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/980-218-0x0000000000400000-0x000000000295A000-memory.dmp

                Filesize

                37.4MB

                Download

              • memory/980-289-0x0000000000400000-0x000000000295A000-memory.dmp

                Filesize

                37.4MB

                Download

              • memory/1200-278-0x0000000070990000-0x00000000709DC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/1200-279-0x0000000070B10000-0x0000000070E64000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/1200-291-0x000000007EEC0000-0x000000007EED0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1200-290-0x0000000004E80000-0x0000000004E90000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1200-276-0x0000000004E80000-0x0000000004E90000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1200-275-0x0000000004E80000-0x0000000004E90000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1312-406-0x0000000000400000-0x0000000000C25000-memory.dmp

                Filesize

                8.1MB

                Download

              • memory/1312-403-0x0000000000400000-0x0000000000C25000-memory.dmp

                Filesize

                8.1MB

                Download

              • memory/1312-398-0x0000000000400000-0x0000000000C25000-memory.dmp

                Filesize

                8.1MB

                Download

              • memory/1396-332-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1396-331-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1396-333-0x000000007F650000-0x000000007F660000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1396-334-0x00000000708B0000-0x00000000708FC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/1396-335-0x0000000070A30000-0x0000000070D84000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/1576-219-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1576-220-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1576-221-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1576-222-0x0000000070990000-0x00000000709DC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/1576-233-0x000000007F3D0000-0x000000007F3E0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1576-223-0x0000000071110000-0x0000000071464000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/2196-247-0x0000000070990000-0x00000000709DC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/2196-259-0x000000007F310000-0x000000007F320000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2196-246-0x0000000002990000-0x00000000029A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2196-258-0x0000000002990000-0x00000000029A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2196-248-0x0000000071110000-0x0000000071464000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/2556-374-0x0000000000400000-0x00000000008DF000-memory.dmp

                Filesize

                4.9MB

                Download

              • memory/2556-399-0x0000000000400000-0x00000000008DF000-memory.dmp

                Filesize

                4.9MB

                Download

              • memory/2556-362-0x0000000000400000-0x00000000008DF000-memory.dmp

                Filesize

                4.9MB

                Download

              • memory/3224-204-0x0000000000400000-0x000000000295A000-memory.dmp

                Filesize

                37.4MB

                Download

              • memory/3224-134-0x0000000004CC0000-0x00000000055AB000-memory.dmp

                Filesize

                8.9MB

                Download

              • memory/3224-171-0x0000000000400000-0x000000000295A000-memory.dmp

                Filesize

                37.4MB

                Download

              • memory/4428-361-0x0000000000400000-0x00000000008DF000-memory.dmp

                Filesize

                4.9MB

                Download

              • memory/4428-359-0x0000000000400000-0x00000000008DF000-memory.dmp

                Filesize

                4.9MB

                Download

              • memory/4496-380-0x0000000000400000-0x000000000295A000-memory.dmp

                Filesize

                37.4MB

                Download

              • memory/4496-388-0x0000000000400000-0x000000000295A000-memory.dmp

                Filesize

                37.4MB

                Download

              • memory/4496-364-0x0000000000400000-0x000000000295A000-memory.dmp

                Filesize

                37.4MB

                Download

              • memory/4496-353-0x0000000000400000-0x000000000295A000-memory.dmp

                Filesize

                37.4MB

                Download

              • memory/4496-396-0x0000000000400000-0x000000000295A000-memory.dmp

                Filesize

                37.4MB

                Download

              • memory/4496-384-0x0000000000400000-0x000000000295A000-memory.dmp

                Filesize

                37.4MB

                Download

              • memory/4496-372-0x0000000000400000-0x000000000295A000-memory.dmp

                Filesize

                37.4MB

                Download

              • memory/4496-401-0x0000000000400000-0x000000000295A000-memory.dmp

                Filesize

                37.4MB

                Download

              • memory/4496-330-0x0000000000400000-0x000000000295A000-memory.dmp

                Filesize

                37.4MB

                Download

              • memory/4496-376-0x0000000000400000-0x000000000295A000-memory.dmp

                Filesize

                37.4MB

                Download

              • memory/4496-368-0x0000000000400000-0x000000000295A000-memory.dmp

                Filesize

                37.4MB

                Download