Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    16-07-2023 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9603b5ab4925e5f2fcdf3f8c77253350467e2228af081b15636c41b57fb8526.exe

  • Size

    4.2MB

  • MD5

    9465c4df499aff2d1414f41061942f8c

  • SHA1

    06736f267f03b8d3df7623e3656cc3395927b1b8

  • SHA256

    c9603b5ab4925e5f2fcdf3f8c77253350467e2228af081b15636c41b57fb8526

  • SHA512

    dddff557c9528669a395001872bc4722e739534327a4c439f433026381e7235df873c7c5359c9ec6a783ae15946cb6b265ff69bc73cdd0d88ad3be6687557697

  • SSDEEP

    98304:keTcHN5n+a4fgld7uBNnLU7Kn4s9s/xnQPiZ/Ms7R:4HH2fgzqBVLU7KnRgdIiZd

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojanupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 23 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9603b5ab4925e5f2fcdf3f8c77253350467e2228af081b15636c41b57fb8526.exe
    "C:\Users\Admin\AppData\Local\Temp\c9603b5ab4925e5f2fcdf3f8c77253350467e2228af081b15636c41b57fb8526.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4620
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3512
    • C:\Users\Admin\AppData\Local\Temp\c9603b5ab4925e5f2fcdf3f8c77253350467e2228af081b15636c41b57fb8526.exe
      "C:\Users\Admin\AppData\Local\Temp\c9603b5ab4925e5f2fcdf3f8c77253350467e2228af081b15636c41b57fb8526.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2760
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3024
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:4348
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5016
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4844
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4660
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5076
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2756
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3456
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4016
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1968
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2140
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:3268
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3032
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4136
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:856
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:4988

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ygsflbry.i5s.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      a063ecc9fffa09b1aa9472d804853818

      SHA1

      f056469cdce5870df62ce0da765680798a970b86

      SHA256

      e9eb8b45f3379d42ea1d35ed9077837c8af374900e43b27cc3b45c3f0a7cfd6a

      SHA512

      703a34a436af69561fe9923b676552a961cad483e298c29dad68644c6f71c58d59b0837d2058b41139b2ed54f22eb0ea1d71e4db3596d7a2cd897aaa9c794964

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      b01f70abe68c108b9471cb2a1e351686

      SHA1

      9620868a1d6818e976ba07e7beaee5cdb753cf7f

      SHA256

      3fef0531f02eeb0c9634f61e45929a858eb21ebf1a2810c6d2ebeb7c3985dff1

      SHA512

      c45e45c57c7b46604009418a0efe86d8cb661b16903c6e09cd9e7d12356bc7a1de438117cb8194cd929f3038e420fc84c63cc3a05ca9c0ba26a0741d68d35a07

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      5d800dcdea04da17639be11a9b6e3708

      SHA1

      d730eb5b0d6b90b64444fde51ab1041e9056112a

      SHA256

      178436537fd0e579931f3d05d28498969a0db8b8fb92f1715786e66de13f86ef

      SHA512

      eefae265c5ea5cdab796a1dbcd085a6dbdd1a118eb1a351b1824215df82e87448f9fc7f5f9ed9ea50c9aff97a0740cdc8ce0d64417b498d033cc985e9200425b

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      ecfee14c10b0e7d42ea19e5d646aaacf

      SHA1

      eabdbb2f722bb643a90480a2b3c1827cd229232a

      SHA256

      f5da68f778d16c5338aa701450aebd3084dcde5bac388d33a0ef09f255e78eff

      SHA512

      d271db38abc79a309101af8e0060e1177b5cdb95d38807cfa471dd75e05ec8c18b2ede541813da2c955e1c4538bd1d80cac7baaae509b0aada5a288be6878fe0

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      53af4c79b1f54416c0a00585e18fabff

      SHA1

      53c3aff984763822e9bf26e5fe6ddf6c03d8a0be

      SHA256

      79bc633b8b0b4302d92b2c6125cc8bbd977c444f49dc3b6fcee07b4ed3e2abf7

      SHA512

      5bec7c59f0cbac175e4ef38a09e88e0cce85c943954f6bb06075c31862971d55f66e293b6f534d5190616a0b7a9e79b318ffa42a97da01fe730f86bc351e13e9

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      9465c4df499aff2d1414f41061942f8c

      SHA1

      06736f267f03b8d3df7623e3656cc3395927b1b8

      SHA256

      c9603b5ab4925e5f2fcdf3f8c77253350467e2228af081b15636c41b57fb8526

      SHA512

      dddff557c9528669a395001872bc4722e739534327a4c439f433026381e7235df873c7c5359c9ec6a783ae15946cb6b265ff69bc73cdd0d88ad3be6687557697

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      9465c4df499aff2d1414f41061942f8c

      SHA1

      06736f267f03b8d3df7623e3656cc3395927b1b8

      SHA256

      c9603b5ab4925e5f2fcdf3f8c77253350467e2228af081b15636c41b57fb8526

      SHA512

      dddff557c9528669a395001872bc4722e739534327a4c439f433026381e7235df873c7c5359c9ec6a783ae15946cb6b265ff69bc73cdd0d88ad3be6687557697

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/2760-464-0x00000000074C0000-0x00000000074D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2760-458-0x000000007E790000-0x000000007E7A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2760-433-0x0000000073D20000-0x000000007440E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2760-435-0x00000000074C0000-0x00000000074D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2760-680-0x0000000073D20000-0x000000007440E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2760-645-0x0000000073D20000-0x000000007440E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2760-436-0x0000000008160000-0x00000000084B0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2760-437-0x0000000008CE0000-0x0000000008D2B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2760-463-0x0000000009C60000-0x0000000009D05000-memory.dmp

      Filesize

      660KB

      Download

    • memory/3032-1928-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3220-707-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3220-457-0x00000000029F0000-0x0000000002DF5000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3220-448-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3220-430-0x00000000029F0000-0x0000000002DF5000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3220-535-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3220-1171-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3220-431-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3512-205-0x000000000A050000-0x000000000A0F5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/3512-135-0x0000000007D10000-0x0000000007D76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3512-427-0x0000000073C20000-0x000000007430E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3512-128-0x0000000073C20000-0x000000007430E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3512-408-0x0000000008510000-0x0000000008518000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3512-403-0x0000000008520000-0x000000000853A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3512-129-0x0000000004870000-0x00000000048A6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3512-332-0x0000000004820000-0x0000000004830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3512-278-0x0000000073C20000-0x000000007430E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3512-207-0x000000000A250000-0x000000000A2E4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/3512-206-0x0000000004820000-0x0000000004830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3512-130-0x0000000004820000-0x0000000004830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3512-199-0x000000007EB90000-0x000000007EBA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3512-200-0x0000000009FF0000-0x000000000A00E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3512-131-0x0000000004820000-0x0000000004830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3512-197-0x000000000A010000-0x000000000A043000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3512-190-0x0000000009200000-0x0000000009276000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3512-132-0x0000000007510000-0x0000000007B38000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3512-158-0x0000000009140000-0x000000000917C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3512-133-0x00000000072E0000-0x0000000007302000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3512-134-0x0000000007460000-0x00000000074C6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3512-417-0x0000000004820000-0x0000000004830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3512-136-0x0000000007D80000-0x00000000080D0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3512-137-0x0000000007BA0000-0x0000000007BBC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3512-138-0x00000000080F0000-0x000000000813B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4620-331-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4620-122-0x0000000002A90000-0x0000000002E92000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4620-198-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4620-164-0x0000000002EA0000-0x000000000378B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4620-428-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4620-139-0x0000000002A90000-0x0000000002E92000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4620-125-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4620-124-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4620-123-0x0000000002EA0000-0x000000000378B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4660-1175-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4660-1671-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4660-1174-0x0000000002F00000-0x00000000032F9000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4660-1935-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4660-1933-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4660-1931-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4660-1919-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4660-1929-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4660-1937-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4660-1939-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4660-1184-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4844-1167-0x0000000073D20000-0x000000007440E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4844-929-0x00000000044F0000-0x0000000004500000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4844-930-0x00000000044F0000-0x0000000004500000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4844-954-0x00000000044F0000-0x0000000004500000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4844-928-0x0000000073D20000-0x000000007440E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4988-1934-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4988-1930-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/5016-686-0x0000000004C90000-0x0000000004CA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5016-684-0x0000000073D20000-0x000000007440E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/5016-712-0x0000000004C90000-0x0000000004CA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5016-685-0x0000000004C90000-0x0000000004CA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5016-687-0x00000000081F0000-0x0000000008540000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5016-925-0x0000000073D20000-0x000000007440E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/5076-1208-0x00000000091A0000-0x0000000009245000-memory.dmp

      Filesize

      660KB

      Download

    • memory/5076-1203-0x000000007E1F0000-0x000000007E200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5076-1183-0x0000000007E80000-0x0000000007ECB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5076-1181-0x00000000076C0000-0x0000000007A10000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5076-1179-0x0000000004350000-0x0000000004360000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5076-1180-0x0000000004350000-0x0000000004360000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5076-1178-0x0000000073C80000-0x000000007436E000-memory.dmp

      Filesize

      6.9MB

      Download