Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    29-08-2023 13:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d7fe3531815a4634d43f6b89ed094ba0e5535955a54c18fd01ed6acfff81d03.exe

  • Size

    4.2MB

  • MD5

    5e7956f5211527fbdbc4c9b4cb3f210b

  • SHA1

    4e2a942287f402dd6a1cdfe8cfe0314a8dbc6c61

  • SHA256

    3d7fe3531815a4634d43f6b89ed094ba0e5535955a54c18fd01ed6acfff81d03

  • SHA512

    bf169ee09c748667d1d6dc0d939d078f405182e30a42388a979210d128523e043128c5fb1f4263ed1b9ceb9ef2df1a23fac0250cd67a491d3f727d83e1e7b6f5

  • SSDEEP

    49152:6W0Fvkv8kl6qbwDRvr22MJU0etpt+0NZHFhyBOvLtKzEW63YDNGh+jzlaudyeUU0:zfQvr22MgtpJNZP3vwqic+LUtuLg/

Score
10/10
gluptebadropperevasionloaderpersistencerootkittrojanupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 23 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d7fe3531815a4634d43f6b89ed094ba0e5535955a54c18fd01ed6acfff81d03.exe
    "C:\Users\Admin\AppData\Local\Temp\3d7fe3531815a4634d43f6b89ed094ba0e5535955a54c18fd01ed6acfff81d03.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1928
    • C:\Users\Admin\AppData\Local\Temp\3d7fe3531815a4634d43f6b89ed094ba0e5535955a54c18fd01ed6acfff81d03.exe
      "C:\Users\Admin\AppData\Local\Temp\3d7fe3531815a4634d43f6b89ed094ba0e5535955a54c18fd01ed6acfff81d03.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3924
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1580
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:3440
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4412
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4088
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4068
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1180
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3932
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3920
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4076
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1288
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1824
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4372
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4600
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1148
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:792
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:2104

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i2ochq1t.oje.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      7ae3d2afae696a1142b2cab03ad6621a

      SHA1

      27e5940d943b211d3450d905a0585799a2e118db

      SHA256

      cacab3f7ad51734dcbb61f22cc03534bcecb1a1ea1c6e51c2a3bfa5267ad7e69

      SHA512

      d34a36ad8d41b2ef8e039e5f1358fa60032674b3eac62ebef33e70a360024ff2fb8f03cb435d44664e2072b817d3bf99c2cf3d6ad34903274ae7e45cdcde66c5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      23df99731244ab1b398f3b979ec942e1

      SHA1

      eb88dc469764d118d3cb1a8bb377f38d08e43f3a

      SHA256

      24eb0baed7b9a998a0e0088eb5cec580aef212fa2a1cd9ee6034942666a1d931

      SHA512

      04a05a07bffe6fc4f7ad143f18f01d230e233fb7b0df53f10060b147dc2fc36a46caa7aa4afd766743316afc2bcc86965e2ac10819341aeac558ec0ae9db5654

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      442adb76824754a662975b7fbf294a10

      SHA1

      9620182ba40fd9a71eb8dca8538b67b1226e44e1

      SHA256

      fb7cda6c7e89a5ca1a29b1bed6aa01624f8b780dbf613fdbbd47734e49b71160

      SHA512

      6b5f736f305d43e4dcc84eff2aaa8feab2058ab31adbe5150524aef21463e737072807089684365b2f949c6153f96add5a8492e3b7a636c01dab0582effb2b18

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      0cc5c3acf421156d7272e507ee738e9b

      SHA1

      f673331e687aec058236e1f7b037075cecc0fd9b

      SHA256

      5519ffbe7085f6c86040701086d11bbf4ea9a1fd187b273314d2188e082a4ed9

      SHA512

      49684e1c0f9374297bae78c5806d27cd11f6854518d8ed7c2dfb43e4feda13f9a7341571881f332b85cc332173bfa2fd211468ce533b258f717f8a42bb2b7378

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      d90dd5c35e0dbb1a3ad4899f1a5cb0db

      SHA1

      d23175a623c471ecbb6b29c8338b8ed5649b98fb

      SHA256

      9466f265c8425d9844eb6bfb1898c9eaf7979114bc57350ebc8844994626b2d4

      SHA512

      be5dfb724827a113f6e6c5b01770b29d8c41d5224ca237321ff508d411220d3cf3bf287c03894d71b71e5f01af4720351a4e87be0ccf9f94be394d1682f3d8d5

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      5e7956f5211527fbdbc4c9b4cb3f210b

      SHA1

      4e2a942287f402dd6a1cdfe8cfe0314a8dbc6c61

      SHA256

      3d7fe3531815a4634d43f6b89ed094ba0e5535955a54c18fd01ed6acfff81d03

      SHA512

      bf169ee09c748667d1d6dc0d939d078f405182e30a42388a979210d128523e043128c5fb1f4263ed1b9ceb9ef2df1a23fac0250cd67a491d3f727d83e1e7b6f5

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      5e7956f5211527fbdbc4c9b4cb3f210b

      SHA1

      4e2a942287f402dd6a1cdfe8cfe0314a8dbc6c61

      SHA256

      3d7fe3531815a4634d43f6b89ed094ba0e5535955a54c18fd01ed6acfff81d03

      SHA512

      bf169ee09c748667d1d6dc0d939d078f405182e30a42388a979210d128523e043128c5fb1f4263ed1b9ceb9ef2df1a23fac0250cd67a491d3f727d83e1e7b6f5

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/1180-1082-0x00000000098C0000-0x0000000009965000-memory.dmp

      Filesize

      660KB

      Download

    • memory/1180-1077-0x000000007E800000-0x000000007E810000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1180-1053-0x0000000006E80000-0x0000000006E90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1180-1283-0x0000000073470000-0x0000000073B5E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1180-1055-0x0000000007DA0000-0x00000000080F0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1180-1083-0x0000000006E80000-0x0000000006E90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1180-1054-0x0000000006E80000-0x0000000006E90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1180-1057-0x0000000008820000-0x000000000886B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1180-1052-0x0000000073470000-0x0000000073B5E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1620-897-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/1620-564-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/1620-1046-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/1620-306-0x0000000004490000-0x0000000004888000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1620-316-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/1620-308-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/1620-307-0x0000000004890000-0x000000000517B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/1928-83-0x0000000009DF0000-0x0000000009E95000-memory.dmp

      Filesize

      660KB

      Download

    • memory/1928-9-0x00000000071D0000-0x00000000077F8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1928-304-0x0000000073410000-0x0000000073AFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1928-5-0x0000000004970000-0x00000000049A6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1928-285-0x0000000008160000-0x0000000008168000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1928-280-0x0000000008170000-0x000000000818A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1928-157-0x0000000006B90000-0x0000000006BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1928-6-0x0000000073410000-0x0000000073AFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1928-7-0x0000000006B90000-0x0000000006BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1928-8-0x0000000006B90000-0x0000000006BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1928-10-0x0000000007080000-0x00000000070A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1928-11-0x0000000007950000-0x00000000079B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1928-154-0x0000000006B90000-0x0000000006BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1928-12-0x0000000007800000-0x0000000007866000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1928-13-0x0000000007A60000-0x0000000007DB0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1928-15-0x0000000007E10000-0x0000000007E2C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1928-16-0x0000000008270000-0x00000000082BB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1928-37-0x0000000008EB0000-0x0000000008EEC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1928-85-0x0000000009FF0000-0x000000000A084000-memory.dmp

      Filesize

      592KB

      Download

    • memory/1928-68-0x0000000008F70000-0x0000000008FE6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1928-75-0x0000000009DB0000-0x0000000009DE3000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1928-77-0x0000000073410000-0x0000000073AFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1928-84-0x0000000006B90000-0x0000000006BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1928-76-0x0000000009D90000-0x0000000009DAE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1928-79-0x000000007E9B0000-0x000000007E9C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2104-1809-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2104-1804-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3924-556-0x0000000073510000-0x0000000073BFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3924-311-0x0000000073510000-0x0000000073BFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3924-312-0x0000000006F00000-0x0000000006F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3924-313-0x0000000006F00000-0x0000000006F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3924-314-0x0000000007FE0000-0x0000000008330000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3924-315-0x0000000008910000-0x000000000895B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3924-339-0x0000000009950000-0x00000000099F5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/3924-340-0x0000000006F00000-0x0000000006F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3924-502-0x0000000073510000-0x0000000073BFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3924-539-0x0000000006F00000-0x0000000006F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4068-1048-0x0000000004700000-0x0000000004AF8000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4068-1802-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/4068-1812-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/4068-1810-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/4068-1049-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/4068-1808-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/4068-1070-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/4068-1806-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/4068-1805-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/4068-1788-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/4068-1216-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/4068-1331-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/4088-828-0x0000000006C50000-0x0000000006C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-1042-0x0000000073510000-0x0000000073BFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4088-804-0x0000000073510000-0x0000000073BFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4412-561-0x0000000006800000-0x0000000006810000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4412-560-0x0000000073510000-0x0000000073BFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4412-583-0x000000007EC10000-0x000000007EC20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4412-801-0x0000000073510000-0x0000000073BFE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4412-562-0x0000000006800000-0x0000000006810000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4412-588-0x0000000006800000-0x0000000006810000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4596-2-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/4596-18-0x0000000004890000-0x000000000517B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4596-0-0x0000000004490000-0x0000000004888000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4596-302-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/4596-1-0x0000000004890000-0x000000000517B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4596-305-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/4596-14-0x0000000000400000-0x0000000002827000-memory.dmp

      Filesize

      36.2MB

      Download

    • memory/4596-17-0x0000000004490000-0x0000000004888000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4600-1803-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download