Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2023, 08:20

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    63e63d7595c1b6363f0f455c43fdf65feb76dd03f7372cc36430a45f533a1417.exe

  • Size

    4.2MB

  • MD5

    bb9c007f70d94f55848bd194b725b6f2

  • SHA1

    727b51284ff4b102df05946c2db440d4ab0186e3

  • SHA256

    63e63d7595c1b6363f0f455c43fdf65feb76dd03f7372cc36430a45f533a1417

  • SHA512

    0de12c7f1d9c6f64d3d80bdd45c080751ed18e48dc6472f6c973a3363e79d53571a74d1194154b83e909ddc24161392862c34577cd41a879b086d7eba27f22ec

  • SSDEEP

    98304:/11WaNJmojGoT+5wHxYPYoEH06YAZF3ibNtVf2XtFRY/w+/S/Qq8N7:/9NJmoj3TiwHxYPYoE0oZtyVeXZyY/R2

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkitupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 23 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\63e63d7595c1b6363f0f455c43fdf65feb76dd03f7372cc36430a45f533a1417.exe
    "C:\Users\Admin\AppData\Local\Temp\63e63d7595c1b6363f0f455c43fdf65feb76dd03f7372cc36430a45f533a1417.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4228
    • C:\Users\Admin\AppData\Local\Temp\63e63d7595c1b6363f0f455c43fdf65feb76dd03f7372cc36430a45f533a1417.exe
      "C:\Users\Admin\AppData\Local\Temp\63e63d7595c1b6363f0f455c43fdf65feb76dd03f7372cc36430a45f533a1417.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3368
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3676
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3380
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4048
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5032
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:620
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:960
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:1072
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1184
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3768
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1836
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:1500
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3728
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4120
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:4664
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 600
          3⤵
          • Program crash
          PID:3948
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 708
        2⤵
        • Program crash
        PID:2724
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1312 -ip 1312
      1⤵
        PID:2148
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1556 -ip 1556
        1⤵
          PID:4396
        • C:\Windows\windefender.exe
          C:\Windows\windefender.exe
          1⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          PID:3592

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_04qld5yk.3kv.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                Filesize

                281KB

                MD5

                d98e33b66343e7c96158444127a117f6

                SHA1

                bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                SHA256

                5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                SHA512

                705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                Filesize

                281KB

                MD5

                d98e33b66343e7c96158444127a117f6

                SHA1

                bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                SHA256

                5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                SHA512

                705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                Filesize

                2KB

                MD5

                3d086a433708053f9bf9523e1d87a4e8

                SHA1

                b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

                SHA256

                6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

                SHA512

                931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                8778db2e3b22e13d784fe84a86e77a15

                SHA1

                c817caefb0db17767ffa21d2bef6213cce7d21d7

                SHA256

                eb5fa604f4985da0dffc048cd9ebf88d3db7fd011257990a4734c91fd945819d

                SHA512

                60314ba2cac74afeec6e83d6a2f462252356ad48a1af950479677fa68ae59b2d81804859f1cf1ab13148feff688671533131957629e289948ca9c693f6c1aa0e

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                f3c5eb688c2378e662f264c1e96e7a46

                SHA1

                8cb94c84d19f08bf62bfadb21a85091a5a1ce3c1

                SHA256

                a4bcc07bb4e27e8705936ea9214c04a299824c5bfd61d65e419e64b10b08e65e

                SHA512

                b2e8b4f120af2f8c62e07637f478ba03b4fe741c0cab85600177fd5b326a6a6a49e94ce658eac3f5b911b3e0078dd5b4850440ac46fe773c576586adf1ff795d

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                0bad5dd2980b8d531251c1f4b0bb4c4a

                SHA1

                c967b1322a4a9d0297053589174fcda772a28f71

                SHA256

                04115d17667c2b61068fdc3bdeea5d5b04d4be869558eabe03d58b30c0c58a2c

                SHA512

                cd9d39b4c45800151e0c52acfe57e387c83d408cf2e770175ac80c33cca3ce6c8e5bd917c579883eefb36bf34dec645054a244d725f3f015b8f46b571fde1e3a

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                cfaa5cf43f1846b3bbdd15aeec542507

                SHA1

                7b121f41b5df4e4ceaeee8766960d6f23f984524

                SHA256

                c79a3094281ffdae7d8720337cf747f3cb988dfef5d99691ffa69b3aa1663029

                SHA512

                9f84a750479a2b5434697f084d9fd5273088054b317ca0bf91bf72fd6bc8b836ce65baa9adac3e38f6c29bd9d0d3c468da2d62377fbda491bfa2fc49ba39b814

                Download Submit

              • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                Filesize

                19KB

                MD5

                3f64d5c115f504d6a3ba61f36cadbee3

                SHA1

                701779131fb9fd9c5a99811224f29bdab8feda22

                SHA256

                c3b464aec04bd1bdda68a5c88e207978e169b93484a73d41b5ddc9dca3ca20ea

                SHA512

                a25895ca38e5f046466e7dba4077758111d2499103137f21d83c71f098c3f16fdca96b59557a5adc7692fb2660eaaabdfe3a96d6d309c23881eb7703adb27f21

                Download Submit

              • C:\Windows\rss\csrss.exe
                Filesize

                4.2MB

                MD5

                bb9c007f70d94f55848bd194b725b6f2

                SHA1

                727b51284ff4b102df05946c2db440d4ab0186e3

                SHA256

                63e63d7595c1b6363f0f455c43fdf65feb76dd03f7372cc36430a45f533a1417

                SHA512

                0de12c7f1d9c6f64d3d80bdd45c080751ed18e48dc6472f6c973a3363e79d53571a74d1194154b83e909ddc24161392862c34577cd41a879b086d7eba27f22ec

                Download Submit

              • C:\Windows\rss\csrss.exe
                Filesize

                4.2MB

                MD5

                bb9c007f70d94f55848bd194b725b6f2

                SHA1

                727b51284ff4b102df05946c2db440d4ab0186e3

                SHA256

                63e63d7595c1b6363f0f455c43fdf65feb76dd03f7372cc36430a45f533a1417

                SHA512

                0de12c7f1d9c6f64d3d80bdd45c080751ed18e48dc6472f6c973a3363e79d53571a74d1194154b83e909ddc24161392862c34577cd41a879b086d7eba27f22ec

                Download Submit

              • C:\Windows\windefender.exe
                Filesize

                2.0MB

                MD5

                8e67f58837092385dcf01e8a2b4f5783

                SHA1

                012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                SHA256

                166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                SHA512

                40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                Download Submit

              • C:\Windows\windefender.exe
                Filesize

                2.0MB

                MD5

                8e67f58837092385dcf01e8a2b4f5783

                SHA1

                012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                SHA256

                166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                SHA512

                40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                Download Submit

              • C:\Windows\windefender.exe
                Filesize

                2.0MB

                MD5

                8e67f58837092385dcf01e8a2b4f5783

                SHA1

                012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                SHA256

                166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                SHA512

                40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                Download Submit

              • memory/1312-2-0x0000000004A00000-0x00000000052EB000-memory.dmp

                Filesize

                8.9MB

                Download

              • memory/1312-32-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/1312-25-0x0000000004A00000-0x00000000052EB000-memory.dmp

                Filesize

                8.9MB

                Download

              • memory/1312-61-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/1312-49-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/1312-3-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/1312-1-0x00000000045F0000-0x00000000049F4000-memory.dmp

                Filesize

                4.0MB

                Download

              • memory/1312-24-0x00000000045F0000-0x00000000049F4000-memory.dmp

                Filesize

                4.0MB

                Download

              • memory/1556-97-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/1556-96-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/1556-91-0x0000000004380000-0x000000000477F000-memory.dmp

                Filesize

                4.0MB

                Download

              • memory/1556-157-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/1556-62-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/1556-149-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/1556-60-0x0000000004780000-0x000000000506B000-memory.dmp

                Filesize

                8.9MB

                Download

              • memory/1556-59-0x0000000004380000-0x000000000477F000-memory.dmp

                Filesize

                4.0MB

                Download

              • memory/3368-78-0x0000000070540000-0x000000007058C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/3368-65-0x0000000004770000-0x0000000004780000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3368-95-0x00000000745A0000-0x0000000074D50000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3368-92-0x0000000007180000-0x0000000007194000-memory.dmp

                Filesize

                80KB

                Download

              • memory/3368-90-0x0000000007130000-0x0000000007141000-memory.dmp

                Filesize

                68KB

                Download

              • memory/3368-89-0x0000000006E30000-0x0000000006ED3000-memory.dmp

                Filesize

                652KB

                Download

              • memory/3368-79-0x0000000070CE0000-0x0000000071034000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/3368-77-0x0000000004770000-0x0000000004780000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3368-76-0x0000000006170000-0x00000000061BC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/3368-75-0x00000000055B0000-0x0000000005904000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/3368-63-0x00000000745A0000-0x0000000074D50000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3368-64-0x0000000004770000-0x0000000004780000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3380-113-0x0000000070540000-0x000000007058C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/3380-125-0x00000000745A0000-0x0000000074D50000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3380-99-0x00000000745A0000-0x0000000074D50000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/3380-100-0x0000000003070000-0x0000000003080000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3380-101-0x0000000003070000-0x0000000003080000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3380-112-0x0000000003070000-0x0000000003080000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3380-114-0x0000000070CE0000-0x0000000071034000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/3592-275-0x0000000000400000-0x00000000008DF000-memory.dmp

                Filesize

                4.9MB

                Download

              • memory/3592-271-0x0000000000400000-0x00000000008DF000-memory.dmp

                Filesize

                4.9MB

                Download

              • memory/3728-269-0x0000000000400000-0x00000000008DF000-memory.dmp

                Filesize

                4.9MB

                Download

              • memory/4048-126-0x00000000745A0000-0x0000000074D50000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4048-127-0x0000000002C30000-0x0000000002C40000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4048-138-0x0000000070540000-0x000000007058C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/4048-139-0x0000000070CE0000-0x0000000071034000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/4228-30-0x0000000007C40000-0x0000000007C72000-memory.dmp

                Filesize

                200KB

                Download

              • memory/4228-47-0x0000000007E30000-0x0000000007EC6000-memory.dmp

                Filesize

                600KB

                Download

              • memory/4228-44-0x0000000007C20000-0x0000000007C3E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/4228-31-0x0000000070440000-0x000000007048C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/4228-50-0x0000000007DD0000-0x0000000007DDE000-memory.dmp

                Filesize

                56KB

                Download

              • memory/4228-28-0x00000000080F0000-0x000000000876A000-memory.dmp

                Filesize

                6.5MB

                Download

              • memory/4228-51-0x00000000745A0000-0x0000000074D50000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4228-48-0x0000000007D90000-0x0000000007DA1000-memory.dmp

                Filesize

                68KB

                Download

              • memory/4228-34-0x00000000705C0000-0x0000000070914000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/4228-52-0x0000000007DE0000-0x0000000007DF4000-memory.dmp

                Filesize

                80KB

                Download

              • memory/4228-53-0x0000000007ED0000-0x0000000007EEA000-memory.dmp

                Filesize

                104KB

                Download

              • memory/4228-54-0x0000000007E10000-0x0000000007E18000-memory.dmp

                Filesize

                32KB

                Download

              • memory/4228-27-0x00000000079F0000-0x0000000007A66000-memory.dmp

                Filesize

                472KB

                Download

              • memory/4228-33-0x000000007F990000-0x000000007F9A0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4228-57-0x00000000745A0000-0x0000000074D50000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4228-26-0x0000000003150000-0x0000000003160000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4228-23-0x0000000006C10000-0x0000000006C54000-memory.dmp

                Filesize

                272KB

                Download

              • memory/4228-22-0x0000000006700000-0x000000000674C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/4228-21-0x00000000066B0000-0x00000000066CE000-memory.dmp

                Filesize

                120KB

                Download

              • memory/4228-20-0x0000000006240000-0x0000000006594000-memory.dmp

                Filesize

                3.3MB

                Download

              • memory/4228-15-0x0000000006040000-0x00000000060A6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/4228-45-0x0000000007C80000-0x0000000007D23000-memory.dmp

                Filesize

                652KB

                Download

              • memory/4228-9-0x0000000005FD0000-0x0000000006036000-memory.dmp

                Filesize

                408KB

                Download

              • memory/4228-8-0x0000000005E30000-0x0000000005E52000-memory.dmp

                Filesize

                136KB

                Download

              • memory/4228-7-0x00000000057B0000-0x0000000005DD8000-memory.dmp

                Filesize

                6.2MB

                Download

              • memory/4228-46-0x0000000007D70000-0x0000000007D7A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/4228-29-0x0000000007A90000-0x0000000007AAA000-memory.dmp

                Filesize

                104KB

                Download

              • memory/4228-4-0x00000000030C0000-0x00000000030F6000-memory.dmp

                Filesize

                216KB

                Download

              • memory/4228-6-0x0000000003150000-0x0000000003160000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4228-5-0x00000000745A0000-0x0000000074D50000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/5032-262-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/5032-261-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/5032-270-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/5032-260-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/5032-272-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/5032-274-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/5032-224-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/5032-276-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/5032-278-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/5032-280-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download

              • memory/5032-282-0x0000000000400000-0x0000000002676000-memory.dmp

                Filesize

                34.5MB

                Download