Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-1703_x64
  • resource
    win10-20231020-en
  • resource tags

    arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-11-2023 10:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37cb02c0bf7846fcc4289cb1c7a6971bbe1388cf0a4c1ed8ee9dff3b66244c6e.exe

  • Size

    4.2MB

  • MD5

    b4f5c79c6677981af25adef86b5ded28

  • SHA1

    6ed538eb7c9369a64971be518fb2f652f435022c

  • SHA256

    37cb02c0bf7846fcc4289cb1c7a6971bbe1388cf0a4c1ed8ee9dff3b66244c6e

  • SHA512

    caa2b66c8688c3fcc1e63ccb9fdeffbe38ed0ac6c3f532f0b1faa4181ffea88cab51b103cfbe21baa9fc307437aa48d615171206937b9c0e62a2971f2ea6d857

  • SSDEEP

    98304:93SE+75EMmyBBq5N7/U4wDnJZwOIVpGZqgFT:9ZK5RnBBqn78fnJKFOEgFT

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojanupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 23 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\37cb02c0bf7846fcc4289cb1c7a6971bbe1388cf0a4c1ed8ee9dff3b66244c6e.exe
    "C:\Users\Admin\AppData\Local\Temp\37cb02c0bf7846fcc4289cb1c7a6971bbe1388cf0a4c1ed8ee9dff3b66244c6e.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2336
    • C:\Users\Admin\AppData\Local\Temp\37cb02c0bf7846fcc4289cb1c7a6971bbe1388cf0a4c1ed8ee9dff3b66244c6e.exe
      "C:\Users\Admin\AppData\Local\Temp\37cb02c0bf7846fcc4289cb1c7a6971bbe1388cf0a4c1ed8ee9dff3b66244c6e.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5004
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4060
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1644
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4004
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:316
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1164
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3616
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4504
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:4448
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2596
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:664
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2948
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4288
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2288
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3856
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:4260
          • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
            4⤵
            • Executes dropped EXE
            PID:3980
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /delete /tn "csrss" /f
              5⤵
                PID:1112
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /delete /tn "ScheduledUpdate" /f
                5⤵
                  PID:3168
        • C:\Windows\windefender.exe
          C:\Windows\windefender.exe
          1⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          PID:3988

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1hledbex.4sw.ps1
          Filesize

          1B

          MD5

          c4ca4238a0b923820dcc509a6f75849b

          SHA1

          356a192b7913b04c54574d18c28d46e6395428ab

          SHA256

          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

          SHA512

          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
          Filesize

          3.2MB

          MD5

          f801950a962ddba14caaa44bf084b55c

          SHA1

          7cadc9076121297428442785536ba0df2d4ae996

          SHA256

          c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

          SHA512

          4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
          Filesize

          3.2MB

          MD5

          f801950a962ddba14caaa44bf084b55c

          SHA1

          7cadc9076121297428442785536ba0df2d4ae996

          SHA256

          c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

          SHA512

          4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Filesize

          281KB

          MD5

          d98e33b66343e7c96158444127a117f6

          SHA1

          bb716c5509a2bf345c6c1152f6e3e1452d39d50d

          SHA256

          5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

          SHA512

          705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Filesize

          281KB

          MD5

          d98e33b66343e7c96158444127a117f6

          SHA1

          bb716c5509a2bf345c6c1152f6e3e1452d39d50d

          SHA256

          5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

          SHA512

          705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          db01a2c1c7e70b2b038edf8ad5ad9826

          SHA1

          540217c647a73bad8d8a79e3a0f3998b5abd199b

          SHA256

          413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

          SHA512

          c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          18KB

          MD5

          f64f09ed81e40e16c9f7bbd6c905bfaa

          SHA1

          0bba43617709d5bf88a3aa5812a28ac364dc105a

          SHA256

          535fbcd19c7de0178921d375d6007049efff47a1c58d0e704ba42f5d0feb4b6f

          SHA512

          60231e92cee1a7246ac33efd272b23b18e510b7aa238f0e05000e1cf853613a6fb28841083356d95dd1725eb16295e01223faadf6e5150dbc155cc0b34b20f65

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          18KB

          MD5

          3852b523574f92512b3d38b0c6903ddc

          SHA1

          da4489cef1189d56e51ccc71014be8cf98235ae2

          SHA256

          824da6ae6f9f48781c60ca92fd53f44b921856c75e9e5cb6185183fccf12d205

          SHA512

          5cf9b05cd756af7ecb7804b125e1fbb5ada03abb1607262ad6e5ab521ea0b889c6803abf83054961f9c4e07cac01f38ffb556760e5bcf48d229ecaa34908c3be

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          18KB

          MD5

          e180113ee3a45bf7a135b64ecb9caa55

          SHA1

          2ac31acca8544cc4fde567c35bde533cf1bb4c4c

          SHA256

          c50e273935d231cb9b393e0b3c404c98b1c0f42e3fdac974f3d9a797c6658ac5

          SHA512

          2775d2730c64e4d8a0722a96b97b2a6177e401234e51f964d4947514ff216248ef2badc44b788da7729b2476e03e960604440156cb7c0772a51d1b13ca9ace38

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          18KB

          MD5

          40e45d3b2f6623074f7cab6407becd55

          SHA1

          ada89eb48b18442a2162c9d0b67625cedaa383c1

          SHA256

          0bc9df671c953f72cfd4aaaa1385b51ec0e6c3cb83090806ac3225e8ffc94dd3

          SHA512

          ca373950ddc3904ebc8167b31b0b34a1840425f54f6ada4b0e525bcb96ed0d0c21f6eab1286483f3efcbf431ffadf31b6a5d4a3ca8165acc1bfcc542ef7c4380

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          18KB

          MD5

          061d437140b8d8ca081e938ce8e5fa78

          SHA1

          8fd67800f5ec7e5674ee987be8f86bfbb78f67a7

          SHA256

          c4e3341435edbdde43340ebf7e13227e69c38568b28abbc8272deaf9ca533b06

          SHA512

          ebb0bc34d35e7653ac122aac6aa442c60433da8a265c1ca291e7741b420b80a188205592897b5f2560f1d42cdcadd8c0552cec9d4f974e4b28a55ee76bd4a422

          Download Submit

        • C:\Windows\rss\csrss.exe
          Filesize

          4.2MB

          MD5

          b4f5c79c6677981af25adef86b5ded28

          SHA1

          6ed538eb7c9369a64971be518fb2f652f435022c

          SHA256

          37cb02c0bf7846fcc4289cb1c7a6971bbe1388cf0a4c1ed8ee9dff3b66244c6e

          SHA512

          caa2b66c8688c3fcc1e63ccb9fdeffbe38ed0ac6c3f532f0b1faa4181ffea88cab51b103cfbe21baa9fc307437aa48d615171206937b9c0e62a2971f2ea6d857

          Download Submit

        • C:\Windows\rss\csrss.exe
          Filesize

          4.2MB

          MD5

          b4f5c79c6677981af25adef86b5ded28

          SHA1

          6ed538eb7c9369a64971be518fb2f652f435022c

          SHA256

          37cb02c0bf7846fcc4289cb1c7a6971bbe1388cf0a4c1ed8ee9dff3b66244c6e

          SHA512

          caa2b66c8688c3fcc1e63ccb9fdeffbe38ed0ac6c3f532f0b1faa4181ffea88cab51b103cfbe21baa9fc307437aa48d615171206937b9c0e62a2971f2ea6d857

          Download Submit

        • C:\Windows\windefender.exe
          Filesize

          2.0MB

          MD5

          8e67f58837092385dcf01e8a2b4f5783

          SHA1

          012c49cfd8c5d06795a6f67ea2baf2a082cf8625

          SHA256

          166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

          SHA512

          40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

          Download Submit

        • C:\Windows\windefender.exe
          Filesize

          2.0MB

          MD5

          8e67f58837092385dcf01e8a2b4f5783

          SHA1

          012c49cfd8c5d06795a6f67ea2baf2a082cf8625

          SHA256

          166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

          SHA512

          40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

          Download Submit

        • C:\Windows\windefender.exe
          Filesize

          2.0MB

          MD5

          8e67f58837092385dcf01e8a2b4f5783

          SHA1

          012c49cfd8c5d06795a6f67ea2baf2a082cf8625

          SHA256

          166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

          SHA512

          40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

          Download Submit

        • memory/316-811-0x00000000065F0000-0x0000000006600000-memory.dmp

          Filesize

          64KB

          Download

        • memory/316-1051-0x0000000073400000-0x0000000073AEE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/316-838-0x00000000065F0000-0x0000000006600000-memory.dmp

          Filesize

          64KB

          Download

        • memory/316-833-0x0000000070180000-0x00000000704D0000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/316-832-0x0000000070130000-0x000000007017B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/316-810-0x0000000073400000-0x0000000073AEE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1164-1819-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1164-1059-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1164-1058-0x0000000002E00000-0x00000000031F9000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/1164-1307-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1164-1804-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1164-1808-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1164-1817-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1164-1821-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1164-1823-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1164-1825-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1164-1827-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/1164-1835-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/2288-1816-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/2336-77-0x000000007F330000-0x000000007F340000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2336-85-0x0000000009BF0000-0x0000000009C95000-memory.dmp

          Filesize

          660KB

          Download

        • memory/2336-37-0x0000000008CC0000-0x0000000008CFC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/2336-68-0x0000000008D80000-0x0000000008DF6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2336-75-0x0000000009BB0000-0x0000000009BE3000-memory.dmp

          Filesize

          204KB

          Download

        • memory/2336-15-0x0000000007C10000-0x0000000007C2C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2336-6-0x0000000073300000-0x00000000739EE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2336-7-0x0000000006A40000-0x0000000006A50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2336-8-0x0000000004760000-0x0000000004796000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2336-9-0x0000000006A40000-0x0000000006A50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2336-78-0x0000000070010000-0x000000007005B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/2336-10-0x0000000007080000-0x00000000076A8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2336-11-0x0000000006E80000-0x0000000006EA2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2336-79-0x0000000070060000-0x00000000703B0000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2336-80-0x0000000009B90000-0x0000000009BAE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2336-14-0x0000000007820000-0x0000000007B70000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2336-12-0x0000000007000000-0x0000000007066000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2336-309-0x0000000073300000-0x00000000739EE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2336-16-0x0000000007C40000-0x0000000007C8B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/2336-13-0x00000000077B0000-0x0000000007816000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2336-307-0x0000000006A40000-0x0000000006A50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2336-87-0x0000000006A40000-0x0000000006A50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2336-88-0x0000000009E10000-0x0000000009EA4000-memory.dmp

          Filesize

          592KB

          Download

        • memory/2336-141-0x0000000073300000-0x00000000739EE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2336-144-0x0000000006A40000-0x0000000006A50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2336-306-0x000000007F330000-0x000000007F340000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2336-289-0x0000000008120000-0x0000000008128000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2336-283-0x0000000009CE0000-0x0000000009CFA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3616-1063-0x0000000004980000-0x0000000004990000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3616-1062-0x0000000073360000-0x0000000073A4E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3988-1818-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3988-1834-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3988-1822-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/4004-588-0x0000000070130000-0x000000007017B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/4004-567-0x0000000073400000-0x0000000073AEE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/4004-568-0x0000000007640000-0x0000000007990000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4004-807-0x0000000073400000-0x0000000073AEE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/4004-589-0x0000000070180000-0x00000000704D0000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4004-594-0x00000000067D0000-0x00000000067E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4360-1055-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4360-544-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4360-347-0x00000000029E0000-0x0000000002DDC000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4360-831-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4360-314-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4360-313-0x0000000002EE0000-0x00000000037CB000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/4360-312-0x00000000029E0000-0x0000000002DDC000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4972-26-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4972-17-0x0000000002B20000-0x0000000002F28000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4972-310-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4972-76-0x0000000002F30000-0x000000000381B000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/4972-1-0x0000000002B20000-0x0000000002F28000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4972-86-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/4972-2-0x0000000002F30000-0x000000000381B000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/4972-3-0x0000000000400000-0x0000000000D1B000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/5004-341-0x00000000701A0000-0x00000000704F0000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5004-346-0x00000000098C0000-0x0000000009965000-memory.dmp

          Filesize

          660KB

          Download

        • memory/5004-340-0x0000000070130000-0x000000007017B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/5004-339-0x000000007EF00000-0x000000007EF10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5004-320-0x0000000008550000-0x000000000859B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/5004-319-0x0000000007D90000-0x00000000080E0000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5004-318-0x0000000006FD0000-0x0000000006FE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5004-558-0x0000000073400000-0x0000000073AEE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/5004-317-0x0000000073400000-0x0000000073AEE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/5004-563-0x0000000073400000-0x0000000073AEE000-memory.dmp

          Filesize

          6.9MB

          Download