Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-1703_x64
  • resource
    win10-20231020-en
  • resource tags

    arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
  • submitted
    11-12-2023 16:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2998eaad3c3529b60f0e3c21c26a844bd47ae089e2b6da5b485508605f7ce7bd.exe

  • Size

    4.1MB

  • MD5

    bf4e5ca5734158d8935ebe4609246704

  • SHA1

    2dbe97858c8f3874b96301bf2350b1443426390e

  • SHA256

    2998eaad3c3529b60f0e3c21c26a844bd47ae089e2b6da5b485508605f7ce7bd

  • SHA512

    27215da3730ae5add001df60ac71c73a500cd104fbdbdefb3cfc1d6366b9e2ac10992668511c3c601f916ec4d0f1e683064dae9344fec72fdbacdfc920bf3092

  • SSDEEP

    98304:GFfV3GNFg4XGQkhTpLXQUx8kN+eS+Tvida3ZJUOkV9qvDZPyn5X:CajmdLXQY8SRTqapJUBPq7Z2

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojanupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 22 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2998eaad3c3529b60f0e3c21c26a844bd47ae089e2b6da5b485508605f7ce7bd.exe
    "C:\Users\Admin\AppData\Local\Temp\2998eaad3c3529b60f0e3c21c26a844bd47ae089e2b6da5b485508605f7ce7bd.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2932
    • C:\Users\Admin\AppData\Local\Temp\2998eaad3c3529b60f0e3c21c26a844bd47ae089e2b6da5b485508605f7ce7bd.exe
      "C:\Users\Admin\AppData\Local\Temp\2998eaad3c3529b60f0e3c21c26a844bd47ae089e2b6da5b485508605f7ce7bd.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3596
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1684
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:4328
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3136
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1484
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3792
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
            PID:3428
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:2776
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3080
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /delete /tn ScheduledUpdate /f
            4⤵
              PID:4596
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              4⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4208
            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:3156
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              4⤵
              • Creates scheduled task(s)
              PID:3804
            • C:\Windows\windefender.exe
              "C:\Windows\windefender.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2648
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:3220
                • C:\Windows\SysWOW64\sc.exe
                  sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  6⤵
                  • Drops file in System32 directory
                  • Launches sc.exe
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3428
      • C:\Windows\windefender.exe
        C:\Windows\windefender.exe
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        PID:1060

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_juzkvkma.3iq.ps1
        Filesize

        1B

        MD5

        c4ca4238a0b923820dcc509a6f75849b

        SHA1

        356a192b7913b04c54574d18c28d46e6395428ab

        SHA256

        6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

        SHA512

        4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        Filesize

        281KB

        MD5

        d98e33b66343e7c96158444127a117f6

        SHA1

        bb716c5509a2bf345c6c1152f6e3e1452d39d50d

        SHA256

        5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

        SHA512

        705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        Filesize

        243KB

        MD5

        8e96b640c37ed8f568162785a45037ed

        SHA1

        fb338bdb0b835409278543dcc7b0b6a72d85c49d

        SHA256

        985a8dffc50471fd4d917bb2203c57f690e5f348334e046807171fd9ee7aedd2

        SHA512

        7a992c77263a36c6c90afa285ba07e24ebdef100223bdcf329f2da0932a920c42a2af84ff4c09e0afe59c7c386b3b5678436669a5f58da02eca96006aa5d87b5

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        1c19c16e21c97ed42d5beabc93391fc5

        SHA1

        8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

        SHA256

        1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

        SHA512

        7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        18KB

        MD5

        b92857f47f80ba3c0928a04f1c1495a7

        SHA1

        359629a555029c49f2940c3b5519d43c00471e52

        SHA256

        41cfff8fd79c9cbe808f28dfc27e37dcab41dc69c666b519af8c6b792331fd51

        SHA512

        6a58cbdcd8e201c508e7f7f84f88155d4e02100b6710f62963668f29927995ddc46ef724d48a7207a78f7b51149cb1f36f9be4c77a9c8d0713055b8fc3ed7c41

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        18KB

        MD5

        48d2b5c9879042948e65ba7a4424c8c1

        SHA1

        cffd4b41da2c7bfe00e02c89776817180dea1623

        SHA256

        f7bdff74dc6702d6da9cfafc963e55a0f11b428027636a59309c40d24772de3a

        SHA512

        c17cf0d20b6d9de48cf156e5e2ed35d81614d4bf12822a8a7df912694d80c4b35bc62198d4571a293b7639e3dcd79870ccb5a4b2b21557f29d1b6ea820e4cc48

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        1KB

        MD5

        b0918052571ed0a9c5fab720851421e1

        SHA1

        2fca778d9a4db1a13d6e77ef1d7086b08263036c

        SHA256

        918cb755d36463784f96a683a2c04b396ce7ea53b9fda7874ba5bceecc9e319c

        SHA512

        8fa896cf06097edeb74e385f15d43112dfd038c8fe843188b201b2cb959cea8fb882457fe2d87d0435342d8af342dfba4c346ba58007e0d41969e980268035e3

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        18KB

        MD5

        5e168f7e334bb7469ec228e16d69fd64

        SHA1

        e8dbf69bdd934c2ae536ad79a15f56ca87f7d9e5

        SHA256

        c27ae08d0b7b73ff5a3704ea28c7071ec990a66bfe38abd167f2734947cd6bd2

        SHA512

        610c0c48deadcd58aa1f58469e7f3978de953c034916ed8696f5ce5596e8221cb985f52a77ef182dbfce8951d5f4f13a1380e803250dd5d6a3990ec9e98c629f

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        18KB

        MD5

        a2ffc05f69a13ec433d93d742218a22e

        SHA1

        64a8a5f6b8c93b28c39dd9eb1feac7f6b9f9983b

        SHA256

        5c48536f3aa18c0bfa4e45dac0fb28e78850d10a7e87ccb9cec87af410277ce3

        SHA512

        e07cc470718fbc082d6d924458df2a3f75137ce1a4e5f569cfb74a0587d312b40862fb4ba8f0ff5afb1af2806dba5a548838b443d7158c1e99719b566c6ad8d7

        Download Submit

      • C:\Windows\rss\csrss.exe
        Filesize

        486KB

        MD5

        8ac8635bd8dfe975f998eadac41d4db0

        SHA1

        18c64514108313f350930568c385aab36fadf42b

        SHA256

        500a42b08335a75237e1775fe6e5e39adb2d71d24500e261080cbd4b6c48e254

        SHA512

        74d134cb10c6405dcd69bc600e0f765ba9ddd28ed19c35a572fd3a244368412f8a45eafdf5fd8264c7c97b94fb4e99fc371fcfc61e4d6aeb9eb929eea7a275bc

        Download Submit

      • C:\Windows\rss\csrss.exe
        Filesize

        276KB

        MD5

        739d55a5d333cfa8ebfda44b880b63fe

        SHA1

        790368ac6117eb14b00975e19d4e413d375fe99b

        SHA256

        72534eb29c5924f9fff6c342cb72b58b4c0ae50153a9bc9b99daf4797a777a98

        SHA512

        390e6f7e88a80fa76fc0bc1711e8618621afa6fca2eed757fb545fc291210895514768d703019fb4796d27c2b1dff2209712bcd33bab623b80b9af3732893ace

        Download Submit

      • C:\Windows\windefender.exe
        Filesize

        880KB

        MD5

        3884b2056b313a087f6b5f28deb5a4c1

        SHA1

        641585f01838892d11e16a56c54e6187ca1667f1

        SHA256

        0a0527ec5bfcab86b83c3252422794dd07af088208bc3d91dc39b3a281eabce6

        SHA512

        5d5ae21662511c5d1876d04cafc3ae45d31c756a22e15cb9c282a27c9bdf8b0abec1ed2921e41efd1f9a303a2008ccfbe61ac59ff0270fc31318668e5834cfc7

        Download Submit

      • C:\Windows\windefender.exe
        Filesize

        476KB

        MD5

        1447af5b94238da7e97f143f13ee3b12

        SHA1

        b26afab4d36a4f58f1d65363cd906f05d56b9b85

        SHA256

        7632e8255b8c6fe8b4bc7e823c9d2e687f390b60d8e2041bc68799cc64788c9f

        SHA512

        bd9199905ceb2fff743263b5eb44b4cf27164e2eb06ffae70391a9f63d724180419dcf30ebf4a2bf89af40b5f95de3e8c0e85da35b2dc3187c95b97e2a04a4e3

        Download Submit

      • C:\Windows\windefender.exe
        Filesize

        532KB

        MD5

        2e6743aca59166438911d1b56346f904

        SHA1

        2c2be4be05d9915ee2172eef89e2b47ebad8d4ee

        SHA256

        16443908b198166485521034df4775cf1fa8080bbfbe54ec8160810378067f4c

        SHA512

        b34e9933033e45271ab8554886ef1fd2fc093b1b270067b5c6cc78b8b8eb1e541dd910b2dc5bf432266d67b1a20cd8b7e9153cc296fd929ed4683b2d9e793932

        Download Submit

      • memory/1060-1815-0x0000000000400000-0x00000000008DF000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/1060-1819-0x0000000000400000-0x00000000008DF000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/1484-1049-0x0000000073230000-0x000000007391E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1484-829-0x000000007F020000-0x000000007F030000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1484-808-0x0000000007330000-0x0000000007340000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1484-830-0x000000006FF60000-0x000000006FFAB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/1484-805-0x0000000008160000-0x00000000084B0000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1484-831-0x000000006FFD0000-0x0000000070320000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1484-806-0x0000000073230000-0x000000007391E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1484-807-0x0000000007330000-0x0000000007340000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1484-836-0x0000000007330000-0x0000000007340000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2648-1812-0x0000000000400000-0x00000000008DF000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/2932-15-0x00000000081C0000-0x00000000081DC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2932-300-0x0000000073130000-0x000000007381E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2932-281-0x000000000A300000-0x000000000A308000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2932-276-0x000000000A320000-0x000000000A33A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2932-83-0x000000000A3C0000-0x000000000A454000-memory.dmp

        Filesize

        592KB

        Download

      • memory/2932-82-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2932-81-0x000000000A1A0000-0x000000000A245000-memory.dmp

        Filesize

        660KB

        Download

      • memory/2932-76-0x000000000A140000-0x000000000A15E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2932-75-0x000000006FE90000-0x00000000701E0000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2932-74-0x000000006FE40000-0x000000006FE8B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/2932-73-0x000000000A160000-0x000000000A193000-memory.dmp

        Filesize

        204KB

        Download

      • memory/2932-66-0x0000000009330000-0x00000000093A6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2932-35-0x0000000009270000-0x00000000092AC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2932-16-0x0000000008720000-0x000000000876B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/2932-14-0x0000000007E20000-0x0000000008170000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2932-12-0x0000000007D40000-0x0000000007DA6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2932-13-0x0000000007DB0000-0x0000000007E16000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2932-11-0x0000000007430000-0x0000000007452000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2932-10-0x0000000007530000-0x0000000007B58000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2932-9-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2932-8-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2932-7-0x00000000049D0000-0x0000000004A06000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2932-6-0x0000000073130000-0x000000007381E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/3136-561-0x0000000006EA0000-0x0000000006EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3136-559-0x0000000006EA0000-0x0000000006EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3136-582-0x000000007FA90000-0x000000007FAA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3136-583-0x000000006FFB0000-0x0000000070300000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3136-588-0x0000000006EA0000-0x0000000006EB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3136-801-0x0000000073230000-0x000000007391E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/3136-581-0x000000006FF60000-0x000000006FFAB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3136-558-0x0000000073230000-0x000000007391E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/3428-1060-0x0000000073190000-0x000000007387E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/3596-340-0x0000000007220000-0x0000000007230000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3596-309-0x0000000073230000-0x000000007391E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/3596-554-0x0000000073230000-0x000000007391E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/3596-310-0x0000000007220000-0x0000000007230000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3596-339-0x0000000009BE0000-0x0000000009C85000-memory.dmp

        Filesize

        660KB

        Download

      • memory/3596-334-0x000000006FFB0000-0x0000000070300000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3596-311-0x0000000007220000-0x0000000007230000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3596-333-0x000000006FF60000-0x000000006FFAB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3596-332-0x000000007F080000-0x000000007F090000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3596-313-0x00000000089F0000-0x0000000008A3B000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3596-312-0x00000000080A0000-0x00000000083F0000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3792-1822-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3792-1816-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3792-1057-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3792-1828-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3792-1820-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3792-1832-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3792-1824-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3792-1831-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3792-1818-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3792-1056-0x0000000003000000-0x00000000033F9000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3792-1826-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3792-1804-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3792-1814-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3792-1813-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/4520-298-0x0000000002AA0000-0x0000000002EA3000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4520-301-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/4520-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/4520-302-0x0000000002EB0000-0x000000000379B000-memory.dmp

        Filesize

        8.9MB

        Download

      • memory/4520-2-0x0000000002EB0000-0x000000000379B000-memory.dmp

        Filesize

        8.9MB

        Download

      • memory/4520-1-0x0000000002AA0000-0x0000000002EA3000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4940-1053-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/4940-304-0x0000000002AD0000-0x0000000002ECF000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4940-305-0x0000000002ED0000-0x00000000037BB000-memory.dmp

        Filesize

        8.9MB

        Download

      • memory/4940-306-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/4940-804-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/4940-560-0x0000000002AD0000-0x0000000002ECF000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4940-828-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download