Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06-06-2023 17:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab191a177fefdce19b54cecabf760c92955595bdbbb18efaf73e01c60f1f1d3a.exe

  • Size

    4.2MB

  • MD5

    e2bd07c3657d4c22c63a3323ceaba1a6

  • SHA1

    15847f4cf3a74478a17157a9e855a468faedd6fd

  • SHA256

    ab191a177fefdce19b54cecabf760c92955595bdbbb18efaf73e01c60f1f1d3a

  • SHA512

    5cb6d54d1585885e7992d7ea1db69af416f444a0acaf26a09b85abd1c4d07db2007ff9a90236588389b56e621b3fdf20218bbdb1133f37e7ec059c4c085aa318

  • SSDEEP

    98304:lZWb6LD0a8dfSnswbp9eN1HIelZhKeDO/efdW8UMpwvziYHL9SE6:l0YD0agSnT/eN1oel3HO1g

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojanupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 16 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab191a177fefdce19b54cecabf760c92955595bdbbb18efaf73e01c60f1f1d3a.exe
    "C:\Users\Admin\AppData\Local\Temp\ab191a177fefdce19b54cecabf760c92955595bdbbb18efaf73e01c60f1f1d3a.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4264
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5064
    • C:\Users\Admin\AppData\Local\Temp\ab191a177fefdce19b54cecabf760c92955595bdbbb18efaf73e01c60f1f1d3a.exe
      "C:\Users\Admin\AppData\Local\Temp\ab191a177fefdce19b54cecabf760c92955595bdbbb18efaf73e01c60f1f1d3a.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:96
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3984
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:2240
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5036
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1508
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5064
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:192
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3164
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:5072
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1016
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4956
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3772
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:364
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4796
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4232
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:4536
          • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
            4⤵
            • Executes dropped EXE
            PID:4976
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:1960

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Disabling Security Tools

    2
    T1089

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iykk4ia3.jgj.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      Filesize

      3.2MB

      MD5

      f801950a962ddba14caaa44bf084b55c

      SHA1

      7cadc9076121297428442785536ba0df2d4ae996

      SHA256

      c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

      SHA512

      4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      Filesize

      3.2MB

      MD5

      f801950a962ddba14caaa44bf084b55c

      SHA1

      7cadc9076121297428442785536ba0df2d4ae996

      SHA256

      c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

      SHA512

      4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      6d64520126cf81c020aad69762b3ed00

      SHA1

      08c2277a5f02358a826b99f765f39d3b3e009d18

      SHA256

      9558e2f47d5c4510594aa3fd813d735b2447e392b0a715c6fc4dc09909bae388

      SHA512

      94a5e153ef1513c3772ad63580f955931a4e089aa1e9245617b5c70fa45151e424f73900fb3bcee55b7cfba410515569681e3b8659d09362072b638b07eb41fb

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      b726a9e8031534fba0edb55525f209ec

      SHA1

      4b83d0ff47cd4e31f5013a30f71c0c50d7a62c2b

      SHA256

      49088d484db446170705bfd7df4ce860e7081906f1819db819aa0462c2f9e648

      SHA512

      9fb0739da4c994366772064c06b5eaccaa7902f0f938a71738b1d2d5638b9805a2c87ae22d84cf8f82f90ad56a13a18ff82d9935c3f0484caa484e4e1201e400

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      10cf052500f7c28f6b38f28f9dfc0d17

      SHA1

      db86463d5f588ddcf31f98f92f5de05adf8781c8

      SHA256

      b255b385bbbdc6214da2e428242c2164b1f1676863eb10ab1e51ce06a5bdcb04

      SHA512

      e6ccc3b7c75f0db3b71f33021e49acc5d043193f71858ad64b3f7fe43594b16732a2ac14f956c6a3e8aa60dbd8230bc82ac3327b24ead0d2819772c1f751f211

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      75f5f6316d8b12e09373042e7fcc79ae

      SHA1

      924b1820f44fc7fee53a89efbc3c0a4e8a2c7b80

      SHA256

      12ed1085a26b604cf1ac4bd8b7bc2a8c8dc9677411706fd3064839020076ac93

      SHA512

      b483eb2b3919f4c28039270553ce15a3de4259d1eb2e5e490359b692c73533271c9772fd2c67f6e4f207ccdd02e7521a881241d67bbd0c7c0c0fe63601a8c386

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      3baa1f3a18c4f967d13b06952121db95

      SHA1

      27766db241ee6b853eb7fe4a4738bcf14e67a6e1

      SHA256

      6eb864d8a622c0ee8ecdf62678a25f24d59157f2b5ffaf3967305f94562487f5

      SHA512

      28ec86777e389b44e92862ec54ee9bec934214d9c4dbf96e5e29a6fd275ebccc0fc203ae98bdad63763f2612e507a524d4ba6bac6ce311b716822843349e85bf

      Download Submit
    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      e2bd07c3657d4c22c63a3323ceaba1a6

      SHA1

      15847f4cf3a74478a17157a9e855a468faedd6fd

      SHA256

      ab191a177fefdce19b54cecabf760c92955595bdbbb18efaf73e01c60f1f1d3a

      SHA512

      5cb6d54d1585885e7992d7ea1db69af416f444a0acaf26a09b85abd1c4d07db2007ff9a90236588389b56e621b3fdf20218bbdb1133f37e7ec059c4c085aa318

      Download Submit
    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      e2bd07c3657d4c22c63a3323ceaba1a6

      SHA1

      15847f4cf3a74478a17157a9e855a468faedd6fd

      SHA256

      ab191a177fefdce19b54cecabf760c92955595bdbbb18efaf73e01c60f1f1d3a

      SHA512

      5cb6d54d1585885e7992d7ea1db69af416f444a0acaf26a09b85abd1c4d07db2007ff9a90236588389b56e621b3fdf20218bbdb1133f37e7ec059c4c085aa318

      Download Submit
    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit
    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit
    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit
    • memory/96-418-0x0000000007FB0000-0x0000000008300000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/96-451-0x0000000004F30000-0x0000000004F40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/96-449-0x000000007F2F0000-0x000000007F300000-memory.dmp
      Filesize

      64KB

      Download
    • memory/96-442-0x0000000009940000-0x00000000099E5000-memory.dmp
      Filesize

      660KB

      Download
    • memory/96-419-0x0000000008940000-0x000000000898B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/192-1156-0x0000000007AC0000-0x0000000007B0B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/192-1228-0x00000000047A0000-0x00000000047B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/192-1227-0x000000007F150000-0x000000007F160000-memory.dmp
      Filesize

      64KB

      Download
    • memory/192-1155-0x00000000047A0000-0x00000000047B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/192-1154-0x00000000047A0000-0x00000000047B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/192-1179-0x0000000008F90000-0x0000000009035000-memory.dmp
      Filesize

      660KB

      Download
    • memory/192-1152-0x00000000076C0000-0x0000000007A10000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1016-1401-0x0000000008910000-0x000000000895B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/1016-1420-0x000000007F550000-0x000000007F560000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1016-1425-0x0000000009960000-0x0000000009A05000-memory.dmp
      Filesize

      660KB

      Download
    • memory/1016-1494-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1016-1400-0x0000000008050000-0x00000000083A0000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1016-1398-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1016-1397-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1508-935-0x00000000071C0000-0x00000000071D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1508-904-0x00000000071C0000-0x00000000071D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1508-906-0x00000000071C0000-0x00000000071D0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1508-932-0x000000007EC50000-0x000000007EC60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1960-1893-0x0000000000400000-0x00000000008DF000-memory.dmp
      Filesize

      4.9MB

      Download
    • memory/1960-1901-0x0000000000400000-0x00000000008DF000-memory.dmp
      Filesize

      4.9MB

      Download
    • memory/1960-1909-0x0000000000400000-0x00000000008DF000-memory.dmp
      Filesize

      4.9MB

      Download
    • memory/2548-893-0x0000000000400000-0x00000000030D0000-memory.dmp
      Filesize

      44.8MB

      Download
    • memory/2548-415-0x0000000005210000-0x0000000005AFB000-memory.dmp
      Filesize

      8.9MB

      Download
    • memory/2548-1146-0x0000000000400000-0x00000000030D0000-memory.dmp
      Filesize

      44.8MB

      Download
    • memory/2548-649-0x0000000000400000-0x00000000030D0000-memory.dmp
      Filesize

      44.8MB

      Download
    • memory/4264-413-0x0000000000400000-0x00000000030D0000-memory.dmp
      Filesize

      44.8MB

      Download
    • memory/4264-120-0x00000000052C0000-0x0000000005BAB000-memory.dmp
      Filesize

      8.9MB

      Download
    • memory/4264-284-0x0000000000400000-0x00000000030D0000-memory.dmp
      Filesize

      44.8MB

      Download
    • memory/4796-1892-0x0000000000400000-0x00000000008DF000-memory.dmp
      Filesize

      4.9MB

      Download
    • memory/4796-1890-0x0000000000400000-0x00000000008DF000-memory.dmp
      Filesize

      4.9MB

      Download
    • memory/4956-1644-0x0000000007190000-0x00000000071A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4956-1667-0x0000000007190000-0x00000000071A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4956-1643-0x0000000007190000-0x00000000071A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4976-1907-0x0000000000400000-0x0000000000C25000-memory.dmp
      Filesize

      8.1MB

      Download
    • memory/4976-1911-0x0000000000400000-0x0000000000C25000-memory.dmp
      Filesize

      8.1MB

      Download
    • memory/5036-663-0x0000000004CB0000-0x0000000004CC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5036-756-0x0000000004CB0000-0x0000000004CC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5036-664-0x0000000004CB0000-0x0000000004CC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5036-683-0x000000007F400000-0x000000007F410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5064-131-0x0000000008830000-0x000000000887B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/5064-390-0x0000000008BF0000-0x0000000008C0A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/5064-1642-0x0000000000400000-0x00000000030D0000-memory.dmp
      Filesize

      44.8MB

      Download
    • memory/5064-188-0x000000000A660000-0x000000000A693000-memory.dmp
      Filesize

      204KB

      Download
    • memory/5064-189-0x000000000A640000-0x000000000A65E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/5064-194-0x000000000A6A0000-0x000000000A745000-memory.dmp
      Filesize

      660KB

      Download
    • memory/5064-150-0x0000000008C70000-0x0000000008CAC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/5064-195-0x000000000A8A0000-0x000000000A934000-memory.dmp
      Filesize

      592KB

      Download
    • memory/5064-1885-0x0000000000400000-0x00000000030D0000-memory.dmp
      Filesize

      44.8MB

      Download
    • memory/5064-130-0x00000000086D0000-0x00000000086EC000-memory.dmp
      Filesize

      112KB

      Download
    • memory/5064-129-0x0000000008310000-0x0000000008660000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/5064-264-0x0000000005230000-0x0000000005240000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5064-128-0x0000000008180000-0x00000000081E6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/5064-181-0x00000000097F0000-0x0000000009866000-memory.dmp
      Filesize

      472KB

      Download
    • memory/5064-127-0x0000000008030000-0x0000000008096000-memory.dmp
      Filesize

      408KB

      Download
    • memory/5064-1894-0x0000000000400000-0x00000000030D0000-memory.dmp
      Filesize

      44.8MB

      Download
    • memory/5064-1896-0x0000000000400000-0x00000000030D0000-memory.dmp
      Filesize

      44.8MB

      Download
    • memory/5064-1898-0x0000000000400000-0x00000000030D0000-memory.dmp
      Filesize

      44.8MB

      Download
    • memory/5064-1900-0x0000000000400000-0x00000000030D0000-memory.dmp
      Filesize

      44.8MB

      Download
    • memory/5064-126-0x0000000007860000-0x0000000007882000-memory.dmp
      Filesize

      136KB

      Download
    • memory/5064-125-0x0000000007950000-0x0000000007F78000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/5064-124-0x0000000005230000-0x0000000005240000-memory.dmp
      Filesize

      64KB

      Download
    • memory/5064-395-0x0000000007570000-0x0000000007578000-memory.dmp
      Filesize

      32KB

      Download
    • memory/5064-1908-0x0000000000400000-0x00000000030D0000-memory.dmp
      Filesize

      44.8MB

      Download
    • memory/5064-123-0x0000000005240000-0x0000000005276000-memory.dmp
      Filesize

      216KB

      Download
    • memory/5064-1910-0x0000000000400000-0x00000000030D0000-memory.dmp
      Filesize

      44.8MB

      Download
    • memory/5064-1394-0x0000000000400000-0x00000000030D0000-memory.dmp
      Filesize

      44.8MB

      Download