Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    07-06-2023 04:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c802135a37db67e60a254382f3a3075ec54025ffdda8c09b5da555f9d4a83d2.exe

  • Size

    4.2MB

  • MD5

    ed5c87772a5712ca9aabfef82435f7b2

  • SHA1

    ed5c90d94f9ee59ee52d4cf977e97b9423f23732

  • SHA256

    6c802135a37db67e60a254382f3a3075ec54025ffdda8c09b5da555f9d4a83d2

  • SHA512

    1bca97953981156be76082c580f5e8b4a34d656d191bd92118670e2fae321e9090754ef0cac920c6cfde015ad182efe247dff0e2f9c64368d6983582e3ab1083

  • SSDEEP

    98304:+wxLTHiVfND5jI8y46oyWY2H3chRPWTrgRgGL/Yh55yA:+wxHode46pGHKwrgacy5b

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojanupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 17 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c802135a37db67e60a254382f3a3075ec54025ffdda8c09b5da555f9d4a83d2.exe
    "C:\Users\Admin\AppData\Local\Temp\6c802135a37db67e60a254382f3a3075ec54025ffdda8c09b5da555f9d4a83d2.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3200
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4540
    • C:\Users\Admin\AppData\Local\Temp\6c802135a37db67e60a254382f3a3075ec54025ffdda8c09b5da555f9d4a83d2.exe
      "C:\Users\Admin\AppData\Local\Temp\6c802135a37db67e60a254382f3a3075ec54025ffdda8c09b5da555f9d4a83d2.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:220
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2152
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5056
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:5028
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4920
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3760
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2440
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4252
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3940
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3984
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4784
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4072
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:440
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4260
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4164
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:1808
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:2560

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Disabling Security Tools

    2
    T1089

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5y4yhjx1.mig.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      7b7739b47d174128508d9eb8f7ff3ec5

      SHA1

      10be9bb43aefa977613a10f330adcb61ebac3cd8

      SHA256

      72a961827edb6a616dbe3fc19ad7d9e072792c621091d6f31ca58affaa0de5ef

      SHA512

      bd7a3db0ce06cffc1568632cee902f0552c929d10d6f69c133d837dda9edc2ac52cc54e113b9ca0a5698ed578b00b08309da886e99323057738ba1204ed7a6be

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      abbc12fe34476da6a850fd4880634d91

      SHA1

      eed32d8e358fe1a73ae15f2ad5f4ea463d0a0b0b

      SHA256

      98ce05aef58aef419a6055bff0818fca36b80831b85bac6f855948f99c6c1c48

      SHA512

      bd0455719eb89c2f264774f07cff26636052a9c43b1956a9585264c7987f94a78866d35a91cdbc731b80c38ccf27956b08197c10e8091019a1c69d3b8e2e0edf

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      125062189b808c8c46b359d23ada2269

      SHA1

      3d5f8c1b14b226a1740792463145de773257e5dc

      SHA256

      78b6be960b09cc544aa2feb96ba04edb6177949a06b0e97502f6f7eabeba890f

      SHA512

      fa5165b4af712c10200df6237451e7d2da74212c3ae737ce55b29d9ba3ea39a8ae24b0832cbe619185e0ec616bbdeb3b7b1b1656f5fcdd35809852dee286a4d6

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      7171bf2b2559335312f0d937828a5894

      SHA1

      6b684bb6e738324c2db6cd6aa423c8dd7cdc253f

      SHA256

      61f4665a8659ea6542fa2c523471b381fba129e412421ab5ca81f8304bda76f3

      SHA512

      02ed988dfae64577a14b43ce481358781c2947bbf56989b1a4a052321625f3dd9d6bb8115023f0d662768f02958bf50db525a1f5b3d631a93fe34b924f48be45

      Download Submit
    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      d2b101d7fcce5512da6b4d7e1549e6bd

      SHA1

      266d49d80a2d08e894c9f942115f615aaa86256a

      SHA256

      460dfc4bcaa3b345010f92f007129b432e65fed6931608aab44128060ff78d18

      SHA512

      505298a92194ea70e26316094650d26e137cb03a993c003fa460d7994dd267fcc49746af7896eb35d9185b845a878b7e45bb4bef288a723d697b3bfa11c89cfe

      Download Submit
    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      ed5c87772a5712ca9aabfef82435f7b2

      SHA1

      ed5c90d94f9ee59ee52d4cf977e97b9423f23732

      SHA256

      6c802135a37db67e60a254382f3a3075ec54025ffdda8c09b5da555f9d4a83d2

      SHA512

      1bca97953981156be76082c580f5e8b4a34d656d191bd92118670e2fae321e9090754ef0cac920c6cfde015ad182efe247dff0e2f9c64368d6983582e3ab1083

      Download Submit
    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      ed5c87772a5712ca9aabfef82435f7b2

      SHA1

      ed5c90d94f9ee59ee52d4cf977e97b9423f23732

      SHA256

      6c802135a37db67e60a254382f3a3075ec54025ffdda8c09b5da555f9d4a83d2

      SHA512

      1bca97953981156be76082c580f5e8b4a34d656d191bd92118670e2fae321e9090754ef0cac920c6cfde015ad182efe247dff0e2f9c64368d6983582e3ab1083

      Download Submit
    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit
    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit
    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit
    • memory/220-765-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/220-1057-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/220-547-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/220-1155-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/2152-658-0x0000000006D00000-0x0000000006D10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2152-423-0x0000000007D70000-0x00000000080C0000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2152-450-0x0000000006D00000-0x0000000006D10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2152-449-0x000000007EEA0000-0x000000007EEB0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2152-448-0x0000000009670000-0x0000000009715000-memory.dmp
      Filesize

      660KB

      Download
    • memory/2152-425-0x0000000006D00000-0x0000000006D10000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2152-424-0x00000000084F0000-0x000000000853B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/2440-1187-0x0000000008EA0000-0x0000000008F45000-memory.dmp
      Filesize

      660KB

      Download
    • memory/2440-1160-0x0000000007420000-0x0000000007770000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2440-1188-0x000000007F0D0000-0x000000007F0E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2440-1243-0x00000000067B0000-0x00000000067C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2440-1163-0x00000000067B0000-0x00000000067C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2440-1162-0x00000000067B0000-0x00000000067C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2440-1164-0x00000000079B0000-0x00000000079FB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/2560-1906-0x0000000000400000-0x00000000008DF000-memory.dmp
      Filesize

      4.9MB

      Download
    • memory/2560-1900-0x0000000000400000-0x00000000008DF000-memory.dmp
      Filesize

      4.9MB

      Download
    • memory/2612-1639-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/2612-1893-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/2612-1911-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/2612-1909-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/2612-1907-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/2612-1361-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/2612-1901-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/2612-1903-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/2612-1905-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/3200-417-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/3200-122-0x0000000004C70000-0x000000000555B000-memory.dmp
      Filesize

      8.9MB

      Download
    • memory/3200-419-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/3200-185-0x0000000000400000-0x0000000002958000-memory.dmp
      Filesize

      37.3MB

      Download
    • memory/3760-914-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3760-937-0x000000007F470000-0x000000007F480000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3760-1006-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3760-913-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3984-1440-0x000000007EA80000-0x000000007EA90000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3984-1405-0x0000000007630000-0x0000000007980000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3984-1442-0x0000000006770000-0x0000000006780000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3984-1432-0x0000000009040000-0x00000000090E5000-memory.dmp
      Filesize

      660KB

      Download
    • memory/3984-1409-0x0000000006770000-0x0000000006780000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3984-1408-0x0000000006770000-0x0000000006780000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3984-1407-0x0000000007DB0000-0x0000000007DFB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4260-1899-0x0000000000400000-0x00000000008DF000-memory.dmp
      Filesize

      4.9MB

      Download
    • memory/4540-223-0x0000000007280000-0x0000000007290000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4540-131-0x0000000008290000-0x00000000082F6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4540-125-0x0000000007280000-0x0000000007290000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4540-395-0x000000000A360000-0x000000000A37A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4540-400-0x000000000A350000-0x000000000A358000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4540-126-0x0000000007220000-0x0000000007256000-memory.dmp
      Filesize

      216KB

      Download
    • memory/4540-127-0x00000000078C0000-0x0000000007EE8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4540-200-0x000000000A830000-0x000000000A8C4000-memory.dmp
      Filesize

      592KB

      Download
    • memory/4540-128-0x0000000007280000-0x0000000007290000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4540-199-0x000000000A670000-0x000000000A715000-memory.dmp
      Filesize

      660KB

      Download
    • memory/4540-129-0x0000000007F30000-0x0000000007F52000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4540-194-0x00000000086F0000-0x000000000870E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4540-130-0x00000000080B0000-0x0000000008116000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4540-272-0x0000000007280000-0x0000000007290000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4540-193-0x000000007FC50000-0x000000007FC60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4540-192-0x000000000A630000-0x000000000A663000-memory.dmp
      Filesize

      204KB

      Download
    • memory/4540-184-0x0000000009820000-0x0000000009896000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4540-153-0x0000000009720000-0x000000000975C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4540-134-0x0000000008BC0000-0x0000000008C0B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4540-133-0x0000000007530000-0x000000000754C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/4540-132-0x0000000008300000-0x0000000008650000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4784-1692-0x0000000004B40000-0x0000000004B50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4784-1689-0x000000007F370000-0x000000007F380000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4784-1650-0x0000000004B40000-0x0000000004B50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4920-695-0x000000007F3F0000-0x000000007F400000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4920-672-0x0000000004C80000-0x0000000004C90000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4920-671-0x0000000004C80000-0x0000000004C90000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4920-669-0x0000000007FA0000-0x00000000082F0000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4920-696-0x0000000004C80000-0x0000000004C90000-memory.dmp
      Filesize

      64KB

      Download