glupteba | 9371ca0ca0eb53e4f9359d9a98eaf6230e59da36630eb798e8bed18643026544

Analysis

max time kernel
55s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca627643bb7b7b47e9a5df13b9e3965d.exe
Size

38KB
MD5

ca627643bb7b7b47e9a5df13b9e3965d
SHA1

c2628970d91a3170c169074849ac6e9f1e0a8bbc
SHA256

9371ca0ca0eb53e4f9359d9a98eaf6230e59da36630eb798e8bed18643026544
SHA512

4e305286fc33b0b7c91f4fc8385bd2e9306c69ad98157113255c1505eeb8bb6aaf9b27b1afd0dbd2daaedde4b6b79b0d4ff9654376b90bf817157e894badfc72
SSDEEP

768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3

Score

10^/10

glupteba redline smokeloader stealc 777 livetraffic up3 backdoor dropper evasion infostealer loader stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

20.79.30.95:13856

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

redline

Botnet

777

195.20.16.103:20440

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3424-92-0x0000000002FA0000-0x000000000388B000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/936-259-0x0000000000400000-0x0000000000490000-memory.dmp	family_redline
behavioral2/memory/5268-760-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

5516 netsh.exe
Deletes itself 1 IoCs

Processes:

pid process

3408
Executes dropped EXE 2 IoCs

Processes:

AC9.exe2065.exe

pid process

1804 AC9.exe
2516 2065.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
5516	netsh.exe

pid	process
3408

pid	process
1804	AC9.exe
2516	2065.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3924	460	WerFault.exe	toolspub2.exe
5600	772	WerFault.exe	tuc4.tmp
5804	5976	WerFault.exe	explorer.exe
2836	5444	WerFault.exe	explorer.exe
5784	2328	WerFault.exe	explorer.exe
2336	4912	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ca627643bb7b7b47e9a5df13b9e3965d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ca627643bb7b7b47e9a5df13b9e3965d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ca627643bb7b7b47e9a5df13b9e3965d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ca627643bb7b7b47e9a5df13b9e3965d.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4988 schtasks.exe
5396 schtasks.exe
Runs net.exe

pid	process
4988	schtasks.exe
5396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ca627643bb7b7b47e9a5df13b9e3965d.exe

pid	process
3964	ca627643bb7b7b47e9a5df13b9e3965d.exe
3964	ca627643bb7b7b47e9a5df13b9e3965d.exe
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408
3408

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ca627643bb7b7b47e9a5df13b9e3965d.exe

pid process

3964 ca627643bb7b7b47e9a5df13b9e3965d.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

description	pid	target process
PID 3408 wrote to memory of 1804	3408	AC9.exe
PID 3408 wrote to memory of 1804	3408	AC9.exe
PID 3408 wrote to memory of 1804	3408	AC9.exe
PID 3408 wrote to memory of 2516	3408	2065.exe
PID 3408 wrote to memory of 2516	3408	2065.exe
PID 3408 wrote to memory of 2516	3408	2065.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ca627643bb7b7b47e9a5df13b9e3965d.exe
"C:\Users\Admin\AppData\Local\Temp\ca627643bb7b7b47e9a5df13b9e3965d.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3964

C:\Users\Admin\AppData\Local\Temp\AC9.exe
C:\Users\Admin\AppData\Local\Temp\AC9.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:5268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:5856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\2065.exe
C:\Users\Admin\AppData\Local\Temp\2065.exe
1⤵
- Executes dropped EXE
PID:2516

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
PID:3424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
PID:3924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:5468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:5560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:5892

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:5160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:2752

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:5132

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:5548

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:5396

C:\Users\Admin\AppData\Local\Temp\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
2⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\is-42LM2.tmp\tuc4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-42LM2.tmp\tuc4.tmp" /SL5="$E0056,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
3⤵
PID:772

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 23
4⤵
PID:660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 23
5⤵
PID:2072

C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -i
4⤵
PID:2692

C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe
"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -s
4⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 1120
4⤵
- Program crash
PID:5600

C:\Users\Admin\AppData\Local\Temp\etopt.exe
"C:\Users\Admin\AppData\Local\Temp\etopt.exe"
2⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
2⤵
PID:1868

C:\ProgramData\Java Updater\g15wkewm.exe
/prstb
3⤵
PID:5728

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 1128
5⤵
- Program crash
PID:2836

C:\ProgramData\Java Updater\g15wkewm.exe
/prstb
3⤵
PID:5696

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1140
5⤵
- Program crash
PID:5784

C:\ProgramData\Java Updater\g15wkewm.exe
/prstb
3⤵
PID:5848

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1152
5⤵
- Program crash
PID:2336

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
1⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
1⤵
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 332
2⤵
- Program crash
PID:3924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
PID:936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\28B3.exe
C:\Users\Admin\AppData\Local\Temp\28B3.exe
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 460 -ip 460
1⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\nsb3A58.tmp.exe
C:\Users\Admin\AppData\Local\Temp\nsb3A58.tmp.exe
1⤵
PID:2116

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:5516

C:\Users\Admin\AppData\Local\Temp\8B94.exe
C:\Users\Admin\AppData\Local\Temp\8B94.exe
1⤵
PID:5644

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 1092
3⤵
- Program crash
PID:5804

C:\Users\Admin\AppData\Local\Temp\9327.exe
C:\Users\Admin\AppData\Local\Temp\9327.exe
1⤵
PID:6048

C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
2⤵
PID:6088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 772 -ip 772
1⤵
PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5976 -ip 5976
1⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5444 -ip 5444
1⤵
PID:6124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2328 -ip 2328
1⤵
PID:5908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4912 -ip 4912
1⤵
PID:5536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2065.exe
Filesize
156KB

MD5
2f6be8567bf1a8b7f7ad7e48c7096003

SHA1
0bb9201821c076c15703dc2ecb6452d5f323309a

SHA256
37eec6b7de96da6587e2bfc64c05bfa9289bd5b3903c02c3ddd84f6beeb30273

SHA512
b93820e6e43dbec0c60834ba5c0ed062eb8523537b35058d15822463dfb698f8c521f12b2f494492558b569cf7b335b478894e4536569fa5476e41b185f6cb4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2065.exe
Filesize
893KB

MD5
09b5fd8f5e6122d69ff2caea8caa22c1

SHA1
e9b344b3c6da36a61e8ac3434c81642192342084

SHA256
0923e1075c106f13c6d841f0fec904dc11aefcab6447c1a89abacc4ee24a5df7

SHA512
7f9039e50ee7fcdee484eeb77347e10eb9936b0576369f2acf2585f7584f345503dd41a69b367afed1fb1e48811a780bc3e5cff1a528d6c1fe2bb10a13b31398

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC9.exe
Filesize
896KB

MD5
ba1f70f59b1d8b348944c2ff25f495ff

SHA1
009d0851f4f0a8856094c7f92d17e78926e4a5bf

SHA256
5d32a3b4b94d852221f9a1af7ddbdb89b46a037e5baf89b12b008c460b8676de

SHA512
0663e8f6947f5dd3e11d49a30d9cc2307270457bd06a04d4b6d947e7acaab58205c01688e28a74ca8e10d714b5d27a9ae7015bfde236d7e1a43595475ae00fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC9.exe
Filesize
196KB

MD5
0e235ebf1a6e7bd3d89d739b17ab9c17

SHA1
cbc11541ebf585db5f05898e3250af3734b872d5

SHA256
90031fa17304c6f0cdee7e3bcea993f328b04a6afebe6136fb5398413750e603

SHA512
b67755ab3acd85295554fc2bee05739fe774d7df90189b27055d989bb0d349b65943989e54204d5541e419cf05cdcce4b04b83feed590b5eaaad29d3289a73d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
283KB

MD5
2d24e3baa2a16e47bee10e91381e6391

SHA1
013b59b2cd69e93694196dfb34fddc8684cfd619

SHA256
ff2e975c649d66476c48ac9fe64455eb0727fede676d000728d09d62d2dc6db4

SHA512
be515895b29390e1c9c44620f7b18c8ae57d08627b8bbf7484b551ccf079011f95baa78e71c1a2a6280b544dd06444b509b7c9ba126b525d813afd68010b03e7

Download Submit
memory/460-548-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/460-75-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/460-81-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/772-129-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/772-620-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/828-742-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/936-280-0x0000000007F00000-0x0000000007F3C000-memory.dmp

Filesize
240KB

Download
memory/936-274-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/936-259-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/936-273-0x0000000006500000-0x0000000006B18000-memory.dmp

Filesize
6.1MB

Download
memory/936-279-0x0000000007EA0000-0x0000000007EB2000-memory.dmp

Filesize
72KB

Download
memory/936-270-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/936-271-0x0000000005200000-0x000000000520A000-memory.dmp

Filesize
40KB

Download
memory/936-266-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/936-289-0x0000000008080000-0x00000000080CC000-memory.dmp

Filesize
304KB

Download
memory/936-268-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/936-264-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/1804-121-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/1804-12-0x0000000000810000-0x0000000000BD6000-memory.dmp

Filesize
3.8MB

Download
memory/1804-13-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/1804-14-0x0000000005440000-0x00000000054DC000-memory.dmp

Filesize
624KB

Download
memory/2116-562-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/2116-559-0x0000000000B40000-0x0000000000C40000-memory.dmp

Filesize
1024KB

Download
memory/2116-794-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2116-560-0x0000000000970000-0x000000000098C000-memory.dmp

Filesize
112KB

Download
memory/2300-257-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/2300-66-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/2300-602-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2516-91-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/2516-20-0x0000000000DB0000-0x000000000208E000-memory.dmp

Filesize
18.9MB

Download
memory/2516-19-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/2692-596-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2692-591-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3088-515-0x0000000004D10000-0x0000000004D76000-memory.dmp

Filesize
408KB

Download
memory/3088-579-0x00000000071E0000-0x00000000071FE000-memory.dmp

Filesize
120KB

Download
memory/3088-563-0x0000000007630000-0x0000000007CAA000-memory.dmp

Filesize
6.5MB

Download
memory/3088-569-0x000000006C1E0000-0x000000006C534000-memory.dmp

Filesize
3.3MB

Download
memory/3088-565-0x00000000071A0000-0x00000000071D2000-memory.dmp

Filesize
200KB

Download
memory/3088-567-0x00000000714B0000-0x00000000714FC000-memory.dmp

Filesize
304KB

Download
memory/3088-508-0x0000000002630000-0x0000000002666000-memory.dmp

Filesize
216KB

Download
memory/3088-509-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/3088-510-0x0000000004790000-0x00000000047A0000-memory.dmp

Filesize
64KB

Download
memory/3088-511-0x0000000004DD0000-0x00000000053F8000-memory.dmp

Filesize
6.2MB

Download
memory/3088-552-0x0000000006F30000-0x0000000006FA6000-memory.dmp

Filesize
472KB

Download
memory/3088-568-0x000000007F810000-0x000000007F820000-memory.dmp

Filesize
64KB

Download
memory/3088-514-0x0000000004B40000-0x0000000004B62000-memory.dmp

Filesize
136KB

Download
memory/3088-526-0x0000000005820000-0x0000000005B74000-memory.dmp

Filesize
3.3MB

Download
memory/3088-521-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/3088-512-0x0000000004790000-0x00000000047A0000-memory.dmp

Filesize
64KB

Download
memory/3088-535-0x0000000005C20000-0x0000000005C3E000-memory.dmp

Filesize
120KB

Download
memory/3088-581-0x0000000007200000-0x00000000072A3000-memory.dmp

Filesize
652KB

Download
memory/3088-584-0x00000000072F0000-0x00000000072FA000-memory.dmp

Filesize
40KB

Download
memory/3088-580-0x0000000004790000-0x00000000047A0000-memory.dmp

Filesize
64KB

Download
memory/3088-547-0x0000000006170000-0x00000000061B4000-memory.dmp

Filesize
272KB

Download
memory/3088-564-0x0000000006FE0000-0x0000000006FFA000-memory.dmp

Filesize
104KB

Download
memory/3408-1-0x0000000001720000-0x0000000001736000-memory.dmp

Filesize
88KB

Download
memory/3408-536-0x0000000001510000-0x0000000001526000-memory.dmp

Filesize
88KB

Download
memory/3424-561-0x0000000002FA0000-0x000000000388B000-memory.dmp

Filesize
8.9MB

Download
memory/3424-513-0x0000000002B90000-0x0000000002F92000-memory.dmp

Filesize
4.0MB

Download
memory/3424-92-0x0000000002FA0000-0x000000000388B000-memory.dmp

Filesize
8.9MB

Download
memory/3424-128-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3424-603-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3424-566-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3424-88-0x0000000002B90000-0x0000000002F92000-memory.dmp

Filesize
4.0MB

Download
memory/3488-71-0x0000000001F50000-0x0000000001F59000-memory.dmp

Filesize
36KB

Download
memory/3488-69-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/3492-156-0x0000000004250000-0x0000000004E78000-memory.dmp

Filesize
12.2MB

Download
memory/3492-137-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/3492-240-0x0000000004E80000-0x0000000004EBA000-memory.dmp

Filesize
232KB

Download
memory/3492-108-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/3924-743-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3964-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3964-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4332-74-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4332-269-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4560-204-0x0000000000790000-0x0000000000830000-memory.dmp

Filesize
640KB

Download
memory/4560-238-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4560-267-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4560-239-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/4560-242-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4560-261-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/5160-776-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5268-760-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5644-777-0x0000000002150000-0x00000000021B6000-memory.dmp

Filesize
408KB

Download
memory/5644-774-0x0000000000010000-0x000000000006D000-memory.dmp

Filesize
372KB

Download
memory/5976-784-0x0000000000F10000-0x0000000001344000-memory.dmp

Filesize
4.2MB

Download
memory/5976-786-0x0000000000F10000-0x0000000001344000-memory.dmp

Filesize
4.2MB

Download
memory/5976-788-0x0000000000A60000-0x0000000000B24000-memory.dmp

Filesize
784KB

Download