Overview

overview

10

Static

static

1

90c2c0a385...7e.exe

windows7-x64

10

90c2c0a385...7e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-03-2024 07:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90c2c0a3850e702555c86672dfccf87e.exe

  • Size

    4.2MB

  • MD5

    90c2c0a3850e702555c86672dfccf87e

  • SHA1

    547237f6c49839d5b52c21541e3ef97e70c09e14

  • SHA256

    5d60502a5cb4d285aa1292f7d1fd6297e07e310babf6fc52bcdc86ef0c9e06bb

  • SHA512

    bef33bcfe5c99260d7e3d4a1f874606b166a8ee6307780140ce3350df0e1c7804695596fdcd252a9ce5445439afc2bb6a8b33d99bf175fb722f89213197367f9

  • SSDEEP

    98304:teW8UzsHIbLf9dWRHWVRhdNR5S1sJRNc/DhpLv/dFcsAkZ5X:q0L1dWRH6Rb9w/n3rVAk3

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkitupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 20 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\90c2c0a3850e702555c86672dfccf87e.exe
    "C:\Users\Admin\AppData\Local\Temp\90c2c0a3850e702555c86672dfccf87e.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3368
    • C:\Users\Admin\AppData\Local\Temp\90c2c0a3850e702555c86672dfccf87e.exe
      "C:\Users\Admin\AppData\Local\Temp\90c2c0a3850e702555c86672dfccf87e.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2016
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:752
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4944
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4000
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1008
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3352
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:224
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3216
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1156
            • C:\Windows\System32\Conhost.exe
              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              5⤵
                PID:3368
            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:1592
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              4⤵
              • Creates scheduled task(s)
              PID:1092
            • C:\Windows\windefender.exe
              "C:\Windows\windefender.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2120
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:4512
                • C:\Windows\SysWOW64\sc.exe
                  sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  6⤵
                  • Launches sc.exe
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4608
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 652
            3⤵
            • Program crash
            PID:3092
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 956
          2⤵
          • Program crash
          PID:3232
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1564 -ip 1564
        1⤵
          PID:4140
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1664 -ip 1664
          1⤵
            PID:4816
          • C:\Windows\windefender.exe
            C:\Windows\windefender.exe
            1⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:1944

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2syg5ycq.esw.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            Filesize

            281KB

            MD5

            d98e33b66343e7c96158444127a117f6

            SHA1

            bb716c5509a2bf345c6c1152f6e3e1452d39d50d

            SHA256

            5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

            SHA512

            705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            968cb9309758126772781b83adb8a28f

            SHA1

            8da30e71accf186b2ba11da1797cf67f8f78b47c

            SHA256

            92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

            SHA512

            4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            19KB

            MD5

            32cba14f8dfea31e24728ae8ea60f958

            SHA1

            9213ebcb50193ca768319e8cabcc6cd512c53ee1

            SHA256

            a63a3fdc796c341bcf290601277313cc6e61928436bad51f94e995ec83fcd05a

            SHA512

            38dd596f1c2780b1232b08ef8806644890ddff0739b2f6711f98971732c966061887e7ba8f0ed89dd7c476eb617cf13cf68db4c8b851016b7216d7ae181a2cd2

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            19KB

            MD5

            b5eba14f5cbd3d61bfd970e946d3f917

            SHA1

            6217cae0ef86a12b7d7e4ded3715fe214f5e0ade

            SHA256

            943ae6d736663fae008320443d6a16a1e35a0194a2531615e3f73bec3af56ae2

            SHA512

            cb176b7476ea7822454ab866965831dc522791ff8a073a39469fa35087be3013a02f586c4c0b409b4a8624cfa699d7521432fa28798a3a8c0a25169a5ecaab47

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            19KB

            MD5

            a66fb3f4fe5849ce2d4dd65d1e4b7edd

            SHA1

            a53c898641373943d55873f1f898a15677edad8e

            SHA256

            a7f47a7dc42a478c46df93b0edb84eb65eb761d90cf2706aa15784d79b0f487a

            SHA512

            2ae96f8ce1f006e04e4a42e244137038c07795a14e9d1ef7710e8245edfbe46e2d1b4011d7b68fc5bc1ed1dda1ac86b7ce14c333eb304cf5b19fa97994b88ec6

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            19KB

            MD5

            928e8af1bf05c347e2476454c02fb285

            SHA1

            35972d3375a31b75422976e14e0f904bb31aace0

            SHA256

            ad1e4fd051445daccb7106f91f3e8a898dd7872fb0835cc6bd7bb7ae66a183ce

            SHA512

            a832bd75509d4dfbc3289f218863bfd1a8dca66cace47250e08de2eba6e14a7c1b5bc99ef9904b724cfaea804551cc7593f74760cfc33cbda47c3d643b97993b

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            19KB

            MD5

            2cd427c63fae53f8205764031a922d23

            SHA1

            180288bc957dbb2edc14ff1112ae5767fbc3bf91

            SHA256

            e9e9c5948a814cb253673f885217a5ad7e38160e2e4fce0a58509ee3c7986427

            SHA512

            0c9f4df40cc98f5563c2e9d1f9cd397926210a32638adb22d47faa151fcc302bc31561d7728aca788860696cf694662c21c2f5a5f51a2bbf6216a6666fb47e7a

            Download Submit

          • C:\Windows\rss\csrss.exe
            Filesize

            788KB

            MD5

            7da0af2e494232be8324f58fb2ee589d

            SHA1

            0efaa421402ab63b189ebb201b27b8cd04670ea5

            SHA256

            5239fc678d51f076d2917404feba3a3feab88040dfdc9c9aecb57ac346724e75

            SHA512

            75294935310425c5a3862c83456720d3c4117685319c6d04c58aa13c57ad6f97876d3dd3b8fc251134821e28eecf1cce23d83bd82031ada2c580325c00462b81

            Download Submit

          • C:\Windows\rss\csrss.exe
            Filesize

            1.1MB

            MD5

            15c7f048471eafe8ea4e2d05b585359c

            SHA1

            389d1c2748817dfb9bf8c41e78641c1dfd077386

            SHA256

            e04977d1578f7ddc69ac488671a62b33f9797d2bf301e0f802df831812629c87

            SHA512

            c16783cfe1d9cab59b0dc5cc8645955fcdf935e8bea807ebaa3c1bc30c4bd55b851be2d39f86f47a5047c2d818cd4ab6d7c376a4868c992c44950b90910254c4

            Download Submit

          • C:\Windows\windefender.exe
            Filesize

            1.1MB

            MD5

            de7305b93feafcd5c3e9ae8102afa19e

            SHA1

            002b6c585762ce3bff5374f0473092495893aff2

            SHA256

            a2f0679b1c04150bc6e4601e3a869da0bfb69e9205ed5ea1fd19a2173f89b7aa

            SHA512

            d6a32cb36d17b7e8186182cc041aafc68585456320ab9cd4aa9b6c35eddae475dbbb9784dbfa6cc1d13188c9ca60c0eca7cff1484a0f2f6a6e0b52b6a1fd4f58

            Download Submit

          • C:\Windows\windefender.exe
            Filesize

            2.0MB

            MD5

            8e67f58837092385dcf01e8a2b4f5783

            SHA1

            012c49cfd8c5d06795a6f67ea2baf2a082cf8625

            SHA256

            166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

            SHA512

            40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

            Download Submit

          • memory/1564-54-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/1564-56-0x0000000003E30000-0x000000000471B000-memory.dmp

            Filesize

            8.9MB

            Download

          • memory/1564-1-0x0000000003A20000-0x0000000003E23000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/1564-2-0x0000000003E30000-0x000000000471B000-memory.dmp

            Filesize

            8.9MB

            Download

          • memory/1564-3-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/1664-123-0x0000000003A20000-0x0000000003E19000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/1664-135-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/1664-57-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/1664-156-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/1664-55-0x0000000003A20000-0x0000000003E19000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/1944-272-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/1944-268-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/2016-72-0x000000007F4A0000-0x000000007F4B0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2016-85-0x0000000007570000-0x0000000007613000-memory.dmp

            Filesize

            652KB

            Download

          • memory/2016-90-0x0000000074380000-0x0000000074B30000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2016-87-0x00000000078A0000-0x00000000078B4000-memory.dmp

            Filesize

            80KB

            Download

          • memory/2016-86-0x0000000007850000-0x0000000007861000-memory.dmp

            Filesize

            68KB

            Download

          • memory/2016-73-0x0000000070280000-0x00000000702CC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/2016-84-0x0000000002A10000-0x0000000002A20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2016-74-0x0000000070A20000-0x0000000070D74000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2016-71-0x00000000068F0000-0x000000000693C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/2016-61-0x0000000005CB0000-0x0000000006004000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2016-58-0x0000000074380000-0x0000000074B30000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2016-59-0x0000000002A10000-0x0000000002A20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2016-60-0x0000000002A10000-0x0000000002A20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2120-266-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/2784-258-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/2784-273-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/2784-275-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/2784-277-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/2784-279-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/2784-269-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/2784-281-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/2784-283-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/2784-267-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/2784-285-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/2784-287-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/2784-289-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/2784-271-0x0000000000400000-0x0000000001E17000-memory.dmp

            Filesize

            26.1MB

            Download

          • memory/3368-8-0x0000000005990000-0x0000000005FB8000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/3368-30-0x0000000070180000-0x00000000701CC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/3368-44-0x0000000008730000-0x00000000087C6000-memory.dmp

            Filesize

            600KB

            Download

          • memory/3368-26-0x00000000080B0000-0x000000000872A000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/3368-45-0x0000000007F80000-0x0000000007F91000-memory.dmp

            Filesize

            68KB

            Download

          • memory/3368-46-0x0000000007FC0000-0x0000000007FCE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3368-47-0x0000000007FD0000-0x0000000007FE4000-memory.dmp

            Filesize

            80KB

            Download

          • memory/3368-48-0x0000000008020000-0x000000000803A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/3368-49-0x0000000008010000-0x0000000008018000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3368-52-0x00000000742E0000-0x0000000074A90000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3368-42-0x0000000007E70000-0x0000000007F13000-memory.dmp

            Filesize

            652KB

            Download

          • memory/3368-31-0x0000000070300000-0x0000000070654000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/3368-27-0x0000000007A50000-0x0000000007A6A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/3368-4-0x0000000005240000-0x0000000005276000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3368-41-0x0000000007E50000-0x0000000007E6E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/3368-25-0x00000000079B0000-0x0000000007A26000-memory.dmp

            Filesize

            472KB

            Download

          • memory/3368-24-0x0000000006DF0000-0x0000000006E34000-memory.dmp

            Filesize

            272KB

            Download

          • memory/3368-6-0x0000000005350000-0x0000000005360000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3368-23-0x00000000068C0000-0x000000000690C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/3368-22-0x0000000006880000-0x000000000689E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/3368-21-0x00000000064B0000-0x0000000006804000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/3368-16-0x00000000061D0000-0x0000000006236000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3368-10-0x0000000006030000-0x0000000006096000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3368-9-0x0000000005830000-0x0000000005852000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3368-43-0x0000000007F60000-0x0000000007F6A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3368-29-0x0000000007E10000-0x0000000007E42000-memory.dmp

            Filesize

            200KB

            Download

          • memory/3368-7-0x0000000005350000-0x0000000005360000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3368-5-0x00000000742E0000-0x0000000074A90000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3368-28-0x000000007F500000-0x000000007F510000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4000-124-0x0000000005140000-0x0000000005150000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4000-137-0x000000007EF80000-0x000000007EF90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4000-122-0x0000000074380000-0x0000000074B30000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4000-130-0x0000000005140000-0x0000000005150000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4944-121-0x0000000074380000-0x0000000074B30000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4944-93-0x0000000005470000-0x0000000005480000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4944-94-0x0000000005470000-0x0000000005480000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4944-119-0x0000000005470000-0x0000000005480000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4944-118-0x0000000005470000-0x0000000005480000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4944-108-0x0000000070420000-0x0000000070774000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4944-107-0x0000000070280000-0x00000000702CC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4944-106-0x000000007EF10000-0x000000007EF20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4944-104-0x0000000006360000-0x00000000066B4000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4944-92-0x0000000074380000-0x0000000074B30000-memory.dmp

            Filesize

            7.7MB

            Download