Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    304s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15/03/2024, 00:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0b5bcbdf1fcc378dbe0643a576e2c386035daab70aafce96d5a694eaa7ba5460.exe

  • Size

    4.1MB

  • MD5

    5c452c28469676ceae8bb01cdaef4ae7

  • SHA1

    fd7686c3f11eb3f0dd9577ea1ca3d93f3a5c539b

  • SHA256

    0b5bcbdf1fcc378dbe0643a576e2c386035daab70aafce96d5a694eaa7ba5460

  • SHA512

    51f4103e5f65eb93af5cc7953c1a4ad621f18e5863cd34964e987e21563ab0aec9fb3bb9f0ecfb54f0541bf74c131b0e6329176296c29838c80acd0e2fe2b34a

  • SSDEEP

    98304:vpZ3BslI2HXHhL8caWS9URUM/Ogdf6Diy8PWZiZExHzDU1EHF01:vL+I6XBL8caW5SAuZiZEBDU111

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojanupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 37 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b5bcbdf1fcc378dbe0643a576e2c386035daab70aafce96d5a694eaa7ba5460.exe
    "C:\Users\Admin\AppData\Local\Temp\0b5bcbdf1fcc378dbe0643a576e2c386035daab70aafce96d5a694eaa7ba5460.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:68
    • C:\Users\Admin\AppData\Local\Temp\0b5bcbdf1fcc378dbe0643a576e2c386035daab70aafce96d5a694eaa7ba5460.exe
      "C:\Users\Admin\AppData\Local\Temp\0b5bcbdf1fcc378dbe0643a576e2c386035daab70aafce96d5a694eaa7ba5460.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:644
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:5100
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3528
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3772
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4740
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4508
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2812
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:2332
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2928
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2524
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3000
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4976
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1052
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4656
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:1212
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:3800
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:4960

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_31k2yw4j.yfu.ps1
            Filesize

            1B

            MD5

            c4ca4238a0b923820dcc509a6f75849b

            SHA1

            356a192b7913b04c54574d18c28d46e6395428ab

            SHA256

            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

            SHA512

            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            Filesize

            281KB

            MD5

            d98e33b66343e7c96158444127a117f6

            SHA1

            bb716c5509a2bf345c6c1152f6e3e1452d39d50d

            SHA256

            5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

            SHA512

            705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            1c19c16e21c97ed42d5beabc93391fc5

            SHA1

            8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

            SHA256

            1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

            SHA512

            7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            18KB

            MD5

            5c6908bd79d335f97dbaa9c3786b168c

            SHA1

            10c9b5aff0eb6049335e72ffe319bcd8b77a0e6e

            SHA256

            2a514afc4f6fd7ea0c1f76e3b8cf76db5104bcec2742139f512fa5e8d2d03a2b

            SHA512

            0d3f198e4faebf47f1485ac3e0403eb1885b0f6535549adb7ab1a701cf19837881087a3f18fc93963e7eec873ed74c1f3bbdc8548d2ebed3b2188c0aca6bfd76

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            18KB

            MD5

            ffd3106416df1968684db4f94556a192

            SHA1

            4b025169470ec688641c8a09603f8d15ab5066bf

            SHA256

            1654fd9f4da89f2c53a025919bd1b3393f9d2677e436bab139388b193728b791

            SHA512

            15b048fa98ca44f3a73442f6d5ad1fcbd0acfefc4ff98a000d64550d40185458dfd348f0510b72611aeda1036b9d8f347ef90da969581d329115cd1c2969c931

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            18KB

            MD5

            11f0b620dfa4d5259185f0b237732b61

            SHA1

            15b6a4f3bd80b40fda11f217d70aee6d87e16e84

            SHA256

            4e3ca4450090923d42266e880ec800738e0beb22e53ae313982a248669e4007e

            SHA512

            99be5a14887e1ca94af904b5f5eb066d6b2fcd1e9d37acbdd9497b523e494e87d42c2fc5bee3c0f3598bf924eac48abd6f7d2389f6ed36a59f4f6b2300871d53

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            18KB

            MD5

            25be78f1cf17fa79449ede94e5e91557

            SHA1

            cbe717d6da3befaa12698f0a0b291c2793d4a9ad

            SHA256

            13c46c6780261a18f8493680f2e47e48d51380c77f53ebf22ada49058362fac0

            SHA512

            e24d3496a54800742f3c0375b85baefcc0276b54cef916683e00ce4008bbb5bd76da57f6df6dc040c8585fde82792c759d546e19fd290aef14d418e91d776465

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            18KB

            MD5

            6daba588e7d14930fce237a27247a0fd

            SHA1

            a32a1b216d2e7d231686bd142162287e7a3fea66

            SHA256

            0f318dee8d7c68c84ee0f3cdd9400cca85447d67b3aaa810fbf51b552c9a1843

            SHA512

            0b49ec4dc2f70b5661b0850b42ab427e68921139448aa02fadb438b1efcb4b7bfe17ac1d71599b7420b11c59afa69591b021180cd68127f755d4cd2dc01db9ad

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            18KB

            MD5

            9b70c8be3b630097af3850459bfefbb9

            SHA1

            bcff75b8bc3f81ac2d8003bf1392372db8d262ec

            SHA256

            6a0038df252ac60f6cd11649938adbb21708c2a7a568c09b49dbea929aa49103

            SHA512

            5b0a038b9d9618f1eb5c66c007e0a35897bb9723c0837d240910a9dac2779e57f17453cd8670b734e29ff20b9a7638c42ea02f77203c3473bc3e3581158c9fb2

            Download Submit

          • C:\Windows\rss\csrss.exe
            Filesize

            2.8MB

            MD5

            2192e1f2ff85020c8bffdedcd29e344e

            SHA1

            b17f3fee3ff01660359ca3117c9f51ff3a228950

            SHA256

            6d1ca450a261d1b1b73d7facb251d0a36da43f6dc0529b383d1629dcaf4a7515

            SHA512

            79e08fc9574fc97572017ac5f52e8fbf4825633491b5e135de22186245d7ab9f6a3530ba5c9b2c94b4e6c70dbc959299b328f40a1b8c046b98e98515191ce9bc

            Download Submit

          • C:\Windows\rss\csrss.exe
            Filesize

            2.5MB

            MD5

            a924c5c505e16758405d06b90418967b

            SHA1

            a84adac62f3d33da2734aa97b564b975df9a96d9

            SHA256

            a212b9abfc91746f6fcf168887a0712e7558d858e9539a5577b53221c32a9361

            SHA512

            b03cb6b509940ac4c7de97bcbd008be5714370c401c94d18d80f359df0935ce6d266a24d4abf8a33a3c3497aeb6178ead4c4ea82b9bbcdd876355e101b3b9f67

            Download Submit

          • C:\Windows\windefender.exe
            Filesize

            2.0MB

            MD5

            8e67f58837092385dcf01e8a2b4f5783

            SHA1

            012c49cfd8c5d06795a6f67ea2baf2a082cf8625

            SHA256

            166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

            SHA512

            40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

            Download Submit

          • C:\Windows\windefender.exe
            Filesize

            1.9MB

            MD5

            b66e64bfc696538cd1161fd631e2eea5

            SHA1

            8a4c4501839a447e5473695564722f478967ccee

            SHA256

            b241f64f98771ab5a860a4724aea96e5811d719e34aa67db89b12cff6962b776

            SHA512

            02d97113b17233fc74ceab5c03bad399577bae9b0b1390bff4f33c7bf2bac50ace2cc6fece213f58cc74082aeb411b369d3340909545eaf22f41af937db201c3

            Download Submit

          • C:\Windows\windefender.exe
            Filesize

            1.5MB

            MD5

            ae50567488951d9c9b7a26d3b96d52b3

            SHA1

            d7d81d26e80f201521908a655cabfa15700a5186

            SHA256

            b69952006b53ccf41554216cb82d10efa718739d6246c596a5fc2a0e21c56db8

            SHA512

            cfc3274b7331963f711ce7c1f80097d61bd7997e30a56c05f565f4002b9b9835c3a8ef4f48ed93466d450c985cec513e1e03269df2a0d8a4c0a24d24f716b5fb

            Download Submit

          • memory/68-300-0x0000000073470000-0x0000000073B5E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/68-7-0x0000000073470000-0x0000000073B5E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/68-66-0x0000000008A70000-0x0000000008AE6000-memory.dmp

            Filesize

            472KB

            Download

          • memory/68-74-0x0000000009890000-0x00000000098C3000-memory.dmp

            Filesize

            204KB

            Download

          • memory/68-75-0x0000000070180000-0x00000000701CB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/68-76-0x00000000701D0000-0x0000000070520000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/68-82-0x00000000098D0000-0x0000000009975000-memory.dmp

            Filesize

            660KB

            Download

          • memory/68-77-0x0000000009870000-0x000000000988E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/68-73-0x000000007F050000-0x000000007F060000-memory.dmp

            Filesize

            64KB

            Download

          • memory/68-83-0x00000000067E0000-0x00000000067F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/68-84-0x0000000009AF0000-0x0000000009B84000-memory.dmp

            Filesize

            592KB

            Download

          • memory/68-277-0x0000000009A50000-0x0000000009A6A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/68-282-0x0000000009A30000-0x0000000009A38000-memory.dmp

            Filesize

            32KB

            Download

          • memory/68-6-0x00000000066A0000-0x00000000066D6000-memory.dmp

            Filesize

            216KB

            Download

          • memory/68-8-0x00000000067E0000-0x00000000067F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/68-15-0x00000000078F0000-0x000000000790C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/68-16-0x0000000007E10000-0x0000000007E5B000-memory.dmp

            Filesize

            300KB

            Download

          • memory/68-14-0x0000000007550000-0x00000000078A0000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/68-9-0x00000000067E0000-0x00000000067F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/68-10-0x0000000006E20000-0x0000000007448000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/68-12-0x0000000006C20000-0x0000000006C86000-memory.dmp

            Filesize

            408KB

            Download

          • memory/68-11-0x0000000000C40000-0x0000000000C62000-memory.dmp

            Filesize

            136KB

            Download

          • memory/68-35-0x00000000089B0000-0x00000000089EC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/68-13-0x0000000006C90000-0x0000000006CF6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/368-821-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/368-1039-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/368-305-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/368-581-0x0000000002940000-0x0000000002D45000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/368-304-0x0000000002940000-0x0000000002D45000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/644-337-0x0000000009890000-0x0000000009935000-memory.dmp

            Filesize

            660KB

            Download

          • memory/644-548-0x0000000073570000-0x0000000073C5E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/644-310-0x0000000005080000-0x0000000005090000-memory.dmp

            Filesize

            64KB

            Download

          • memory/644-309-0x0000000005080000-0x0000000005090000-memory.dmp

            Filesize

            64KB

            Download

          • memory/644-311-0x0000000007F40000-0x0000000008290000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/644-312-0x0000000008A90000-0x0000000008ADB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/644-308-0x0000000073570000-0x0000000073C5E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/644-331-0x00000000702A0000-0x00000000702EB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/644-332-0x00000000702F0000-0x0000000070640000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/644-338-0x0000000005080000-0x0000000005090000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1052-1797-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/2968-302-0x0000000002E20000-0x000000000370B000-memory.dmp

            Filesize

            8.9MB

            Download

          • memory/2968-301-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/2968-1-0x0000000002A20000-0x0000000002E1B000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/2968-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/2968-2-0x0000000002E20000-0x000000000370B000-memory.dmp

            Filesize

            8.9MB

            Download

          • memory/3528-576-0x00000000702F0000-0x0000000070640000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/3528-554-0x0000000005220000-0x0000000005230000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3528-790-0x0000000073570000-0x0000000073C5E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/3528-575-0x00000000702A0000-0x00000000702EB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/3528-574-0x000000007F200000-0x000000007F210000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3528-552-0x0000000073570000-0x0000000073C5E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/3528-553-0x0000000005220000-0x0000000005230000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3772-1035-0x0000000073570000-0x0000000073C5E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/3772-822-0x0000000001220000-0x0000000001230000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3772-816-0x00000000702F0000-0x0000000070640000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/3772-815-0x00000000702A0000-0x00000000702EB000-memory.dmp

            Filesize

            300KB

            Download

          • memory/3772-795-0x0000000001220000-0x0000000001230000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3772-794-0x0000000001220000-0x0000000001230000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3772-793-0x0000000073570000-0x0000000073C5E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/4508-1048-0x0000000006BC0000-0x0000000006BD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4508-1047-0x00000000734D0000-0x0000000073BBE000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/4508-1049-0x0000000006BC0000-0x0000000006BD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4508-1050-0x0000000007830000-0x0000000007B80000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4508-1052-0x0000000007E20000-0x0000000007E6B000-memory.dmp

            Filesize

            300KB

            Download

          • memory/4740-1562-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1834-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1788-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1044-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1043-0x0000000003200000-0x0000000003AEB000-memory.dmp

            Filesize

            8.9MB

            Download

          • memory/4740-1798-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1042-0x0000000002E00000-0x00000000031F9000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/4740-1800-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1802-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1846-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1804-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1806-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1808-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1810-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1812-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1814-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1816-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1818-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1820-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1822-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1824-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1826-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1828-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1830-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1832-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1789-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1836-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1838-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1840-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1842-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4740-1844-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/4960-1803-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/4960-1799-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

            Download