Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28-03-2024 07:46

General

  • Target

    3949c37bb29511d9d08a8967b10a007b6775aa6ae5ffcd8bf2f939c0614e0d64.exe

  • Size

    4.2MB

  • MD5

    0cf89b056c66bef40dedb8afc4f57eb6

  • SHA1

    d73ac89a4da0b120f296e9b0cb591aaa75d811e4

  • SHA256

    3949c37bb29511d9d08a8967b10a007b6775aa6ae5ffcd8bf2f939c0614e0d64

  • SHA512

    c11018a73ad05029644a4d43839e3e65a7692202e719c40db5d9af67f0111a4252f17de36fa4a3315ed89ed5a34df99c6fdd7666b8c06f19c9b72b6244744915

  • SSDEEP

    98304:Jak2rBgQfQBO+kzrSFtHCULP6tfKPz4QF3r9WIw5oNx+N:Uz5TBz4iULCtkz4QV5Wt5ofc

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 20 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3949c37bb29511d9d08a8967b10a007b6775aa6ae5ffcd8bf2f939c0614e0d64.exe
    "C:\Users\Admin\AppData\Local\Temp\3949c37bb29511d9d08a8967b10a007b6775aa6ae5ffcd8bf2f939c0614e0d64.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4796
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3520
    • C:\Users\Admin\AppData\Local\Temp\3949c37bb29511d9d08a8967b10a007b6775aa6ae5ffcd8bf2f939c0614e0d64.exe
      "C:\Users\Admin\AppData\Local\Temp\3949c37bb29511d9d08a8967b10a007b6775aa6ae5ffcd8bf2f939c0614e0d64.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3116
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1444
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:2284
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1928
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4604
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4544
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2304
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3756
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3536
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1616
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2944
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3172
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4732
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4936
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2880
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:972
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:1828

    Network

    • flag-us
      DNS
      2f1a0cf5-0e65-4ccd-b2c8-a0571afe1c60.uuid.thestatsfiles.ru
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      2f1a0cf5-0e65-4ccd-b2c8-a0571afe1c60.uuid.thestatsfiles.ru
      IN TXT
      Response
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      stun.stunprotocol.org
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      stun.stunprotocol.org
      IN A
      Response
      stun.stunprotocol.org
      IN A
      127.0.0.1
    • flag-us
      DNS
      carsalessystem.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      carsalessystem.com
      IN A
      Response
      carsalessystem.com
      IN A
      172.67.221.71
      carsalessystem.com
      IN A
      104.21.94.82
    • flag-us
      DNS
      71.221.67.172.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      71.221.67.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      44.27.3.81.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      44.27.3.81.in-addr.arpa
      IN PTR
      Response
      44.27.3.81.in-addr.arpa
      IN PTR
      xmppipfireorg
    • flag-us
      DNS
      self.events.data.microsoft.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      self.events.data.microsoft.com
      IN A
      Response
      self.events.data.microsoft.com
      IN CNAME
      self-events-data.trafficmanager.net
      self-events-data.trafficmanager.net
      IN CNAME
      onedscolprdwus10.westus.cloudapp.azure.com
      onedscolprdwus10.westus.cloudapp.azure.com
      IN A
      20.189.173.11
    • flag-us
      DNS
      cdn.discordapp.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      cdn.discordapp.com
      IN A
      Response
      cdn.discordapp.com
      IN A
      162.159.133.233
      cdn.discordapp.com
      IN A
      162.159.134.233
      cdn.discordapp.com
      IN A
      162.159.130.233
      cdn.discordapp.com
      IN A
      162.159.129.233
      cdn.discordapp.com
      IN A
      162.159.135.233
    • flag-us
      DNS
      233.133.159.162.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      233.133.159.162.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      stun.ipfire.org
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      stun.ipfire.org
      IN A
      Response
      stun.ipfire.org
      IN CNAME
      xmpp.ipfire.org
      xmpp.ipfire.org
      IN A
      81.3.27.44
    • flag-us
      DNS
      23.236.111.52.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      23.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      server3.thestatsfiles.ru
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      server3.thestatsfiles.ru
      IN A
      Response
      server3.thestatsfiles.ru
      IN A
      185.82.216.96
    • flag-us
      DNS
      96.216.82.185.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      96.216.82.185.in-addr.arpa
      IN PTR
      Response
      96.216.82.185.in-addr.arpa
      IN PTR
      dedic-mariadebommarez-1201693hosted-by-itldccom
    • flag-us
      DNS
      nexusrules.officeapps.live.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      nexusrules.officeapps.live.com
      IN A
      Response
      nexusrules.officeapps.live.com
      IN CNAME
      prod.nexusrules.live.com.akadns.net
      prod.nexusrules.live.com.akadns.net
      IN A
      52.111.236.23
    • flag-us
      DNS
      11.173.189.20.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      11.173.189.20.in-addr.arpa
      IN PTR
      Response
    • 162.159.133.233:443
      cdn.discordapp.com
      tls
      csrss.exe
      1.2kB
      5.2kB
      13
      15
    • 185.82.216.96:443
      server3.thestatsfiles.ru
      tls
      csrss.exe
      1.4kB
      5.1kB
      13
      15
    • 172.67.221.71:443
      carsalessystem.com
      tls
      csrss.exe
      93.5kB
      2.2MB
      1716
      1612
    • 185.82.216.96:443
      server3.thestatsfiles.ru
      tls
      csrss.exe
      1.2kB
      4.7kB
      11
      13
    • 185.82.216.96:443
      server3.thestatsfiles.ru
      tls
      csrss.exe
      1.9kB
      4.7kB
      11
      14
    • 185.82.216.96:443
      server3.thestatsfiles.ru
      tls
      csrss.exe
      1.8kB
      4.5kB
      8
      9
    • 8.8.8.8:53
      2f1a0cf5-0e65-4ccd-b2c8-a0571afe1c60.uuid.thestatsfiles.ru
      dns
      csrss.exe
      518 B
      872 B
      7
      7

      DNS Request

      2f1a0cf5-0e65-4ccd-b2c8-a0571afe1c60.uuid.thestatsfiles.ru

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      stun.stunprotocol.org

      DNS Response

      127.0.0.1

      DNS Request

      carsalessystem.com

      DNS Response

      172.67.221.71
      104.21.94.82

      DNS Request

      71.221.67.172.in-addr.arpa

      DNS Request

      44.27.3.81.in-addr.arpa

      DNS Request

      self.events.data.microsoft.com

      DNS Response

      20.189.173.11

    • 8.8.8.8:53
      cdn.discordapp.com
      dns
      csrss.exe
      271 B
      534 B
      4
      4

      DNS Request

      cdn.discordapp.com

      DNS Response

      162.159.133.233
      162.159.134.233
      162.159.130.233
      162.159.129.233
      162.159.135.233

      DNS Request

      233.133.159.162.in-addr.arpa

      DNS Request

      stun.ipfire.org

      DNS Response

      81.3.27.44

      DNS Request

      23.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      server3.thestatsfiles.ru
      dns
      csrss.exe
      290 B
      520 B
      4
      4

      DNS Request

      server3.thestatsfiles.ru

      DNS Response

      185.82.216.96

      DNS Request

      96.216.82.185.in-addr.arpa

      DNS Request

      nexusrules.officeapps.live.com

      DNS Response

      52.111.236.23

      DNS Request

      11.173.189.20.in-addr.arpa

    • 127.0.0.1:3478
      csrss.exe
    • 81.3.27.44:3478
      stun.ipfire.org
      csrss.exe
      48 B
      80 B
      1
      1

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ohtb4neh.1df.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      ac4917a885cf6050b1a483e4bc4d2ea5

      SHA1

      b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

      SHA256

      e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

      SHA512

      092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      8ba02873e7a449f83af345ecde0116d9

      SHA1

      5cece8a526b1735389486e73621ddd4e888e32da

      SHA256

      6fd8df6318ede39801e3cb946281e93bf8c1f4cb7c2272a9eb286d5540f230db

      SHA512

      65580465720f583ee93e258e6d6ac35b92c39b4a10321db5233ff96a1c94f488dcdb6c30950cedec00ede15d9375928f7fa8f04d0afbdae56de0057c529084b8

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      38a762f36ff0f539ee743c6484f890f3

      SHA1

      6075d134dd573ac5eff2ac20b67ed0589bad21f5

      SHA256

      a4f5d32e4dbbbdd55f0b1a809032e3d95ae4c2783d0f04042ead8d15693dbbdb

      SHA512

      01e6a7005134d76d84219dab3c39a79a45f097e1d5a194ce7c8db68a0d8971c1a3b6f777e97d603b9edb8782d34d324a3703230c7baf9320bdf0c9dd063f4398

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      59ad01bb898ed6803940b9f749b3b927

      SHA1

      ededa119fe8490974ef0fe4a57cd0113489785e8

      SHA256

      ee320111062bca7a1a2b75d55e6131a5dfc23c18f580d4fcff141d6f6519bada

      SHA512

      adcc3e02f5563e34645af05d662965935dfc35dd9529d52a50378b30dc7c423d2a4a578641e4e3fbe1d3176e93f9dbb9fef7eecb59ae8921a514af147a84f3e7

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      ed5fd8d34c37c1fc2fc3cab14e002046

      SHA1

      5bac359220d2f9f8f3acdcfa9d4020b3c626ecab

      SHA256

      4f0dad8a48a5b7f8d33c85e685a6620b012a837ddb454594b34501d6de96ace7

      SHA512

      8b906697f03eaee8e6df3e52692084e7fdf61e3cd72a97a979e2ebeeb4ca193ad6fb06cb3359582f5b438a7cb2c72a808248e09647bf480f7a5bf41e6643437c

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

      Filesize

      19KB

      MD5

      dfb78b6bad834de7ef50bc60a9f51a84

      SHA1

      964715d44ab8784849abb6ffa3b984bb60b732fb

      SHA256

      e8e7721be55dc521d375fcc3a4f4cb5a48db0c6123a03fbaba6ebe4b1d1de6be

      SHA512

      9a94782f7d0d0d1c2611fca0c9601f7a5ce8c82e8727a619bcd8eeb820e254d3c694f52f39a7a96aac9e283b9f99e9f1b57f7f3d2dcd3807c07cb5e97cf5087d

    • C:\Windows\rss\csrss.exe

      Filesize

      2.3MB

      MD5

      b71cc0a2386e758bdad949296afb9e56

      SHA1

      7fddfdc21aeb303077e4d0683bfffc8a672807d4

      SHA256

      9401bc5b5e07fd43663e8d580ae8be5605dd0d50dcdef70fae358b5c34d92f82

      SHA512

      a3270a712b7a6917d9239818b621b736aee2885914e0dadb947fcf546dbb8a00c2fe80c64ca3670a9f9f0b8752c9c20be6a97e3ba001e48aad30a18f9e17206b

    • C:\Windows\rss\csrss.exe

      Filesize

      2.7MB

      MD5

      7141071518c9398f76c78fdb7a97703c

      SHA1

      87b07861990d125570f1ae01e4ac66cc5cc91b8f

      SHA256

      b6de5c6a0d95b76021e24caa6b11dd1f89e88c0e3112d2fbe1bbde92db0698bf

      SHA512

      62f41e1fca8f10098c56483a3905fc954b7b36253e9a04b1c214b192b23351544f5b817d02a3c693322a634a5732d2cdb39ba08f3bf48cc727b77d7b5aff86ed

    • C:\Windows\windefender.exe

      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

    • memory/1672-145-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/1672-128-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/1672-52-0x00000000030E0000-0x00000000039CB000-memory.dmp

      Filesize

      8.9MB

    • memory/1672-53-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/1672-110-0x0000000002CE0000-0x00000000030DF000-memory.dmp

      Filesize

      4.0MB

    • memory/1672-50-0x0000000002CE0000-0x00000000030DF000-memory.dmp

      Filesize

      4.0MB

    • memory/1828-253-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

    • memory/1828-258-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

    • memory/1828-268-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

    • memory/1928-99-0x000000007F4D0000-0x000000007F4E0000-memory.dmp

      Filesize

      64KB

    • memory/1928-101-0x0000000070BF0000-0x0000000070F47000-memory.dmp

      Filesize

      3.3MB

    • memory/1928-96-0x00000000055F0000-0x0000000005947000-memory.dmp

      Filesize

      3.3MB

    • memory/1928-87-0x00000000022E0000-0x00000000022F0000-memory.dmp

      Filesize

      64KB

    • memory/1928-86-0x00000000022E0000-0x00000000022F0000-memory.dmp

      Filesize

      64KB

    • memory/1928-85-0x0000000074770000-0x0000000074F21000-memory.dmp

      Filesize

      7.7MB

    • memory/1928-100-0x00000000709E0000-0x0000000070A2C000-memory.dmp

      Filesize

      304KB

    • memory/1928-111-0x00000000022E0000-0x00000000022F0000-memory.dmp

      Filesize

      64KB

    • memory/1928-113-0x0000000074770000-0x0000000074F21000-memory.dmp

      Filesize

      7.7MB

    • memory/3116-80-0x0000000007CE0000-0x0000000007CF5000-memory.dmp

      Filesize

      84KB

    • memory/3116-67-0x000000007FDA0000-0x000000007FDB0000-memory.dmp

      Filesize

      64KB

    • memory/3116-83-0x0000000074770000-0x0000000074F21000-memory.dmp

      Filesize

      7.7MB

    • memory/3116-79-0x0000000007C90000-0x0000000007CA1000-memory.dmp

      Filesize

      68KB

    • memory/3116-78-0x00000000033E0000-0x00000000033F0000-memory.dmp

      Filesize

      64KB

    • memory/3116-77-0x0000000007960000-0x0000000007A04000-memory.dmp

      Filesize

      656KB

    • memory/3116-54-0x0000000074770000-0x0000000074F21000-memory.dmp

      Filesize

      7.7MB

    • memory/3116-55-0x00000000033E0000-0x00000000033F0000-memory.dmp

      Filesize

      64KB

    • memory/3116-56-0x00000000033E0000-0x00000000033F0000-memory.dmp

      Filesize

      64KB

    • memory/3116-65-0x00000000709E0000-0x0000000070A2C000-memory.dmp

      Filesize

      304KB

    • memory/3116-68-0x0000000070B60000-0x0000000070EB7000-memory.dmp

      Filesize

      3.3MB

    • memory/3520-4-0x0000000004F40000-0x0000000004F76000-memory.dmp

      Filesize

      216KB

    • memory/3520-20-0x00000000063A0000-0x00000000063BE000-memory.dmp

      Filesize

      120KB

    • memory/3520-43-0x0000000007AA0000-0x0000000007AB5000-memory.dmp

      Filesize

      84KB

    • memory/3520-44-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

      Filesize

      104KB

    • memory/3520-5-0x0000000074770000-0x0000000074F21000-memory.dmp

      Filesize

      7.7MB

    • memory/3520-48-0x0000000074770000-0x0000000074F21000-memory.dmp

      Filesize

      7.7MB

    • memory/3520-45-0x0000000007B10000-0x0000000007B18000-memory.dmp

      Filesize

      32KB

    • memory/3520-42-0x0000000007A90000-0x0000000007A9E000-memory.dmp

      Filesize

      56KB

    • memory/3520-41-0x0000000007A40000-0x0000000007A51000-memory.dmp

      Filesize

      68KB

    • memory/3520-40-0x0000000007B30000-0x0000000007BC6000-memory.dmp

      Filesize

      600KB

    • memory/3520-39-0x0000000007A20000-0x0000000007A2A000-memory.dmp

      Filesize

      40KB

    • memory/3520-38-0x00000000079E0000-0x00000000079FA000-memory.dmp

      Filesize

      104KB

    • memory/3520-37-0x0000000008020000-0x000000000869A000-memory.dmp

      Filesize

      6.5MB

    • memory/3520-36-0x00000000078B0000-0x0000000007954000-memory.dmp

      Filesize

      656KB

    • memory/3520-35-0x0000000007890000-0x00000000078AE000-memory.dmp

      Filesize

      120KB

    • memory/3520-26-0x0000000070B60000-0x0000000070EB7000-memory.dmp

      Filesize

      3.3MB

    • memory/3520-25-0x00000000709E0000-0x0000000070A2C000-memory.dmp

      Filesize

      304KB

    • memory/3520-24-0x0000000007850000-0x0000000007884000-memory.dmp

      Filesize

      208KB

    • memory/3520-23-0x000000007F750000-0x000000007F760000-memory.dmp

      Filesize

      64KB

    • memory/3520-6-0x0000000004F30000-0x0000000004F40000-memory.dmp

      Filesize

      64KB

    • memory/3520-7-0x00000000055B0000-0x0000000005BDA000-memory.dmp

      Filesize

      6.2MB

    • memory/3520-8-0x00000000054E0000-0x0000000005502000-memory.dmp

      Filesize

      136KB

    • memory/3520-22-0x0000000007520000-0x0000000007566000-memory.dmp

      Filesize

      280KB

    • memory/3520-9-0x0000000005CE0000-0x0000000005D46000-memory.dmp

      Filesize

      408KB

    • memory/3520-10-0x0000000005D50000-0x0000000005DB6000-memory.dmp

      Filesize

      408KB

    • memory/3520-19-0x0000000005E40000-0x0000000006197000-memory.dmp

      Filesize

      3.3MB

    • memory/3520-21-0x00000000063F0000-0x000000000643C000-memory.dmp

      Filesize

      304KB

    • memory/4544-265-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/4544-259-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/4544-252-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/4544-256-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/4544-279-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/4544-277-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/4544-274-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/4544-271-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/4544-240-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/4544-267-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/4544-262-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/4544-250-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/4544-283-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/4604-114-0x0000000074770000-0x0000000074F21000-memory.dmp

      Filesize

      7.7MB

    • memory/4604-127-0x0000000070BF0000-0x0000000070F47000-memory.dmp

      Filesize

      3.3MB

    • memory/4604-137-0x000000007FD40000-0x000000007FD50000-memory.dmp

      Filesize

      64KB

    • memory/4604-138-0x0000000002C40000-0x0000000002C50000-memory.dmp

      Filesize

      64KB

    • memory/4604-115-0x0000000002C40000-0x0000000002C50000-memory.dmp

      Filesize

      64KB

    • memory/4604-122-0x0000000002C40000-0x0000000002C50000-memory.dmp

      Filesize

      64KB

    • memory/4604-126-0x00000000709E0000-0x0000000070A2C000-memory.dmp

      Filesize

      304KB

    • memory/4796-3-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/4796-1-0x0000000002EB0000-0x00000000032B2000-memory.dmp

      Filesize

      4.0MB

    • memory/4796-2-0x00000000032C0000-0x0000000003BAB000-memory.dmp

      Filesize

      8.9MB

    • memory/4796-66-0x0000000000400000-0x0000000000ED4000-memory.dmp

      Filesize

      10.8MB

    • memory/4796-51-0x0000000002EB0000-0x00000000032B2000-memory.dmp

      Filesize

      4.0MB

    • memory/4936-249-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.