Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    16/04/2024, 23:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9cf33dbf3eb1d2090bf76dcaa66e5bb14e9f81b4c22eceaf72df21bfa2e433db.exe

  • Size

    4.2MB

  • MD5

    81094d131377ab691d6f6283aa430ff3

  • SHA1

    2682bab9ff90c6ffaa85ab1dd73a00b7b3d169e2

  • SHA256

    9cf33dbf3eb1d2090bf76dcaa66e5bb14e9f81b4c22eceaf72df21bfa2e433db

  • SHA512

    f6678d569036205dc78ac705d095ac0f8fd3442658ea28d693d884f0077aa0590be15e3ef5b180556d519d808839ee92654541a42d0105aee93275bd2af7db00

  • SSDEEP

    98304:E11nBFm7L477O3ZxwksExFmebn837tJkH5flyKdl:ELnBF77OZOE3mebnMLQdl

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkitupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 18 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\9cf33dbf3eb1d2090bf76dcaa66e5bb14e9f81b4c22eceaf72df21bfa2e433db.exe
    "C:\Users\Admin\AppData\Local\Temp\9cf33dbf3eb1d2090bf76dcaa66e5bb14e9f81b4c22eceaf72df21bfa2e433db.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:696
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:104
    • C:\Users\Admin\AppData\Local\Temp\9cf33dbf3eb1d2090bf76dcaa66e5bb14e9f81b4c22eceaf72df21bfa2e433db.exe
      "C:\Users\Admin\AppData\Local\Temp\9cf33dbf3eb1d2090bf76dcaa66e5bb14e9f81b4c22eceaf72df21bfa2e433db.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4088
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:768
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3136
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1028
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4252
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2600
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:104
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:444
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4004
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:324
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3464
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:792
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3680
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2112
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:1620
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:4324

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dqlk5tud.m10.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      ac4917a885cf6050b1a483e4bc4d2ea5

      SHA1

      b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

      SHA256

      e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

      SHA512

      092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      346f2eb8c10a0239cabf79e3d6394771

      SHA1

      8715b0cf845aa5714efda9425e810f8131a48f62

      SHA256

      2ff6eb527a1bea52c853a57a1a1bc81fdaa720fd1ce4fa2f16ce2f1e5d0e46a7

      SHA512

      b92644bd7006d201a963ded1cd18393dc8993f1e945431e20e5d9853a5510b88fa0becbb8cbf4c9c032f167ace155b063ee4b8fba6d50a0d466df34e9095c267

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      14b9ce7b3b665e628dff2b51c9dce34b

      SHA1

      6e0f4ddff89cd65b6763a1a11c26cc99c2ed2588

      SHA256

      b42d29b913a67ce5e9d391efa175809961c1a3dd923a683535205f0091652bf2

      SHA512

      cbde23f370c446fde6c7ac3fc5723876c2c7b40036599cfc3793e2580daa3e521add7d98ad892ab4d78718a0c8474c7ba3d7b52e0cf6604141b12e320ebc8e67

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      60f3e23e4c207c1457f9ff0ac0aa0191

      SHA1

      64efc3cee1967cfc1697c2d8049407121d0fb3c6

      SHA256

      ff38c0b0478c28c9ef05b67a297e57384423e49c69e7e4a2c6b1c258cc9bb845

      SHA512

      44102e96466852ec22674d2abae96069da4693374d2747dafe8d18fdf780a15ffac0af26969c0bf52d4fd94663ae3268031efffda403b0d9df8f1fb4e264e9ab

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      20406fb9fcf45719fad4c44223024b0e

      SHA1

      8415872d93f31d672c8b47c87a6058a27f465a3c

      SHA256

      5bff877af78b02dffd937817d061c8bbe7aa484c3cbefb7fc0a76544435c6830

      SHA512

      235fe7d142254a78dcc55b8de118013ac163b72cf10966501e3adfa14f6487593e80155ccfc475c226b81ffcb3853bfa7466dc527a73cb74ca8529e979ec07c3

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      cc5d9e57e18fbc4ed8a95a094a54a5f7

      SHA1

      3ee782e79558354f6c0bd41093172dc6a612f59c

      SHA256

      6b23b16943b47d77e4d1fe373377c343b85c8a0734332e541fc6a38a2eb97fed

      SHA512

      a76e74add925473fc42d7fde93d74918ff7474af567502bbbfb9ac49b639fec2eee60a9fc87de61e2fac6e58b396d2a785b04e54b3f1475d451a7723b249e5e8

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      81094d131377ab691d6f6283aa430ff3

      SHA1

      2682bab9ff90c6ffaa85ab1dd73a00b7b3d169e2

      SHA256

      9cf33dbf3eb1d2090bf76dcaa66e5bb14e9f81b4c22eceaf72df21bfa2e433db

      SHA512

      f6678d569036205dc78ac705d095ac0f8fd3442658ea28d693d884f0077aa0590be15e3ef5b180556d519d808839ee92654541a42d0105aee93275bd2af7db00

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/104-38-0x0000000007AB0000-0x000000000812A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/104-43-0x0000000007520000-0x000000000752E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/104-20-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/104-21-0x0000000005F00000-0x0000000005F4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/104-22-0x0000000006480000-0x00000000064C6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/104-23-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/104-24-0x000000007F320000-0x000000007F330000-memory.dmp

      Filesize

      64KB

      Download

    • memory/104-25-0x0000000007100000-0x0000000007134000-memory.dmp

      Filesize

      208KB

      Download

    • memory/104-26-0x0000000070270000-0x00000000702BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/104-27-0x00000000703F0000-0x0000000070747000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/104-36-0x00000000070E0000-0x00000000070FE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/104-37-0x0000000007340000-0x00000000073E4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/104-10-0x0000000005830000-0x0000000005896000-memory.dmp

      Filesize

      408KB

      Download

    • memory/104-39-0x0000000007470000-0x000000000748A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/104-40-0x00000000074B0000-0x00000000074BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/104-41-0x0000000007570000-0x0000000007606000-memory.dmp

      Filesize

      600KB

      Download

    • memory/104-42-0x00000000074E0000-0x00000000074F1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/104-19-0x0000000005AC0000-0x0000000005E17000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/104-44-0x0000000007530000-0x0000000007545000-memory.dmp

      Filesize

      84KB

      Download

    • memory/104-45-0x0000000007630000-0x000000000764A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/104-6-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/104-47-0x0000000007650000-0x0000000007658000-memory.dmp

      Filesize

      32KB

      Download

    • memory/104-50-0x0000000074000000-0x00000000747B1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/104-5-0x0000000074000000-0x00000000747B1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/104-4-0x0000000004A10000-0x0000000004A46000-memory.dmp

      Filesize

      216KB

      Download

    • memory/104-7-0x0000000005120000-0x000000000574A000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/104-9-0x00000000057C0000-0x0000000005826000-memory.dmp

      Filesize

      408KB

      Download

    • memory/104-8-0x0000000004FF0000-0x0000000005012000-memory.dmp

      Filesize

      136KB

      Download

    • memory/696-54-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/696-53-0x0000000002F80000-0x000000000386B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/696-52-0x00000000011E0000-0x00000000015DF000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/696-46-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/696-1-0x00000000011E0000-0x00000000015DF000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/696-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/696-2-0x0000000002F80000-0x000000000386B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/1028-132-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1028-134-0x0000000070270000-0x00000000702BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1028-133-0x000000007F990000-0x000000007F9A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1028-135-0x00000000703F0000-0x0000000070747000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1028-129-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1028-120-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1028-119-0x0000000074000000-0x00000000747B1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1368-117-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1368-91-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1368-57-0x0000000001170000-0x000000000156C000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1368-151-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1368-98-0x0000000001170000-0x000000000156C000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1368-144-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1368-58-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3136-104-0x0000000004A80000-0x0000000004A90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3136-118-0x0000000074000000-0x00000000747B1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3136-92-0x0000000004A80000-0x0000000004A90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3136-107-0x0000000070480000-0x00000000707D7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3136-90-0x0000000074000000-0x00000000747B1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3136-106-0x0000000070270000-0x00000000702BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3136-105-0x000000007F8E0000-0x000000007F8F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3136-99-0x0000000005760000-0x0000000005AB7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3680-256-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4088-71-0x000000007FDF0000-0x000000007FE00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-82-0x00000000075E0000-0x0000000007684000-memory.dmp

      Filesize

      656KB

      Download

    • memory/4088-72-0x0000000070270000-0x00000000702BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4088-70-0x0000000002E50000-0x0000000002E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-73-0x00000000703F0000-0x0000000070747000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4088-61-0x0000000002E50000-0x0000000002E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-60-0x0000000002E50000-0x0000000002E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-84-0x00000000078D0000-0x00000000078E5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4088-59-0x0000000074000000-0x00000000747B1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4088-83-0x0000000007880000-0x0000000007891000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4088-88-0x0000000074000000-0x00000000747B1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4252-247-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4252-216-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4252-257-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4252-260-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4252-263-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4252-266-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4252-269-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4324-259-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4324-265-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download