Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/04/2024, 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e45c74fce0369066e0918bf98bbb75af67642036dae661878f125afd98e67e2f.exe

  • Size

    4.2MB

  • MD5

    b3dfe493bea72db1cf25c2ecf858f2f6

  • SHA1

    4e38e39c15cf96bd1ed9d5a85ba09f35a1bc6219

  • SHA256

    e45c74fce0369066e0918bf98bbb75af67642036dae661878f125afd98e67e2f

  • SHA512

    271642301a276cfa2dd674f41468cf5254438665dc2dc1fdfdd0d43beb84cc7de803486e10431190b2009f2048467c284be5ed114d2c3519b679e909c02033d2

  • SSDEEP

    98304:VBy5JAu+Hk0Et5Mgg8VWlfA2+5+VVv7Fm6fCi:OAu+ENnjVyYiVNw4D

Score
10/10
gluptebadiscoverydropperevasionloaderpersistenceupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 15 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e45c74fce0369066e0918bf98bbb75af67642036dae661878f125afd98e67e2f.exe
    "C:\Users\Admin\AppData\Local\Temp\e45c74fce0369066e0918bf98bbb75af67642036dae661878f125afd98e67e2f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5064
    • C:\Users\Admin\AppData\Local\Temp\e45c74fce0369066e0918bf98bbb75af67642036dae661878f125afd98e67e2f.exe
      "C:\Users\Admin\AppData\Local\Temp\e45c74fce0369066e0918bf98bbb75af67642036dae661878f125afd98e67e2f.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1644
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4036
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3240
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2044
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4548
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:3952
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4356
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2852
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3520
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1524
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5036
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1688
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4728
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1376
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4124
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:1116
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Modifies data under HKEY_USERS
      PID:3140

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vq3ngqcj.wot.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d0c46cad6c0778401e21910bd6b56b70

      SHA1

      7be418951ea96326aca445b8dfe449b2bfa0dca6

      SHA256

      9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

      SHA512

      057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      1d9000677fa409a436713fa72c1a03de

      SHA1

      e08abeecfe42e04fa1356258cf19618394db7903

      SHA256

      5026bcafaeb06b7cb047c0a36720e7a92a8a3b82bfd688998569cfbd53fb035e

      SHA512

      fca302ded63aa4f6e57b9a4690e87693c6a7bdd1dc782835e30f269054d0978a76c7ee890fe53b2c2aca5c4fdb2e4b4aeb0c4384fdd8fcbaba279d5f786d6a3e

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      6a0e90349dc90188d6b697b762cfe22a

      SHA1

      74b5d58c74663abf44948f9b749000e66f03f397

      SHA256

      afbd5b190f4112242f95baa737aee58ea8b2ee638b20bf71de0e28036f2693b4

      SHA512

      ded2563a5f379edc7f692df955e12e030337215a2e7709dfea3905ea7b94c29f4656ebc928eee23cebad8474fdf42d30d197dffd09b1056612e4446bc55c5355

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      6fd47704e60341a313fa64a00ced0ff7

      SHA1

      74caacd9a94bb76ae02b41170fdd48160eae21d4

      SHA256

      a7b459b96ce539dedecc97e960a35eb80729c34adb42b3278a49f9029ce69ca1

      SHA512

      f27fc0656c16379abe0d46758c5d5616f528081044786c6ec1cd3467dcf169684a11ab65ade0c52c936fb3edae92f4a3786e0507bea7506330fa2bad61a33b94

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      296623a7907b80be27c46ae532f196b9

      SHA1

      e1ba2be914748e4d6384ac12a05bcdb64bb3bd67

      SHA256

      3da8951e56c39a46debc2aa7ba41969bb5680cd147bfbc78bde3f24025efe24e

      SHA512

      d0f3569d07ac459741eeece59e03babe3cc69c9d9b1d181e55d1368bf5427b2ea240381e4b39a7434038f9eb69fbb202abdeeaa26e571d5c0de4e4acfdc5047a

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      de977f7ea172148609fa2cbc076ab9b0

      SHA1

      07d0a9fab5914b120715fd5df4529c6aca9a98ab

      SHA256

      37deeadd8898736a5582906af9e8d89c4fec1f57f291a7f8396936fdb454c673

      SHA512

      df44eb1913c0076436267f34558a75bf8e74ee8f25d4936f5eb17dce8c543826ae84e18b6eb386462db752ebe5f02d83c5260eb57682ccff779edbc55af45a86

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      b3dfe493bea72db1cf25c2ecf858f2f6

      SHA1

      4e38e39c15cf96bd1ed9d5a85ba09f35a1bc6219

      SHA256

      e45c74fce0369066e0918bf98bbb75af67642036dae661878f125afd98e67e2f

      SHA512

      271642301a276cfa2dd674f41468cf5254438665dc2dc1fdfdd0d43beb84cc7de803486e10431190b2009f2048467c284be5ed114d2c3519b679e909c02033d2

      Download Submit

    • memory/840-54-0x0000000000400000-0x0000000001DFD000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/840-133-0x0000000000400000-0x0000000001DFD000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/840-109-0x0000000003BE0000-0x0000000003FDC000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/840-51-0x0000000003BE0000-0x0000000003FDC000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/840-53-0x0000000003FE0000-0x00000000048CB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/840-196-0x0000000000400000-0x0000000001DFD000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/1376-239-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1644-58-0x0000000005460000-0x00000000057B7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1644-80-0x0000000002580000-0x0000000002590000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1644-55-0x0000000074A90000-0x0000000075241000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1644-56-0x0000000002580000-0x0000000002590000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1644-57-0x0000000002580000-0x0000000002590000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1644-67-0x0000000070D00000-0x0000000070D4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1644-85-0x0000000074A90000-0x0000000075241000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1644-82-0x0000000006FA0000-0x0000000006FB5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/1644-68-0x0000000070F50000-0x00000000712A7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1644-81-0x0000000006F50000-0x0000000006F61000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1644-79-0x000000007FA00000-0x000000007FA10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1644-78-0x0000000006C00000-0x0000000006CA4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/2044-99-0x0000000070D00000-0x0000000070D4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2044-111-0x0000000074A90000-0x0000000075241000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2044-100-0x0000000070F50000-0x00000000712A7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2044-87-0x0000000074A90000-0x0000000075241000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2044-88-0x0000000004920000-0x0000000004930000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2932-77-0x0000000000400000-0x0000000001DFD000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/2932-1-0x0000000003D00000-0x00000000040F9000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2932-52-0x0000000003D00000-0x00000000040F9000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2932-3-0x0000000000400000-0x0000000001DFD000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/2932-2-0x0000000004100000-0x00000000049EB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/3140-288-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3140-256-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3952-258-0x0000000000400000-0x0000000001DFD000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/3952-242-0x0000000000400000-0x0000000001DFD000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/3952-322-0x0000000000400000-0x0000000001DFD000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/3952-306-0x0000000000400000-0x0000000001DFD000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/3952-290-0x0000000000400000-0x0000000001DFD000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/3952-274-0x0000000000400000-0x0000000001DFD000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/3952-226-0x0000000075310000-0x0000000075377000-memory.dmp

      Filesize

      412KB

      Download

    • memory/3952-228-0x00000000752F0000-0x000000007530E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3952-249-0x0000000075280000-0x00000000752C1000-memory.dmp

      Filesize

      260KB

      Download

    • memory/3952-244-0x0000000075310000-0x0000000075377000-memory.dmp

      Filesize

      412KB

      Download

    • memory/3952-338-0x0000000000400000-0x0000000001DFD000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/3952-224-0x0000000000400000-0x0000000001DFD000-memory.dmp

      Filesize

      26.0MB

      Download

    • memory/3952-229-0x00000000752D0000-0x00000000752E1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4356-142-0x0000000074A90000-0x0000000075241000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4548-134-0x000000007EEE0000-0x000000007EEF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4548-123-0x0000000070D00000-0x0000000070D4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4548-138-0x0000000074A90000-0x0000000075241000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4548-135-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4548-113-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4548-112-0x0000000074A90000-0x0000000075241000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4548-136-0x0000000002CB0000-0x0000000002CC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4548-124-0x0000000070E80000-0x00000000711D7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5064-38-0x0000000007940000-0x0000000007FBA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/5064-26-0x0000000070E80000-0x00000000711D7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5064-45-0x0000000007410000-0x000000000742A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5064-43-0x00000000073B0000-0x00000000073BE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5064-42-0x0000000007360000-0x0000000007371000-memory.dmp

      Filesize

      68KB

      Download

    • memory/5064-46-0x0000000007430000-0x0000000007438000-memory.dmp

      Filesize

      32KB

      Download

    • memory/5064-41-0x0000000007450000-0x00000000074E6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/5064-40-0x0000000007340000-0x000000000734A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5064-39-0x0000000007300000-0x000000000731A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5064-49-0x0000000074A90000-0x0000000075241000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5064-36-0x00000000071E0000-0x0000000007284000-memory.dmp

      Filesize

      656KB

      Download

    • memory/5064-37-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5064-35-0x00000000071C0000-0x00000000071DE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5064-44-0x00000000073C0000-0x00000000073D5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/5064-23-0x000000007FAE0000-0x000000007FAF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5064-25-0x0000000070D00000-0x0000000070D4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5064-24-0x0000000007180000-0x00000000071B4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/5064-22-0x0000000006280000-0x00000000062C6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/5064-21-0x0000000005D10000-0x0000000005D5C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5064-20-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5064-19-0x00000000058B0000-0x0000000005C07000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5064-10-0x00000000056B0000-0x0000000005716000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5064-9-0x0000000005640000-0x00000000056A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5064-8-0x0000000004E10000-0x0000000004E32000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5064-5-0x0000000074A90000-0x0000000075241000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5064-7-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5064-6-0x0000000004EA0000-0x00000000054CA000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/5064-4-0x0000000004830000-0x0000000004866000-memory.dmp

      Filesize

      216KB

      Download