glupteba | 399f3ed5f8121b200b3871318314e2bbdfbfbdd9083089b5bff37fafd8102625

Analysis

max time kernel
19s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

399f3ed5f8121b200b3871318314e2bbdfbfbdd9083089b5bff37fafd8102625.exe
Size

4.1MB
MD5

7f97943a4052d43ceec059028b7bd791
SHA1

a995e417536f67d9ae380e844682a6c685a595ac
SHA256

399f3ed5f8121b200b3871318314e2bbdfbfbdd9083089b5bff37fafd8102625
SHA512

1c23a7afa170eaf4dd1d21c5985a66b92e3eb3eb17e9079e1b2b8cbcd4b340d20196dfa36ae9f5cef28afe5a1b0b8509e19ea87114b43fc3d1f6edf2275b9253
SSDEEP

98304:NFddrpuoRE7tl1yJ8vae/QmLpm2XHwIZYQzHZc5g5rp30lCUzjm:3LdBQ1yJ8Sedm2XHUQNc5Xga6

Score

10^/10

glupteba dropper evasion loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4036-2-0x0000000006680000-0x0000000006F6B000-memory.dmp	family_glupteba
behavioral1/memory/4036-22-0x0000000000400000-0x0000000004416000-memory.dmp	family_glupteba
behavioral1/memory/4036-47-0x0000000000400000-0x0000000004416000-memory.dmp	family_glupteba
behavioral1/memory/4036-48-0x0000000006680000-0x0000000006F6B000-memory.dmp	family_glupteba
behavioral1/memory/4036-85-0x0000000000400000-0x0000000004416000-memory.dmp	family_glupteba
behavioral1/memory/924-105-0x0000000000400000-0x0000000004416000-memory.dmp	family_glupteba
behavioral1/memory/924-107-0x00000000048B0000-0x0000000004CB8000-memory.dmp	family_glupteba
behavioral1/memory/924-169-0x0000000000400000-0x0000000004416000-memory.dmp	family_glupteba
behavioral1/memory/5100-218-0x0000000000400000-0x0000000004416000-memory.dmp	family_glupteba
behavioral1/memory/5100-253-0x0000000000400000-0x0000000004416000-memory.dmp	family_glupteba
behavioral1/memory/5100-265-0x0000000000400000-0x0000000004416000-memory.dmp	family_glupteba
behavioral1/memory/5100-268-0x0000000000400000-0x0000000004416000-memory.dmp	family_glupteba
behavioral1/memory/5100-272-0x0000000000400000-0x0000000004416000-memory.dmp	family_glupteba
behavioral1/memory/5100-276-0x0000000000400000-0x0000000004416000-memory.dmp	family_glupteba
behavioral1/memory/5100-280-0x0000000000400000-0x0000000004416000-memory.dmp	family_glupteba
behavioral1/memory/5100-284-0x0000000000400000-0x0000000004416000-memory.dmp	family_glupteba
behavioral1/memory/5100-289-0x0000000000400000-0x0000000004416000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2992 netsh.exe

pid	process
2992	netsh.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
behavioral1/memory/3780-262-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/4240-266-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/4240-274-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/4240-287-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1424 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2236 schtasks.exe
1752 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3980 powershell.exe
3980 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3980 powershell.exe

pid	process
1424	sc.exe

pid	process
2236	schtasks.exe
1752	schtasks.exe

pid	process
3980	powershell.exe
3980	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3980	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

399f3ed5f8121b200b3871318314e2bbdfbfbdd9083089b5bff37fafd8102625.exe

description	pid	process	target process
PID 4036 wrote to memory of 3980	4036	399f3ed5f8121b200b3871318314e2bbdfbfbdd9083089b5bff37fafd8102625.exe	powershell.exe
PID 4036 wrote to memory of 3980	4036	399f3ed5f8121b200b3871318314e2bbdfbfbdd9083089b5bff37fafd8102625.exe	powershell.exe
PID 4036 wrote to memory of 3980	4036	399f3ed5f8121b200b3871318314e2bbdfbfbdd9083089b5bff37fafd8102625.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\399f3ed5f8121b200b3871318314e2bbdfbfbdd9083089b5bff37fafd8102625.exe
"C:\Users\Admin\AppData\Local\Temp\399f3ed5f8121b200b3871318314e2bbdfbfbdd9083089b5bff37fafd8102625.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Users\Admin\AppData\Local\Temp\399f3ed5f8121b200b3871318314e2bbdfbfbdd9083089b5bff37fafd8102625.exe
"C:\Users\Admin\AppData\Local\Temp\399f3ed5f8121b200b3871318314e2bbdfbfbdd9083089b5bff37fafd8102625.exe"
2⤵
PID:924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:932

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:2992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4484

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
PID:5100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3780

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:2236

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:1812

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:376

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
PID:4972

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1752

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:5088

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:1060

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qmbbdzti.1pj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
4e51e85071a239ab1a1e82568056f165

SHA1
85633cb3b81841be913013dab2afdbd6a7b86394

SHA256
57591bc0e419381b5018a77604b8c707492b4485116562984f6ccf2f50dbd9ce

SHA512
0da1cbce4646f2b18402f413371b661d425990e2b8b86d9739b57b52cff285d5b5d108692f6f3e8b20cadfbb7f0ea5f81e3f506306c099650ebcee7a493cc4bc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
28c157844ee96266083e58bb20a8fb5d

SHA1
e746320ba85e8c815cad7dab07c8b0d41e7bffcb

SHA256
7daa1006c6f433847b206305f8ffe64bc3eaa88a373935f57fe907c94b7dbf46

SHA512
ab1e3090ed11be9344c2c3c649122a1dcd89f479ab66816bcbd9fe0b289c0c6e2ffe735375d2e5c58f90aa353932bffec749285654e49f6901bdd78065d3cbff

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
710305dd73c5c3558ac48bc58cedbb4f

SHA1
f2e5f56b153d2507678d4cc2d3a92b803b281b95

SHA256
8120468a02e44e5ee7a1da7f1a9a80903a853f6c3ed922d2ed773d1287d68623

SHA512
1803faf758186694af4538a6c4042b01d97405370b66a5bbc0dd0d458c6f85d42b6954515c344b21b401c43b05d404c3aa58297ad4368aac1a8beda9471d2936

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
f88c94e1d5f098a7b3454e7e2ecd6301

SHA1
1e4f7420152ca9f4208a517607eff3ee079d508e

SHA256
3ca80fafd42285d52b50c6b90504c072047af7fd8ea81e96049da194d8f7f8e4

SHA512
942785d12615740db3cbce7fa71df285214d980e106089d31e74e49eb3a03ca09e480626eb29d73fcf5de9062a94e7040053a8cf3be8655821e9d0aa289c5a2f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
efedef798f155ee11fe7009cb3b81baa

SHA1
ff1e27329ca8a9a63a78a7752a84446c0e9e669b

SHA256
e06b3a700c3c9ac918bea9001fc66f5988d04510237ac15394cff21893fff363

SHA512
6fbfab9b57ef474095ca6c35447f96b87d1d3fd55a8ff757e5795b799f9ec280fda03f12050aecf683ba70d630c30bf12166aa167d7467d63d725931c55a7b3c

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
7f97943a4052d43ceec059028b7bd791

SHA1
a995e417536f67d9ae380e844682a6c685a595ac

SHA256
399f3ed5f8121b200b3871318314e2bbdfbfbdd9083089b5bff37fafd8102625

SHA512
1c23a7afa170eaf4dd1d21c5985a66b92e3eb3eb17e9079e1b2b8cbcd4b340d20196dfa36ae9f5cef28afe5a1b0b8509e19ea87114b43fc3d1f6edf2275b9253

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/924-57-0x00000000048B0000-0x0000000004CB8000-memory.dmp

Filesize
4.0MB

Download
memory/924-107-0x00000000048B0000-0x0000000004CB8000-memory.dmp

Filesize
4.0MB

Download
memory/924-105-0x0000000000400000-0x0000000004416000-memory.dmp

Filesize
64.1MB

Download
memory/924-169-0x0000000000400000-0x0000000004416000-memory.dmp

Filesize
64.1MB

Download
memory/2548-91-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/2548-120-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/2548-108-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/2548-109-0x0000000071430000-0x0000000071784000-memory.dmp

Filesize
3.3MB

Download
memory/2548-106-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/2548-103-0x0000000005970000-0x0000000005CC4000-memory.dmp

Filesize
3.3MB

Download
memory/2548-93-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/2548-92-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/3536-89-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/3536-86-0x0000000007BC0000-0x0000000007BD4000-memory.dmp

Filesize
80KB

Download
memory/3536-84-0x0000000007B50000-0x0000000007B61000-memory.dmp

Filesize
68KB

Download
memory/3536-83-0x0000000007860000-0x0000000007903000-memory.dmp

Filesize
652KB

Download
memory/3536-73-0x0000000071410000-0x0000000071764000-memory.dmp

Filesize
3.3MB

Download
memory/3536-72-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/3536-71-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/3536-66-0x0000000005F90000-0x00000000062E4000-memory.dmp

Filesize
3.3MB

Download
memory/3536-60-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/3536-59-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/3536-58-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/3780-156-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/3780-262-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3980-32-0x0000000071080000-0x00000000713D4000-memory.dmp

Filesize
3.3MB

Download
memory/3980-4-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/3980-52-0x0000000007EB0000-0x0000000007EB8000-memory.dmp

Filesize
32KB

Download
memory/3980-51-0x0000000007EC0000-0x0000000007EDA000-memory.dmp

Filesize
104KB

Download
memory/3980-50-0x0000000007E80000-0x0000000007E94000-memory.dmp

Filesize
80KB

Download
memory/3980-49-0x0000000007E70000-0x0000000007E7E000-memory.dmp

Filesize
56KB

Download
memory/3980-3-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/3980-55-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/3980-46-0x0000000007E20000-0x0000000007E31000-memory.dmp

Filesize
68KB

Download
memory/3980-45-0x0000000007EF0000-0x0000000007F86000-memory.dmp

Filesize
600KB

Download
memory/3980-44-0x0000000007E00000-0x0000000007E0A000-memory.dmp

Filesize
40KB

Download
memory/3980-43-0x0000000007D10000-0x0000000007DB3000-memory.dmp

Filesize
652KB

Download
memory/3980-5-0x00000000030D0000-0x0000000003106000-memory.dmp

Filesize
216KB

Download
memory/3980-42-0x0000000007CB0000-0x0000000007CCE000-memory.dmp

Filesize
120KB

Download
memory/3980-6-0x0000000005790000-0x0000000005DB8000-memory.dmp

Filesize
6.2MB

Download
memory/3980-31-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/3980-29-0x000000007F080000-0x000000007F090000-memory.dmp

Filesize
64KB

Download
memory/3980-30-0x0000000007CD0000-0x0000000007D02000-memory.dmp

Filesize
200KB

Download
memory/3980-7-0x00000000056E0000-0x0000000005702000-memory.dmp

Filesize
136KB

Download
memory/3980-27-0x0000000007B00000-0x0000000007B1A000-memory.dmp

Filesize
104KB

Download
memory/3980-26-0x0000000008180000-0x00000000087FA000-memory.dmp

Filesize
6.5MB

Download
memory/3980-25-0x0000000007A80000-0x0000000007AF6000-memory.dmp

Filesize
472KB

Download
memory/3980-24-0x0000000003120000-0x0000000003130000-memory.dmp

Filesize
64KB

Download
memory/3980-23-0x0000000006C10000-0x0000000006C54000-memory.dmp

Filesize
272KB

Download
memory/3980-8-0x0000000005EC0000-0x0000000005F26000-memory.dmp

Filesize
408KB

Download
memory/3980-21-0x00000000067E0000-0x000000000682C000-memory.dmp

Filesize
304KB

Download
memory/3980-9-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/3980-15-0x00000000060E0000-0x0000000006434000-memory.dmp

Filesize
3.3MB

Download
memory/3980-20-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/4036-28-0x0000000004AE0000-0x0000000004EDE000-memory.dmp

Filesize
4.0MB

Download
memory/4036-2-0x0000000006680000-0x0000000006F6B000-memory.dmp

Filesize
8.9MB

Download
memory/4036-48-0x0000000006680000-0x0000000006F6B000-memory.dmp

Filesize
8.9MB

Download
memory/4036-47-0x0000000000400000-0x0000000004416000-memory.dmp

Filesize
64.1MB

Download
memory/4036-85-0x0000000000400000-0x0000000004416000-memory.dmp

Filesize
64.1MB

Download
memory/4036-1-0x0000000004AE0000-0x0000000004EDE000-memory.dmp

Filesize
4.0MB

Download
memory/4036-22-0x0000000000400000-0x0000000004416000-memory.dmp

Filesize
64.1MB

Download
memory/4240-274-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4240-266-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4240-287-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4484-138-0x0000000070E30000-0x0000000071184000-memory.dmp

Filesize
3.3MB

Download
memory/4484-131-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/4484-121-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/4484-133-0x00000000030D0000-0x00000000030E0000-memory.dmp

Filesize
64KB

Download
memory/4484-149-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/4484-137-0x0000000070C90000-0x0000000070CDC000-memory.dmp

Filesize
304KB

Download
memory/4484-136-0x000000007FA90000-0x000000007FAA0000-memory.dmp

Filesize
64KB

Download
memory/4484-132-0x0000000006130000-0x0000000006484000-memory.dmp

Filesize
3.3MB

Download
memory/5100-155-0x0000000004E00000-0x0000000005200000-memory.dmp

Filesize
4.0MB

Download
memory/5100-265-0x0000000000400000-0x0000000004416000-memory.dmp

Filesize
64.1MB

Download
memory/5100-268-0x0000000000400000-0x0000000004416000-memory.dmp

Filesize
64.1MB

Download
memory/5100-272-0x0000000000400000-0x0000000004416000-memory.dmp

Filesize
64.1MB

Download
memory/5100-253-0x0000000000400000-0x0000000004416000-memory.dmp

Filesize
64.1MB

Download
memory/5100-276-0x0000000000400000-0x0000000004416000-memory.dmp

Filesize
64.1MB

Download
memory/5100-280-0x0000000000400000-0x0000000004416000-memory.dmp

Filesize
64.1MB

Download
memory/5100-284-0x0000000000400000-0x0000000004416000-memory.dmp

Filesize
64.1MB

Download
memory/5100-218-0x0000000000400000-0x0000000004416000-memory.dmp

Filesize
64.1MB

Download
memory/5100-289-0x0000000000400000-0x0000000004416000-memory.dmp

Filesize
64.1MB

Download
memory/5100-292-0x0000000000400000-0x0000000004416000-memory.dmp

Filesize
64.1MB

Download