Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02/05/2024, 19:47

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    4a8fa4fa050c76c244adccf3b531b604ccb97fecf91a218882dd988cc43947e6.exe

  • Size

    4.2MB

  • MD5

    9163ad206b7eebb91ecb8f9423f5803b

  • SHA1

    08bf992452dce5f0257f682cef4ea722c64dc0ad

  • SHA256

    4a8fa4fa050c76c244adccf3b531b604ccb97fecf91a218882dd988cc43947e6

  • SHA512

    01cb583bf13f827098f60e017928fe0d9c42acbe0e8eae3809bb64c746a520bb081c4805bde3aa1f430c138117ea42e6e5b78092025794eba5f7f03ebf77fe08

  • SSDEEP

    98304:LwI55FRIfsmtYhw63zMBnKz9mF45iI1/hI:Ln55zQC3zMBnKzsIx2

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkitupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 18 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a8fa4fa050c76c244adccf3b531b604ccb97fecf91a218882dd988cc43947e6.exe
    "C:\Users\Admin\AppData\Local\Temp\4a8fa4fa050c76c244adccf3b531b604ccb97fecf91a218882dd988cc43947e6.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1636
    • C:\Users\Admin\AppData\Local\Temp\4a8fa4fa050c76c244adccf3b531b604ccb97fecf91a218882dd988cc43947e6.exe
      "C:\Users\Admin\AppData\Local\Temp\4a8fa4fa050c76c244adccf3b531b604ccb97fecf91a218882dd988cc43947e6.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1936
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:576
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4704
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1156
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1116
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4508
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4636
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3720
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1356
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3840
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3180
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:5020
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1864
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:5104
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:3536
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:4528

    Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Scheduled Task/Job

          1
          T1053

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Scheduled Task/Job

          1
          T1053

          Defense Evasion

          Impair Defenses

          1
          T1562

          Disable or Modify System Firewall

          1
          T1562.004

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          2
          T1012

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3pkiisy5.rp1.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            Filesize

            281KB

            MD5

            d98e33b66343e7c96158444127a117f6

            SHA1

            bb716c5509a2bf345c6c1152f6e3e1452d39d50d

            SHA256

            5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

            SHA512

            705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d0c46cad6c0778401e21910bd6b56b70

            SHA1

            7be418951ea96326aca445b8dfe449b2bfa0dca6

            SHA256

            9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

            SHA512

            057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            19KB

            MD5

            d9240970c4c12826050ed595136ef313

            SHA1

            cc0cf5fe249018de3e3b6f1779299bdc030fe094

            SHA256

            4a4a31f67004638a21d604e0e2b7684df54b29ef8b999cad8a9574904ec7113e

            SHA512

            0a9db0a2e01809d64deb54ad19908524f2758e20379e4febc7e0c7a613edec5727da1a802bd9c096f0f264bfe156b3be81d80451acdcd49c4fc2593027dff96d

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            19KB

            MD5

            818e7eeadb42c218f52c9667eec4215b

            SHA1

            4f11027de3f1e9b63643ad3ed88adc9494d87b72

            SHA256

            dbc2c3adabb515baba81f8fa694c0631d039e4dc3e34e36ecaa7abeef656b163

            SHA512

            3e5f17d80ec2b6b6a95f7b9a6e60a30f4a92cf96dd9094c49e68c454d1a0b52b093ea41444d50b6a6334a84f3dae2257e595dd3eef6901bc51063884fd2bf648

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            19KB

            MD5

            d948fdb8cc61a1353321a1b2be361233

            SHA1

            11086c7e8500688e1669cec99466cce65a9859ce

            SHA256

            01e149725deae1f880da54e84028dec8ae3fdee5e5fbf909246b1547b1c2d18e

            SHA512

            5ab2aa245ebbdf07ff282cba9bcd228d3ec67151e5eace41101c0d703ef27d8d32ede3cfbfe10979906a085156a4862d19e0cebedbba8acb924420dcf05c1342

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            19KB

            MD5

            86f89dfcc0079bc44cdd366b045d6a54

            SHA1

            3fb1284d030d8b4d17ef8a270865005dd367a6c6

            SHA256

            4c8a7e564150c7da789add2727e4da7655be64a43be545ae0277b504c979b6a0

            SHA512

            1e0897ed103d2b49f55c162225d9393ded2ec5da1a3d4ca36fed08e93b920ad191be1558944d3257a11544c56a17a37d5565b7ba89f0f074a362128c2bca41ba

            Download Submit

          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
            Filesize

            19KB

            MD5

            e619d9e094648af6002493177e53a356

            SHA1

            1871f7a1aa7d9d2f051f7cea7e012e11baa98f5f

            SHA256

            e05686a436cdfb1c957e975741f5631bdfb4b5f44d618242bf44d8b7c1c5d797

            SHA512

            c58055edc16298a50ba0713001eed30d371898533e238411d0d73e64c9d3cdd98ebe12ad4d721d21b732762eea532ef6941f40f4d38e8a8381841de3aef6254f

            Download Submit

          • C:\Windows\rss\csrss.exe
            Filesize

            4.2MB

            MD5

            9163ad206b7eebb91ecb8f9423f5803b

            SHA1

            08bf992452dce5f0257f682cef4ea722c64dc0ad

            SHA256

            4a8fa4fa050c76c244adccf3b531b604ccb97fecf91a218882dd988cc43947e6

            SHA512

            01cb583bf13f827098f60e017928fe0d9c42acbe0e8eae3809bb64c746a520bb081c4805bde3aa1f430c138117ea42e6e5b78092025794eba5f7f03ebf77fe08

            Download Submit

          • C:\Windows\windefender.exe
            Filesize

            2.0MB

            MD5

            8e67f58837092385dcf01e8a2b4f5783

            SHA1

            012c49cfd8c5d06795a6f67ea2baf2a082cf8625

            SHA256

            166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

            SHA512

            40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

            Download Submit

          • memory/932-124-0x0000000000400000-0x0000000002EE9000-memory.dmp

            Filesize

            42.9MB

            Download

          • memory/1116-207-0x0000000000400000-0x0000000002EE9000-memory.dmp

            Filesize

            42.9MB

            Download

          • memory/1116-218-0x0000000000400000-0x0000000002EE9000-memory.dmp

            Filesize

            42.9MB

            Download

          • memory/1116-224-0x0000000000400000-0x0000000002EE9000-memory.dmp

            Filesize

            42.9MB

            Download

          • memory/1116-216-0x0000000000400000-0x0000000002EE9000-memory.dmp

            Filesize

            42.9MB

            Download

          • memory/1116-202-0x0000000000400000-0x0000000002EE9000-memory.dmp

            Filesize

            42.9MB

            Download

          • memory/1116-228-0x0000000000400000-0x0000000002EE9000-memory.dmp

            Filesize

            42.9MB

            Download

          • memory/1116-226-0x0000000000400000-0x0000000002EE9000-memory.dmp

            Filesize

            42.9MB

            Download

          • memory/1116-222-0x0000000000400000-0x0000000002EE9000-memory.dmp

            Filesize

            42.9MB

            Download

          • memory/1116-234-0x0000000000400000-0x0000000002EE9000-memory.dmp

            Filesize

            42.9MB

            Download

          • memory/1116-220-0x0000000000400000-0x0000000002EE9000-memory.dmp

            Filesize

            42.9MB

            Download

          • memory/1116-214-0x0000000000400000-0x0000000002EE9000-memory.dmp

            Filesize

            42.9MB

            Download

          • memory/1116-232-0x0000000000400000-0x0000000002EE9000-memory.dmp

            Filesize

            42.9MB

            Download

          • memory/1116-230-0x0000000000400000-0x0000000002EE9000-memory.dmp

            Filesize

            42.9MB

            Download

          • memory/1156-111-0x0000000070ED0000-0x0000000071227000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1156-110-0x0000000070C80000-0x0000000070CCC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1156-108-0x00000000061B0000-0x0000000006507000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1356-162-0x0000000006210000-0x000000000625C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1356-160-0x0000000005930000-0x0000000005C87000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1356-163-0x0000000070B00000-0x0000000070B4C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1356-164-0x0000000070C80000-0x0000000070FD7000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1356-173-0x0000000006FB0000-0x0000000007054000-memory.dmp

            Filesize

            656KB

            Download

          • memory/1356-174-0x00000000072D0000-0x00000000072E1000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1356-175-0x0000000005680000-0x0000000005695000-memory.dmp

            Filesize

            84KB

            Download

          • memory/1636-39-0x0000000007B90000-0x0000000007B9A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1636-38-0x0000000007B50000-0x0000000007B6A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/1636-4-0x000000007490E000-0x000000007490F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1636-5-0x0000000002DA0000-0x0000000002DD6000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1636-7-0x0000000074900000-0x00000000750B1000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1636-6-0x0000000005910000-0x0000000005F3A000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/1636-8-0x00000000056E0000-0x0000000005702000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1636-10-0x0000000006020000-0x0000000006086000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1636-9-0x0000000005FB0000-0x0000000006016000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1636-19-0x0000000074900000-0x00000000750B1000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1636-20-0x0000000006180000-0x00000000064D7000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1636-21-0x0000000006580000-0x000000000659E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/1636-22-0x00000000065D0000-0x000000000661C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1636-23-0x0000000007710000-0x0000000007756000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1636-48-0x0000000074900000-0x00000000750B1000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1636-45-0x0000000007C80000-0x0000000007C88000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1636-44-0x0000000007C60000-0x0000000007C7A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/1636-43-0x0000000007C10000-0x0000000007C25000-memory.dmp

            Filesize

            84KB

            Download

          • memory/1636-35-0x0000000007A00000-0x0000000007A1E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/1636-42-0x0000000007C00000-0x0000000007C0E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/1636-36-0x0000000007A20000-0x0000000007AC4000-memory.dmp

            Filesize

            656KB

            Download

          • memory/1636-26-0x0000000070CF0000-0x0000000071047000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1636-25-0x0000000070B70000-0x0000000070BBC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1636-24-0x00000000079A0000-0x00000000079D4000-memory.dmp

            Filesize

            208KB

            Download

          • memory/1636-37-0x0000000008190000-0x000000000880A000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/1636-40-0x0000000007CA0000-0x0000000007D36000-memory.dmp

            Filesize

            600KB

            Download

          • memory/1636-41-0x0000000007BB0000-0x0000000007BC1000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1864-213-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/1864-208-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/1936-64-0x0000000070E00000-0x0000000071157000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1936-62-0x0000000006740000-0x000000000678C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1936-73-0x00000000078E0000-0x0000000007984000-memory.dmp

            Filesize

            656KB

            Download

          • memory/1936-63-0x0000000070C80000-0x0000000070CCC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1936-74-0x0000000007C40000-0x0000000007C51000-memory.dmp

            Filesize

            68KB

            Download

          • memory/1936-75-0x0000000007C90000-0x0000000007CA5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/1936-61-0x0000000006310000-0x0000000006667000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/2800-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/2800-2-0x0000000005090000-0x000000000597B000-memory.dmp

            Filesize

            8.9MB

            Download

          • memory/2800-49-0x0000000000400000-0x0000000002EE9000-memory.dmp

            Filesize

            42.9MB

            Download

          • memory/2800-50-0x0000000000400000-0x0000000000D1C000-memory.dmp

            Filesize

            9.1MB

            Download

          • memory/2800-52-0x0000000005090000-0x000000000597B000-memory.dmp

            Filesize

            8.9MB

            Download

          • memory/2800-1-0x0000000003680000-0x0000000003A79000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/3840-185-0x00000000057A0000-0x0000000005AF7000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/3840-188-0x0000000070CA0000-0x0000000070FF7000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/3840-187-0x0000000070B00000-0x0000000070B4C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4508-137-0x00000000066C0000-0x000000000670C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4508-149-0x00000000076E0000-0x00000000076F1000-memory.dmp

            Filesize

            68KB

            Download

          • memory/4508-148-0x00000000073C0000-0x0000000007464000-memory.dmp

            Filesize

            656KB

            Download

          • memory/4508-139-0x0000000070E30000-0x0000000071187000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4508-132-0x0000000005B80000-0x0000000005ED7000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4508-138-0x0000000070BE0000-0x0000000070C2C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4508-150-0x0000000005F40000-0x0000000005F55000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4528-215-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/4528-219-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/4528-211-0x0000000000400000-0x00000000008DF000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/4704-87-0x0000000005B40000-0x0000000005E97000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4704-89-0x0000000070C80000-0x0000000070CCC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4704-90-0x0000000070E20000-0x0000000071177000-memory.dmp

            Filesize

            3.3MB

            Download