Overview

overview

10

Static

static

1

89a723b9d1...59.exe

windows7-x64

10

89a723b9d1...59.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 23:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89a723b9d1e021e444a9468f4cfa944183f10c7d40fa87a9f77a4270f1301c59.exe

  • Size

    4.1MB

  • MD5

    5eaf807b6bc23c645654ed83a20a91b9

  • SHA1

    d5f0d8e488feb8a20d389a79baa7cff7cbc44e6d

  • SHA256

    89a723b9d1e021e444a9468f4cfa944183f10c7d40fa87a9f77a4270f1301c59

  • SHA512

    8be6918792709927e9ce33917185442f8b551cfb04ebabbcd5c907a46db58a24b428b7b718588f59af79a16192302be626b84ccd67af2d8d7f668b6fafd13453

  • SSDEEP

    98304:c5XFTlMyMZVAWF8SeH6tiBW2iadSy01pM0vGwbSOXmAlvt:clM/Z/sBW2vMzM6G+VHvt

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkitupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 19 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 17 IoCs
  • Detects executables Discord URL observed in first stage droppers 17 IoCs
  • Detects executables containing URLs to raw contents of a Github gist 17 IoCs
  • Detects executables containing artifacts associated with disabling Widnows Defender 17 IoCs
  • Detects executables referencing many varying, potentially fake Windows User-Agents 17 IoCs
  • UPX dump on OEP (original entry point) 6 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\89a723b9d1e021e444a9468f4cfa944183f10c7d40fa87a9f77a4270f1301c59.exe
    "C:\Users\Admin\AppData\Local\Temp\89a723b9d1e021e444a9468f4cfa944183f10c7d40fa87a9f77a4270f1301c59.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4196
    • C:\Users\Admin\AppData\Local\Temp\89a723b9d1e021e444a9468f4cfa944183f10c7d40fa87a9f77a4270f1301c59.exe
      "C:\Users\Admin\AppData\Local\Temp\89a723b9d1e021e444a9468f4cfa944183f10c7d40fa87a9f77a4270f1301c59.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5100
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3176
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:836
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4452
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3160
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3552
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2888
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3660
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:4844
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2076
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3608
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4784
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:2936
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4960
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2116
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:4476
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:1192

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qbexjaam.ufj.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      b791d98413c96f233cbdd0622a25b254

      SHA1

      b958834da13ab950da9e65fc6cdc8d3a95f29896

      SHA256

      f770dc782af16103101147510dec8c1065dca3bffe66e66931468b907a902d4d

      SHA512

      f89eee64b71964bb825be85a9d67a453360838f19abb9327143ad8b5bdd02be4c7b3bd4722986d97dde574af6dfe09e4c15892976de5c90167bf31aadad3d8f4

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      a66e2dbea8d030be36bcb7920e3d1866

      SHA1

      1372891e549f9e51e11620500c727f9901c3d125

      SHA256

      756760844c6c767a864aa59204286d319ff6ef799234274099978d421740f055

      SHA512

      31ba8cec4afcbb2100b14547c4fd377c375596567345a4d1dc409b18344949b0116296bc5feea26a52a7a0203ddf941f8f5ac15dda07c541b79977f40adb7c98

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      249fbf0514c391c9f75c99bc53ce5421

      SHA1

      9fd05ac6e0c54a1ea8524cf01c3ab08571836e4a

      SHA256

      2b6259ed5d66748deb6515e4aeaa0be1f588bf929ac09133f8baaab2b339d470

      SHA512

      9f682d768034989063019c57c5b900cc5af68ad4f9f5c70f5817002619b8bcb6ef26676a124fa270c3aacbb05df0be26ab370ac10b5d1cb2f647527a48746227

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      45c1a9fbb8dc902519dd8a312c79e455

      SHA1

      3dde20e6a0f4e83846bab2b2909abc48338e64ce

      SHA256

      edca5fabca5c34763be34c2e1552e0531a2c5fba4b69c6dd75ce61316bf98a7d

      SHA512

      3321388b8c207111d22429e0838b5e330521f628392f5c15d44982f0526c74e5ac2f2c51f9c504abe8ff57d5108d3bab799dc883b84e6e942d70b8f97e708610

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      aeebe02744dc26780cf423f54b7b7efa

      SHA1

      839b18742949d1c2d872fd16789b8e15c4a25445

      SHA256

      98e0c245ccd08efcd8869b9f55e9fce2f99604695f867320b74334c71823eee9

      SHA512

      8b309e901df3b988e3a571c6f3a9a7c3f87e208ed5d10d5bc60c5c593260bf75db9a1ec99ad03fd0dae29730467e9440d51197ad157e2bb44734c7bac57ca4f1

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      5eaf807b6bc23c645654ed83a20a91b9

      SHA1

      d5f0d8e488feb8a20d389a79baa7cff7cbc44e6d

      SHA256

      89a723b9d1e021e444a9468f4cfa944183f10c7d40fa87a9f77a4270f1301c59

      SHA512

      8be6918792709927e9ce33917185442f8b551cfb04ebabbcd5c907a46db58a24b428b7b718588f59af79a16192302be626b84ccd67af2d8d7f668b6fafd13453

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/1192-229-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1192-233-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1192-237-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2076-189-0x00000000077D0000-0x0000000007873000-memory.dmp

      Filesize

      652KB

      Download

    • memory/2076-191-0x0000000006360000-0x0000000006374000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2076-171-0x0000000005E90000-0x00000000061E4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2076-177-0x0000000006620000-0x000000000666C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2076-178-0x00000000700F0000-0x000000007013C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2076-179-0x0000000070880000-0x0000000070BD4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2076-190-0x0000000007AC0000-0x0000000007AD1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2312-136-0x0000000000400000-0x0000000001DE6000-memory.dmp

      Filesize

      25.9MB

      Download

    • memory/2312-119-0x0000000000400000-0x0000000001DE6000-memory.dmp

      Filesize

      25.9MB

      Download

    • memory/2888-162-0x0000000007320000-0x00000000073C3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/2888-150-0x0000000006610000-0x000000000665C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2888-148-0x00000000059D0000-0x0000000005D24000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2888-151-0x00000000701D0000-0x000000007021C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2888-152-0x00000000705F0000-0x0000000070944000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2888-163-0x0000000007490000-0x00000000074A1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2888-164-0x00000000059A0000-0x00000000059B4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3160-122-0x0000000070A10000-0x0000000070D64000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3160-121-0x0000000070270000-0x00000000702BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3552-248-0x0000000000400000-0x0000000001DE6000-memory.dmp

      Filesize

      25.9MB

      Download

    • memory/3552-246-0x0000000000400000-0x0000000001DE6000-memory.dmp

      Filesize

      25.9MB

      Download

    • memory/3552-238-0x0000000000400000-0x0000000001DE6000-memory.dmp

      Filesize

      25.9MB

      Download

    • memory/3552-236-0x0000000000400000-0x0000000001DE6000-memory.dmp

      Filesize

      25.9MB

      Download

    • memory/3552-240-0x0000000000400000-0x0000000001DE6000-memory.dmp

      Filesize

      25.9MB

      Download

    • memory/3552-216-0x0000000000400000-0x0000000001DE6000-memory.dmp

      Filesize

      25.9MB

      Download

    • memory/3552-225-0x0000000000400000-0x0000000001DE6000-memory.dmp

      Filesize

      25.9MB

      Download

    • memory/3552-234-0x0000000000400000-0x0000000001DE6000-memory.dmp

      Filesize

      25.9MB

      Download

    • memory/3552-232-0x0000000000400000-0x0000000001DE6000-memory.dmp

      Filesize

      25.9MB

      Download

    • memory/3552-250-0x0000000000400000-0x0000000001DE6000-memory.dmp

      Filesize

      25.9MB

      Download

    • memory/3552-244-0x0000000000400000-0x0000000001DE6000-memory.dmp

      Filesize

      25.9MB

      Download

    • memory/3552-242-0x0000000000400000-0x0000000001DE6000-memory.dmp

      Filesize

      25.9MB

      Download

    • memory/3608-205-0x0000000070270000-0x00000000705C4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3608-202-0x00000000061E0000-0x0000000006534000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3608-204-0x00000000700F0000-0x000000007013C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4196-4-0x00000000742DE000-0x00000000742DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4196-51-0x0000000007F00000-0x0000000007F08000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4196-42-0x0000000007D60000-0x0000000007E03000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4196-43-0x00000000742D0000-0x0000000074A80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4196-11-0x0000000006130000-0x0000000006196000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4196-24-0x0000000006CF0000-0x0000000006D34000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4196-25-0x0000000007AC0000-0x0000000007B36000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4196-26-0x00000000081C0000-0x000000000883A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4196-10-0x00000000060C0000-0x0000000006126000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4196-27-0x0000000007B40000-0x0000000007B5A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4196-29-0x0000000070170000-0x00000000701BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4196-9-0x00000000742D0000-0x0000000074A80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4196-28-0x0000000007D00000-0x0000000007D32000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4196-5-0x0000000003190000-0x00000000031C6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4196-31-0x00000000742D0000-0x0000000074A80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4196-45-0x00000000742D0000-0x0000000074A80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4196-54-0x00000000742D0000-0x0000000074A80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4196-7-0x00000000058C0000-0x0000000005EE8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4196-50-0x0000000007FB0000-0x0000000007FCA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4196-8-0x0000000005EF0000-0x0000000005F12000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4196-49-0x0000000007EC0000-0x0000000007ED4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4196-48-0x0000000007EB0000-0x0000000007EBE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4196-47-0x0000000007E70000-0x0000000007E81000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4196-30-0x00000000702F0000-0x0000000070644000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4196-21-0x00000000062A0000-0x00000000065F4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4196-41-0x0000000007D40000-0x0000000007D5E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4196-46-0x0000000007F10000-0x0000000007FA6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4196-6-0x00000000742D0000-0x0000000074A80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4196-22-0x0000000006780000-0x000000000679E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4196-23-0x00000000067C0000-0x000000000680C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4196-44-0x0000000007E50000-0x0000000007E5A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4452-92-0x0000000005EB0000-0x0000000006204000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4452-99-0x0000000070A10000-0x0000000070D64000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4452-98-0x0000000070270000-0x00000000702BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4960-231-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4960-226-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/5048-57-0x0000000003EC0000-0x00000000047AB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/5048-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/5048-2-0x0000000003EC0000-0x00000000047AB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/5048-1-0x0000000003AC0000-0x0000000003EB9000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/5048-55-0x0000000000400000-0x0000000001DE6000-memory.dmp

      Filesize

      25.9MB

      Download

    • memory/5048-56-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/5100-83-0x0000000007130000-0x0000000007144000-memory.dmp

      Filesize

      80KB

      Download

    • memory/5100-68-0x00000000056B0000-0x0000000005A04000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5100-69-0x0000000005C60000-0x0000000005CAC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5100-71-0x00000000703F0000-0x0000000070744000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5100-70-0x0000000070270000-0x00000000702BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5100-81-0x0000000006DD0000-0x0000000006E73000-memory.dmp

      Filesize

      652KB

      Download

    • memory/5100-82-0x00000000070E0000-0x00000000070F1000-memory.dmp

      Filesize

      68KB

      Download