Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    290s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    16/05/2024, 22:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    119a409ea2f3794f031644a853f1ffa5646cba8cd7ef4caa1344dbe195569234.exe

  • Size

    4.1MB

  • MD5

    40e0bb419e2a513ea5a313fa855a7fb1

  • SHA1

    9db36e0b0258609a7126e4cfade72eaa0bc55241

  • SHA256

    119a409ea2f3794f031644a853f1ffa5646cba8cd7ef4caa1344dbe195569234

  • SHA512

    83ab0ea0067bc06bd5f4be539858f96ca4f37f7f30166bfc5f9ea71b0d886f048b8f22eb2302da7f5491a9103116aee393c96e1a739db7792185a65b6370caff

  • SSDEEP

    98304:XqpMRaJi3sEqIr6ilJJkay2XIp4ZT71i5GwG4N1PBcavz8a0:XqpMRJcE1nJkaVIp4ZT7zwBrzd0

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkittrojanupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 31 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\119a409ea2f3794f031644a853f1ffa5646cba8cd7ef4caa1344dbe195569234.exe
    "C:\Users\Admin\AppData\Local\Temp\119a409ea2f3794f031644a853f1ffa5646cba8cd7ef4caa1344dbe195569234.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4128
    • C:\Users\Admin\AppData\Local\Temp\119a409ea2f3794f031644a853f1ffa5646cba8cd7ef4caa1344dbe195569234.exe
      "C:\Users\Admin\AppData\Local\Temp\119a409ea2f3794f031644a853f1ffa5646cba8cd7ef4caa1344dbe195569234.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4176
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4744
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2564
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:2480
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:656
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5084
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3084
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2624
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2796
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:2244
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3928
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2612
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:5104
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:628
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4756
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3476
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:4076
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:4944

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Impair Defenses

    3
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kajvis3a.p0r.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      474be298b1118243bafbbe991708baf0

      SHA1

      f60ba9eadf670ffc0e032bf866966a16b401293e

      SHA256

      90330bb0e2cf3a0389851d662cdedb3cbec5e3cd898c0a627d5a240ef4b5a46c

      SHA512

      74ccb96c3a31eec2b165b1d847c0cef57283307698d54b69e4395a6d18adcec7453f448dc91e79a4f2dcb3fef1ae89f199ac623f1789ec3958bed088a9c16d6b

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      5b3e3111afcb92469c1d481e62c94b4a

      SHA1

      05325d28baa1a1a902f61f2fc2e897c0d6cb2fe9

      SHA256

      9f29817660ff446f17a859bf471afc1b128aae5211e88bdbaed78cb596766b21

      SHA512

      b3f1baa1ee09a527b044a83bc32807238fd00aef5dda9cf391951e8f5b0d78cfc664f6da36b766c1da3ba9de2919725116b2bb43aab5197d7455c470bf008e45

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      0f69d0cc58a5c91efe885c4420413722

      SHA1

      2c7781301850d41ff7de0b559125f3e53d4a90ff

      SHA256

      3d752db571c80c526bb93f5e3c5c806bfc1b8161d76d655e21f91c421a1e0cd4

      SHA512

      dd4ef40546d6f2c28b35ce4b90975a6328c90895fa8f8cff20cabe3eb04a4aca997fb00d84f9a58db182b1eadb34d0f823f0796a389a64ec9f6fc82ecef9420b

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      b6b1fd65a3fbbe6e165c125454e2554e

      SHA1

      f6a45cba6b6b51eceabe8451397f984deeaf1bf0

      SHA256

      531ab680062e70ea04de148297d0c1604093341896f5e17a278f0bfc2cc537ac

      SHA512

      30db5e55e1e31f38518db5a60f070cdb6cd5a3bfa501503bae71fe30ab9a19569bc60a76ee716ad517cd86fd06eac79244272c7f20e0b89dac1624381c578845

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      1644844f55f2bd07c3e3bd53d315b161

      SHA1

      94717e91c4e9e88629d168301b1a4d5f11a83bbb

      SHA256

      75e9c4f3b8dbca5d96cf6db5092db59071edda4ad5f6dbd17fcd24376989bdfa

      SHA512

      b68370ef0e6a5896bd6f681ded3f2ea5e5f889a631245e2aeee287820a094e96a9e4f9126ff5f3d5ce62fe95310ee38b2a78caa5b385b8486b2ed30ea3bfb960

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      40e0bb419e2a513ea5a313fa855a7fb1

      SHA1

      9db36e0b0258609a7126e4cfade72eaa0bc55241

      SHA256

      119a409ea2f3794f031644a853f1ffa5646cba8cd7ef4caa1344dbe195569234

      SHA512

      83ab0ea0067bc06bd5f4be539858f96ca4f37f7f30166bfc5f9ea71b0d886f048b8f22eb2302da7f5491a9103116aee393c96e1a739db7792185a65b6370caff

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/656-565-0x0000000070490000-0x00000000704DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/656-566-0x00000000704E0000-0x0000000070830000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2612-1518-0x0000000070BD0000-0x0000000070F20000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2612-1517-0x0000000070B80000-0x0000000070BCB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2624-1043-0x00000000703F0000-0x000000007043B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2624-1022-0x0000000007CB0000-0x0000000008000000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2624-1024-0x00000000083D0000-0x000000000841B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2624-1044-0x0000000070460000-0x00000000707B0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2624-1049-0x00000000098E0000-0x0000000009985000-memory.dmp

      Filesize

      660KB

      Download

    • memory/2908-11-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/2908-303-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2908-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2908-2-0x0000000004CD0000-0x00000000055BB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/2908-1-0x00000000048C0000-0x0000000004CC2000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2908-300-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/2908-301-0x0000000004CD0000-0x00000000055BB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/3084-1771-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1783-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1751-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1753-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1747-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1740-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1755-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1757-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1731-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1759-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1761-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1763-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1765-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1767-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1769-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1789-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1773-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1775-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1787-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1777-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1779-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1781-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1749-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3084-1785-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3928-1287-0x0000000009DA0000-0x0000000009E45000-memory.dmp

      Filesize

      660KB

      Download

    • memory/3928-1260-0x0000000008360000-0x00000000086B0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3928-1282-0x0000000070BD0000-0x0000000070F20000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3928-1262-0x0000000008840000-0x000000000888B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3928-1281-0x0000000070B80000-0x0000000070BCB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4128-83-0x000000000A230000-0x000000000A2C4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4128-82-0x000000000A040000-0x000000000A0E5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/4128-6-0x000000007376E000-0x000000007376F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4128-7-0x0000000004BA0000-0x0000000004BD6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4128-13-0x00000000079C0000-0x0000000007A26000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4128-14-0x0000000007C10000-0x0000000007C76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4128-15-0x0000000007C80000-0x0000000007FD0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4128-16-0x0000000008050000-0x000000000806C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4128-17-0x0000000008410000-0x000000000845B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4128-36-0x0000000008460000-0x000000000849C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4128-67-0x0000000009290000-0x0000000009306000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4128-77-0x0000000009FE0000-0x0000000009FFE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4128-12-0x00000000072C0000-0x00000000072E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4128-8-0x0000000073760000-0x0000000073E4E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4128-299-0x0000000073760000-0x0000000073E4E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4128-9-0x0000000007390000-0x00000000079B8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4128-281-0x000000000A1A0000-0x000000000A1A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4128-276-0x000000000A1B0000-0x000000000A1CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4128-74-0x000000000A000000-0x000000000A033000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4128-10-0x0000000073760000-0x0000000073E4E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4128-75-0x0000000070BB0000-0x0000000070BFB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4128-76-0x0000000070C00000-0x0000000070F50000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4176-1017-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/4176-308-0x0000000000400000-0x0000000002B0C000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/4744-306-0x00000000082F0000-0x0000000008640000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4744-307-0x0000000008C50000-0x0000000008C9B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4744-328-0x00000000704E0000-0x0000000070830000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4744-327-0x0000000070490000-0x00000000704DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4744-333-0x0000000009D20000-0x0000000009DC5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/4756-1746-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4756-1741-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4944-1744-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4944-1758-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4944-1752-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4944-1748-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/5084-800-0x0000000070490000-0x00000000704DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/5084-801-0x00000000704E0000-0x0000000070830000-memory.dmp

      Filesize

      3.3MB

      Download