Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    299s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    16/05/2024, 23:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72c78347f13522c6550af1a4667efb63aac7ee6944caf3cf8584a1e116d33f43.exe

  • Size

    4.1MB

  • MD5

    9fffb87f1af54a27370f5313e12ec33c

  • SHA1

    5d8ef239ed414317f4ca90d1e648f24e088160b8

  • SHA256

    72c78347f13522c6550af1a4667efb63aac7ee6944caf3cf8584a1e116d33f43

  • SHA512

    60a7c2984e2e56366e2a584c71b6c8622a1053596f3c93c2aec7e5201ec56017241b76c6eb88312778e9f3b0b6a8cf9dc559aa2114cb480cc6ab90b8639fcdfb

  • SSDEEP

    98304:EOx+yLAsWcX5ANOp80aGDbz4ZHRnWgYq13pS/Dvn0Yngv:kE1pj8JRnW2pojn0Ygv

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkittrojan

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 33 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\72c78347f13522c6550af1a4667efb63aac7ee6944caf3cf8584a1e116d33f43.exe
    "C:\Users\Admin\AppData\Local\Temp\72c78347f13522c6550af1a4667efb63aac7ee6944caf3cf8584a1e116d33f43.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4520
    • C:\Users\Admin\AppData\Local\Temp\72c78347f13522c6550af1a4667efb63aac7ee6944caf3cf8584a1e116d33f43.exe
      "C:\Users\Admin\AppData\Local\Temp\72c78347f13522c6550af1a4667efb63aac7ee6944caf3cf8584a1e116d33f43.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4548
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:196
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:3384
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4152
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1936
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4904
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4232
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:4148
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:32
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1128
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1020
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:1156

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Impair Defenses

    3
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ezasgiw.xuj.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      db01a2c1c7e70b2b038edf8ad5ad9826

      SHA1

      540217c647a73bad8d8a79e3a0f3998b5abd199b

      SHA256

      413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

      SHA512

      c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      3d6f18db515df2c80e0510b05fc20a6e

      SHA1

      2f9a4d46155b75d48ff0d735425942ac8ee50bb4

      SHA256

      42b28e39fddbae37931482bc6a41d3ffe8d9e3dd4face1557602689e807ab492

      SHA512

      2430581073db1aae09b2e822c5065dd169e90ac1fc2ea075ca14e712c219da3afea83fb43cb29d8814d722632bdc18cf552f420142def53c036657794ba40f39

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      632ce6322f8b6cce8d782bb6ad01d7da

      SHA1

      6a02755b6ce6a8992c20c7353ee4ef0e0324c029

      SHA256

      19fe48e6526328b9eeb683f250cc18948bfa4b2696cc9c10beed9ad4c349d836

      SHA512

      6156273596969975e218408cd18a68575aaae04afb3fa79a2752f9f9be481b79082162aeb163edd4e1e4106ce70231ac14b1d3f26e22b83d7f2103244dbcaee4

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      30cdb6cd7d2d0568c68826133b7402c1

      SHA1

      58a5620712bd956768685fc465eab538352c745c

      SHA256

      e92601a49c899ffd9a13a6375dd09319f8a77ec819b0d67e621db1f8a134377a

      SHA512

      faa0951cef2bcd93fe775186265f9437e720b650342b4fffcaa1dfba3136a0744a88139c49a29500f66c06f3945b4983b64f831c1c187e6b3e39d4a5f828ea65

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      8a95cb6bcf6e8ca200ed600aed0d1dca

      SHA1

      f739129b82177824596d48e6f8f3f0234577d1ef

      SHA256

      1fd1ab6c117b10b149b1c0fd3359098929b895efb54a724b57496aad73e8ae9f

      SHA512

      b94dbc2a105ee5537afd79f29b2e6cd20d54d608dbcc97fd44e3603259d0dd4b180d7038ce71fbba29e7b792c29fe67fca6742d7af83234e82c234f3ca494697

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      ca296d922d7d73969cf6e294bdbb2373

      SHA1

      a86459fcbee8e061b7984f3b318001f46f0732e5

      SHA256

      ea666c0f9a793a417a6ca817b75970f856e84f0dbdfac170d778479bdd987b9a

      SHA512

      2e794e5b6ae1ae02925b4848d902d2cbc3ffa7bed909a419f1d1761a5517f8c548242a7c7eb8ac8ecd59b8e4a1e4b1ae01b434a33e5b8331062a2cdd8d9b52a7

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      9fffb87f1af54a27370f5313e12ec33c

      SHA1

      5d8ef239ed414317f4ca90d1e648f24e088160b8

      SHA256

      72c78347f13522c6550af1a4667efb63aac7ee6944caf3cf8584a1e116d33f43

      SHA512

      60a7c2984e2e56366e2a584c71b6c8622a1053596f3c93c2aec7e5201ec56017241b76c6eb88312778e9f3b0b6a8cf9dc559aa2114cb480cc6ab90b8639fcdfb

      Download Submit

    • memory/32-1291-0x00000000703E0000-0x0000000070730000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/32-1290-0x00000000723A0000-0x00000000723EB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/32-1296-0x0000000009BA0000-0x0000000009C45000-memory.dmp

      Filesize

      660KB

      Download

    • memory/32-1270-0x00000000088F0000-0x000000000893B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1128-1526-0x00000000723A0000-0x00000000723EB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1128-1527-0x00000000703E0000-0x0000000070730000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1320-1026-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/1320-539-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/1936-810-0x0000000072210000-0x0000000072560000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1936-809-0x00000000721A0000-0x00000000721EB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2216-300-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/2216-1-0x00000000045A0000-0x00000000049A6000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2216-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2216-2-0x00000000049B0000-0x000000000529B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/2216-69-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/2216-302-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2216-301-0x00000000049B0000-0x000000000529B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4152-571-0x00000000721F0000-0x0000000072540000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4152-570-0x00000000721A0000-0x00000000721EB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4152-550-0x0000000007C40000-0x0000000007F90000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4520-74-0x000000000A410000-0x000000000A443000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4520-9-0x0000000073A40000-0x000000007412E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4520-6-0x0000000073A4E000-0x0000000073A4F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4520-7-0x0000000004CB0000-0x0000000004CE6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4520-8-0x00000000077C0000-0x0000000007DE8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4520-10-0x0000000073A40000-0x000000007412E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4520-299-0x0000000073A40000-0x000000007412E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4520-281-0x000000000A5C0000-0x000000000A5C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4520-276-0x000000000A680000-0x000000000A69A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4520-83-0x000000000A5E0000-0x000000000A674000-memory.dmp

      Filesize

      592KB

      Download

    • memory/4520-82-0x000000000A450000-0x000000000A4F5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/4520-76-0x00000000703E0000-0x0000000070730000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4520-77-0x000000000A3F0000-0x000000000A40E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4520-75-0x00000000723D0000-0x000000007241B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4520-66-0x00000000095C0000-0x0000000009636000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4520-35-0x0000000009500000-0x000000000953C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4520-16-0x00000000084B0000-0x00000000084FB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4520-11-0x00000000076E0000-0x0000000007702000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4520-15-0x0000000008470000-0x000000000848C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4520-12-0x0000000007FD0000-0x0000000008036000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4520-13-0x0000000008040000-0x00000000080A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4520-14-0x00000000080B0000-0x0000000008400000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4548-332-0x0000000008DE0000-0x0000000008E85000-memory.dmp

      Filesize

      660KB

      Download

    • memory/4548-307-0x0000000007F90000-0x0000000007FDB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4548-326-0x00000000721A0000-0x00000000721EB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4548-327-0x0000000072210000-0x0000000072560000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4548-306-0x0000000007750000-0x0000000007AA0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4848-1752-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1754-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1769-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1285-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1768-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1767-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1745-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1746-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1747-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1748-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1749-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1750-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1751-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1766-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1753-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1765-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1755-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1756-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1757-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1758-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1759-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1760-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1761-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1762-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1763-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4848-1764-0x0000000000400000-0x0000000002959000-memory.dmp

      Filesize

      37.3MB

      Download

    • memory/4904-1031-0x0000000007820000-0x0000000007B70000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4904-1058-0x0000000009280000-0x0000000009325000-memory.dmp

      Filesize

      660KB

      Download

    • memory/4904-1053-0x0000000072170000-0x00000000724C0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4904-1052-0x00000000706E0000-0x000000007072B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4904-1033-0x0000000007D20000-0x0000000007D6B000-memory.dmp

      Filesize

      300KB

      Download