glupteba | 5d1a3240fe06eced09f713043805545fe063ecd5333355630253f07925edd0f1

Analysis

max time kernel
1s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d1a3240fe06eced09f713043805545fe063ecd5333355630253f07925edd0f1.exe
Size

4.1MB
MD5

a105392d32bfd7dae76a497e10c5ada5
SHA1

47bbb13eefac2a35e7bfea20eb613aae37a49046
SHA256

5d1a3240fe06eced09f713043805545fe063ecd5333355630253f07925edd0f1
SHA512

3760476519ce1e23cac9d97e863b9da95fcfd166c343f28007036a958bf8d332b989bd9626ef1da46d0586acc1f0cd6504cfffc87abea188854df39c7d56f8e0
SSDEEP

98304:cmJz+EAFuKpzA6GjnwtAd4VH0G8BBOAZM6KCBe84j:Jh+Eouw86GbIivMwMVCB8j

Score

10^/10

glupteba dropper evasion execution loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 18 IoCs

resource	yara_rule
behavioral1/memory/4008-2-0x0000000004D00000-0x00000000055EB000-memory.dmp	family_glupteba
behavioral1/memory/4008-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4008-55-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/4008-53-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/4416-133-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/3532-218-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/3532-226-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/3532-228-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/3532-230-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/3532-232-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/3532-234-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/3532-236-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/3532-238-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/3532-240-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/3532-242-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/3532-244-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/3532-246-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral1/memory/3532-248-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1196	netsh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000023432-222.dat	upx
behavioral1/memory/1636-223-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1636-225-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/4504-227-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/4504-231-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/4504-237-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4436	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4452	powershell.exe
4900	powershell.exe
4536	powershell.exe
3688	powershell.exe
4744	powershell.exe
4372	powershell.exe
1160	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
800	schtasks.exe
4380	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4452	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4452	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 4452	4008	5d1a3240fe06eced09f713043805545fe063ecd5333355630253f07925edd0f1.exe	86
PID 4008 wrote to memory of 4452	4008	5d1a3240fe06eced09f713043805545fe063ecd5333355630253f07925edd0f1.exe	86
PID 4008 wrote to memory of 4452	4008	5d1a3240fe06eced09f713043805545fe063ecd5333355630253f07925edd0f1.exe	86

C:\Users\Admin\AppData\Local\Temp\5d1a3240fe06eced09f713043805545fe063ecd5333355630253f07925edd0f1.exe
"C:\Users\Admin\AppData\Local\Temp\5d1a3240fe06eced09f713043805545fe063ecd5333355630253f07925edd0f1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Users\Admin\AppData\Local\Temp\5d1a3240fe06eced09f713043805545fe063ecd5333355630253f07925edd0f1.exe
  "C:\Users\Admin\AppData\Local\Temp\5d1a3240fe06eced09f713043805545fe063ecd5333355630253f07925edd0f1.exe"
  2⤵
  PID:4416
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4900
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:3176
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4536
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3688
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:3532
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4744
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:800
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4372
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:4768
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:4380
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:1636
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:2656
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:4436

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u0whq4oh.t1p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b3ee93e8df696f4df2e3e3a12280fdd7

SHA1
db74186d820223290dd54e0cc22e95723c44111a

SHA256
89fdd75493a5c936a70579b1eeca23c9e70aa1824af9740a77450da84c8f6b8a

SHA512
9581569121f87da8fbecb03061def66d3713e773b24cb86d32ca69a03c2e85c39e685a6a5177b572dd3bf9759e0b450ae1068df79c548e27fa7e657b5408bfe8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
e219550861311f704b6b0c65f65bbfdf

SHA1
aadea6ead4e2f20124710ab0628195c285cb5036

SHA256
e9a20ef76731b9f3e61f94e7f0423a5358b4d38a61bffcf04f71a3ab850417fd

SHA512
082f6e8d3818d736ff82ad6e031db62fe065a1e3a177cfa2bd77bfae838923b3da1b62a0212c9f7eb5f43c6209981ec048fcada13608bdd7fbfa83d7f395b0e3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b6ea77d2feaeef723bc7d64c8c9f03e0

SHA1
3fed0ef77584c32d7099c56500b1742e35d9326c

SHA256
649d5f8de6b48b15b51b8fb64f02c62d04f10d747cf0e9ae3470e97d57ff0b84

SHA512
91fbeeb42b518f52391f18d37583e8ebdbddd4aebf4bb5ab2d94f9c6b4bfc3752b4ee702d6d639f965a9cfcac1e0dd9ec56174548d3ee2e33d6d24ebfee51e29

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
ba1a4b1ca7160a5d7073a404ccb8425c

SHA1
72a0c8e556fa63ecd92d2578eafc60f76a9b0607

SHA256
ca5a5b8862e83f266c978c855f83dedc158351631e014ee92a9be720224cc526

SHA512
757babe91f3b57503222609836500ebbc3872c5047c5dc05f653e56b4ceb60e20e9a8ebd3dc90294b00b5a01fe2d8937c8275efed8c6a64fa7974750398043d0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2a0d5364f54c4c1e9e23a9f5234bb5fb

SHA1
45fed1538b4204f07128f1d87d53baf215deedc3

SHA256
6095d1189999e2b9cac7918145c9f98d825771a690f91f6b42410ddc99c6f670

SHA512
3f3034c722274427be5d0c2af72ac9f4936b88f2f54caf5846e5860111ea30c627679f9295cbcee5550d789b923b042dad2463de68a4e0886c366465cab9554b

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
a105392d32bfd7dae76a497e10c5ada5

SHA1
47bbb13eefac2a35e7bfea20eb613aae37a49046

SHA256
5d1a3240fe06eced09f713043805545fe063ecd5333355630253f07925edd0f1

SHA512
3760476519ce1e23cac9d97e863b9da95fcfd166c343f28007036a958bf8d332b989bd9626ef1da46d0586acc1f0cd6504cfffc87abea188854df39c7d56f8e0

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/1160-190-0x00000000062B0000-0x0000000006604000-memory.dmp

Filesize
3.3MB

Download
memory/1160-201-0x00000000705F0000-0x000000007063C000-memory.dmp

Filesize
304KB

Download
memory/1160-202-0x0000000070D80000-0x00000000710D4000-memory.dmp

Filesize
3.3MB

Download
memory/1636-225-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1636-223-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3532-234-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/3532-238-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/3532-228-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/3532-230-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/3532-218-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/3532-232-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/3532-236-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/3532-244-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/3532-226-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/3532-240-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/3532-242-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/3532-246-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/3532-248-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/3688-118-0x0000000070770000-0x00000000707BC000-memory.dmp

Filesize
304KB

Download
memory/3688-119-0x00000000708F0000-0x0000000070C44000-memory.dmp

Filesize
3.3MB

Download
memory/3688-116-0x0000000005A80000-0x0000000005DD4000-memory.dmp

Filesize
3.3MB

Download
memory/4008-1-0x0000000004900000-0x0000000004CFE000-memory.dmp

Filesize
4.0MB

Download
memory/4008-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4008-55-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4008-53-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/4008-56-0x0000000004D00000-0x00000000055EB000-memory.dmp

Filesize
8.9MB

Download
memory/4008-2-0x0000000004D00000-0x00000000055EB000-memory.dmp

Filesize
8.9MB

Download
memory/4372-187-0x0000000007580000-0x0000000007591000-memory.dmp

Filesize
68KB

Download
memory/4372-186-0x0000000007250000-0x00000000072F3000-memory.dmp

Filesize
652KB

Download
memory/4372-175-0x00000000705F0000-0x000000007063C000-memory.dmp

Filesize
304KB

Download
memory/4372-172-0x0000000005B50000-0x0000000005EA4000-memory.dmp

Filesize
3.3MB

Download
memory/4372-188-0x0000000005A00000-0x0000000005A14000-memory.dmp

Filesize
80KB

Download
memory/4372-176-0x0000000070770000-0x0000000070AC4000-memory.dmp

Filesize
3.3MB

Download
memory/4372-174-0x0000000006020000-0x000000000606C000-memory.dmp

Filesize
304KB

Download
memory/4416-133-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/4452-42-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/4452-25-0x00000000082D0000-0x000000000894A000-memory.dmp

Filesize
6.5MB

Download
memory/4452-4-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/4452-5-0x0000000005310000-0x0000000005346000-memory.dmp

Filesize
216KB

Download
memory/4452-6-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/4452-7-0x0000000005980000-0x0000000005FA8000-memory.dmp

Filesize
6.2MB

Download
memory/4452-9-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/4452-10-0x0000000006280000-0x00000000062E6000-memory.dmp

Filesize
408KB

Download
memory/4452-8-0x00000000058E0000-0x0000000005902000-memory.dmp

Filesize
136KB

Download
memory/4452-20-0x00000000062F0000-0x0000000006644000-memory.dmp

Filesize
3.3MB

Download
memory/4452-21-0x00000000068D0000-0x00000000068EE000-memory.dmp

Filesize
120KB

Download
memory/4452-22-0x0000000006950000-0x000000000699C000-memory.dmp

Filesize
304KB

Download
memory/4452-23-0x0000000007A50000-0x0000000007A94000-memory.dmp

Filesize
272KB

Download
memory/4452-24-0x0000000007BD0000-0x0000000007C46000-memory.dmp

Filesize
472KB

Download
memory/4452-26-0x0000000007C70000-0x0000000007C8A000-memory.dmp

Filesize
104KB

Download
memory/4452-41-0x0000000007E90000-0x0000000007F33000-memory.dmp

Filesize
652KB

Download
memory/4452-29-0x0000000070D70000-0x00000000710C4000-memory.dmp

Filesize
3.3MB

Download
memory/4452-52-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/4452-48-0x00000000080E0000-0x00000000080FA000-memory.dmp

Filesize
104KB

Download
memory/4452-49-0x0000000008020000-0x0000000008028000-memory.dmp

Filesize
32KB

Download
memory/4452-47-0x0000000007FF0000-0x0000000008004000-memory.dmp

Filesize
80KB

Download
memory/4452-46-0x0000000007FE0000-0x0000000007FEE000-memory.dmp

Filesize
56KB

Download
memory/4452-45-0x0000000007FA0000-0x0000000007FB1000-memory.dmp

Filesize
68KB

Download
memory/4452-44-0x0000000008040000-0x00000000080D6000-memory.dmp

Filesize
600KB

Download
memory/4452-27-0x0000000007E30000-0x0000000007E62000-memory.dmp

Filesize
200KB

Download
memory/4452-28-0x0000000070670000-0x00000000706BC000-memory.dmp

Filesize
304KB

Download
memory/4452-43-0x0000000007F80000-0x0000000007F8A000-memory.dmp

Filesize
40KB

Download
memory/4452-39-0x0000000007E70000-0x0000000007E8E000-memory.dmp

Filesize
120KB

Download
memory/4452-40-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/4504-227-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4504-237-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4504-231-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4536-96-0x0000000070F00000-0x0000000071254000-memory.dmp

Filesize
3.3MB

Download
memory/4536-95-0x0000000070770000-0x00000000707BC000-memory.dmp

Filesize
304KB

Download
memory/4744-147-0x00000000068E0000-0x000000000692C000-memory.dmp

Filesize
304KB

Download
memory/4744-160-0x0000000007BC0000-0x0000000007BD1000-memory.dmp

Filesize
68KB

Download
memory/4744-159-0x0000000007880000-0x0000000007923000-memory.dmp

Filesize
652KB

Download
memory/4744-148-0x00000000706D0000-0x000000007071C000-memory.dmp

Filesize
304KB

Download
memory/4744-149-0x0000000070E60000-0x00000000711B4000-memory.dmp

Filesize
3.3MB

Download
memory/4744-145-0x0000000005F30000-0x0000000006284000-memory.dmp

Filesize
3.3MB

Download
memory/4744-161-0x00000000063E0000-0x00000000063F4000-memory.dmp

Filesize
80KB

Download
memory/4900-62-0x0000000005880000-0x0000000005BD4000-memory.dmp

Filesize
3.3MB

Download
memory/4900-68-0x0000000070770000-0x00000000707BC000-memory.dmp

Filesize
304KB

Download
memory/4900-79-0x0000000007100000-0x00000000071A3000-memory.dmp

Filesize
652KB

Download
memory/4900-69-0x0000000070F00000-0x0000000071254000-memory.dmp

Filesize
3.3MB

Download
memory/4900-80-0x0000000007420000-0x0000000007431000-memory.dmp

Filesize
68KB

Download
memory/4900-81-0x0000000007470000-0x0000000007484000-memory.dmp

Filesize
80KB

Download
memory/4900-67-0x0000000006470000-0x00000000064BC000-memory.dmp

Filesize
304KB

Download