glupteba | b4139c3a227d8454b613ba81d1febb49e16e3aaf82a6baa7a0f15ed036eb16ec

Analysis

max time kernel
2s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
17-05-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4139c3a227d8454b613ba81d1febb49e16e3aaf82a6baa7a0f15ed036eb16ec.exe
Size

4.1MB
MD5

9d4896bddbae7bc69e3eefbbf2ce1c86
SHA1

67b500f2923c0f4cbb0f8062bffc293a404e51b6
SHA256

b4139c3a227d8454b613ba81d1febb49e16e3aaf82a6baa7a0f15ed036eb16ec
SHA512

da357c7aefb1b46233b9cea7257afd8777ef8e6e05a8d7f1edacbd73ccca37802350561a10038c384715fcce3e63f6b534205f7a25d347257126188686080b5a
SSDEEP

98304:BqqJgO7W9SnF2QTYg7Hzo9TU2Df9e/pZ+O7BTR2yKUN:BqqJgO7W9SnJ3gf8jHXKu

Score

10^/10

glupteba dropper evasion execution loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 19 IoCs

resource	yara_rule
behavioral2/memory/4864-2-0x0000000004D70000-0x000000000565B000-memory.dmp	family_glupteba
behavioral2/memory/4864-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4864-53-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/4864-54-0x0000000004D70000-0x000000000565B000-memory.dmp	family_glupteba
behavioral2/memory/4864-51-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral2/memory/5052-125-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral2/memory/4992-204-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral2/memory/4992-214-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral2/memory/4992-216-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral2/memory/4992-218-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral2/memory/4992-220-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral2/memory/4992-222-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral2/memory/4992-224-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral2/memory/4992-226-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral2/memory/4992-228-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral2/memory/4992-230-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral2/memory/4992-232-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral2/memory/4992-234-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba
behavioral2/memory/4992-236-0x0000000000400000-0x0000000002B08000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
280	netsh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1552-209-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/files/0x000200000002aa1f-210.dat	upx
behavioral2/memory/1580-212-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1552-213-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1580-215-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/1580-219-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1728	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4564	powershell.exe
244	powershell.exe
2976	powershell.exe
492	powershell.exe
620	powershell.exe
1012	powershell.exe
5060	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2636	schtasks.exe
3112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4564	powershell.exe
4564	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4564	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 4564	4864	b4139c3a227d8454b613ba81d1febb49e16e3aaf82a6baa7a0f15ed036eb16ec.exe	78
PID 4864 wrote to memory of 4564	4864	b4139c3a227d8454b613ba81d1febb49e16e3aaf82a6baa7a0f15ed036eb16ec.exe	78
PID 4864 wrote to memory of 4564	4864	b4139c3a227d8454b613ba81d1febb49e16e3aaf82a6baa7a0f15ed036eb16ec.exe	78

C:\Users\Admin\AppData\Local\Temp\b4139c3a227d8454b613ba81d1febb49e16e3aaf82a6baa7a0f15ed036eb16ec.exe
"C:\Users\Admin\AppData\Local\Temp\b4139c3a227d8454b613ba81d1febb49e16e3aaf82a6baa7a0f15ed036eb16ec.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Users\Admin\AppData\Local\Temp\b4139c3a227d8454b613ba81d1febb49e16e3aaf82a6baa7a0f15ed036eb16ec.exe
  "C:\Users\Admin\AppData\Local\Temp\b4139c3a227d8454b613ba81d1febb49e16e3aaf82a6baa7a0f15ed036eb16ec.exe"
  2⤵
  PID:5052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:244
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:1196
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:280
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2976
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:492
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:4992
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:620
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:3112
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4760
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1012
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:2948
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2636
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:1552
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:1032
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:1728

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cgamqida.kwc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
792b635444efae7a72adceb3561b99dd

SHA1
56d81f4ba2a0799e936fa9453a4f2901d30fd023

SHA256
5f905c2ef7a182aa12a66a42453f12bd22704d135f15ceaf9b7e0150fc1e8188

SHA512
c79490b9e338f46acff0d0b3919d2e191602c8694f56f13bbf698c0ffe1618d856f0ef3239eb9180713610544769c23f254bbd49f7ac074f21aabd5154c524b8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
98cc547609dcebfdf20a79256d084ea5

SHA1
fde650cfa7e3833a3ccbbb73edfe6cda348535a0

SHA256
08a8c9d4f7136037d6c692f9a9fb18eca7d73a909f05ac26da2b449463e9f415

SHA512
1e57ea56b6f39c22d41c7cabf6ce994d94641a1ef61343fa5f979ae1fe24732bbdfcf10f2c8129bb33f21b4d1f392980ac7fd514730b9132ce7543dd41d67751

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
d99c5754af82a7fc5082d706532bd239

SHA1
3dba74389d8c00afa562b4b02a3421c47850e6a9

SHA256
a8c261c318e627c42929d2f439b11e60fa40cc64dbc2f63edf007ca30c5fccb3

SHA512
a9a36dd347f15ff5b99ea04fc29b88d9a2402fbc98951b4ee347715e96e016bcdef7bdeb5c5fb52e9c6640027cb2ac616293f8520d005147c67504398a2822a4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6da855f0ae23fc6b0b054018a12846cd

SHA1
292dcc9acb18fd54e139cf72eac994a876a230e5

SHA256
37059723f9544a5ef503ffa465995033bc0f1ee3fa37d6b37b80573b4220b48b

SHA512
a773a531047a9aa49607af88857bf57efa46fd3df875a31f3852e4cde427a0262568da12b5d96603fd16e2d940deef265ff5211fac8a68a7ffd31cce732e9edd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
6d4171ae4a960f830a9d5d95307bb179

SHA1
bdbd00c7458b63221ca7ac8f13075af74c3f588b

SHA256
d44d024827eac2ee64ed78f0a20f7ee8cab607a8187ae3eb9c8d99c0e73b8316

SHA512
4e9eb6a0ddc0141484e5a6cecd55ffab822f11dcab2090cf62dbc7e77a4994a4cbf9f56fd5dc2e7580e0ee3114c7e70efe8239200d91484644eae0de34047675

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
9d4896bddbae7bc69e3eefbbf2ce1c86

SHA1
67b500f2923c0f4cbb0f8062bffc293a404e51b6

SHA256
b4139c3a227d8454b613ba81d1febb49e16e3aaf82a6baa7a0f15ed036eb16ec

SHA512
da357c7aefb1b46233b9cea7257afd8777ef8e6e05a8d7f1edacbd73ccca37802350561a10038c384715fcce3e63f6b534205f7a25d347257126188686080b5a

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/244-76-0x00000000070B0000-0x00000000070C1000-memory.dmp

Filesize
68KB

Download
memory/244-77-0x0000000007100000-0x0000000007115000-memory.dmp

Filesize
84KB

Download
memory/244-65-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

Filesize
304KB

Download
memory/244-66-0x0000000070F30000-0x0000000071287000-memory.dmp

Filesize
3.3MB

Download
memory/244-63-0x0000000005660000-0x00000000059B7000-memory.dmp

Filesize
3.3MB

Download
memory/244-64-0x0000000006080000-0x00000000060CC000-memory.dmp

Filesize
304KB

Download
memory/244-75-0x0000000006D80000-0x0000000006E24000-memory.dmp

Filesize
656KB

Download
memory/492-112-0x0000000070F30000-0x0000000071287000-memory.dmp

Filesize
3.3MB

Download
memory/492-111-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

Filesize
304KB

Download
memory/620-151-0x00000000065A0000-0x00000000065B5000-memory.dmp

Filesize
84KB

Download
memory/620-139-0x0000000070C50000-0x0000000070C9C000-memory.dmp

Filesize
304KB

Download
memory/620-140-0x0000000070DF0000-0x0000000071147000-memory.dmp

Filesize
3.3MB

Download
memory/620-149-0x00000000079C0000-0x0000000007A64000-memory.dmp

Filesize
656KB

Download
memory/620-138-0x0000000006740000-0x000000000678C000-memory.dmp

Filesize
304KB

Download
memory/620-150-0x0000000007D00000-0x0000000007D11000-memory.dmp

Filesize
68KB

Download
memory/620-136-0x00000000061D0000-0x0000000006527000-memory.dmp

Filesize
3.3MB

Download
memory/1012-164-0x0000000070B70000-0x0000000070BBC000-memory.dmp

Filesize
304KB

Download
memory/1012-163-0x00000000065C0000-0x000000000660C000-memory.dmp

Filesize
304KB

Download
memory/1012-161-0x0000000006180000-0x00000000064D7000-memory.dmp

Filesize
3.3MB

Download
memory/1012-165-0x0000000070CF0000-0x0000000071047000-memory.dmp

Filesize
3.3MB

Download
memory/1012-174-0x00000000077C0000-0x0000000007864000-memory.dmp

Filesize
656KB

Download
memory/1012-175-0x00000000079A0000-0x00000000079B1000-memory.dmp

Filesize
68KB

Download
memory/1012-176-0x0000000005EE0000-0x0000000005EF5000-memory.dmp

Filesize
84KB

Download
memory/1552-209-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1552-213-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1580-212-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1580-215-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1580-219-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2976-91-0x0000000070CF0000-0x0000000070D3C000-memory.dmp

Filesize
304KB

Download
memory/2976-89-0x0000000005990000-0x0000000005CE7000-memory.dmp

Filesize
3.3MB

Download
memory/2976-92-0x0000000070EF0000-0x0000000071247000-memory.dmp

Filesize
3.3MB

Download
memory/4564-21-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/4564-4-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/4564-47-0x0000000007A70000-0x0000000007A78000-memory.dmp

Filesize
32KB

Download
memory/4564-10-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/4564-20-0x0000000005ED0000-0x0000000006227000-memory.dmp

Filesize
3.3MB

Download
memory/4564-50-0x0000000074970000-0x0000000075121000-memory.dmp

Filesize
7.7MB

Download
memory/4564-5-0x0000000002EE0000-0x0000000002F16000-memory.dmp

Filesize
216KB

Download
memory/4564-45-0x0000000007A00000-0x0000000007A15000-memory.dmp

Filesize
84KB

Download
memory/4564-44-0x00000000079F0000-0x00000000079FE000-memory.dmp

Filesize
56KB

Download
memory/4564-43-0x00000000079A0000-0x00000000079B1000-memory.dmp

Filesize
68KB

Download
memory/4564-42-0x0000000007A90000-0x0000000007B26000-memory.dmp

Filesize
600KB

Download
memory/4564-7-0x0000000074970000-0x0000000075121000-memory.dmp

Filesize
7.7MB

Download
memory/4564-25-0x0000000070BE0000-0x0000000070C2C000-memory.dmp

Filesize
304KB

Download
memory/4564-40-0x0000000007940000-0x000000000795A000-memory.dmp

Filesize
104KB

Download
memory/4564-41-0x0000000007980000-0x000000000798A000-memory.dmp

Filesize
40KB

Download
memory/4564-39-0x0000000007F80000-0x00000000085FA000-memory.dmp

Filesize
6.5MB

Download
memory/4564-26-0x0000000074970000-0x0000000075121000-memory.dmp

Filesize
7.7MB

Download
memory/4564-38-0x0000000074970000-0x0000000075121000-memory.dmp

Filesize
7.7MB

Download
memory/4564-27-0x0000000070D60000-0x00000000710B7000-memory.dmp

Filesize
3.3MB

Download
memory/4564-37-0x0000000007810000-0x00000000078B4000-memory.dmp

Filesize
656KB

Download
memory/4564-36-0x00000000077F0000-0x000000000780E000-memory.dmp

Filesize
120KB

Download
memory/4564-24-0x00000000077B0000-0x00000000077E4000-memory.dmp

Filesize
208KB

Download
memory/4564-23-0x00000000067C0000-0x0000000006806000-memory.dmp

Filesize
280KB

Download
memory/4564-22-0x0000000006420000-0x000000000646C000-memory.dmp

Filesize
304KB

Download
memory/4564-8-0x0000000074970000-0x0000000075121000-memory.dmp

Filesize
7.7MB

Download
memory/4564-6-0x0000000005660000-0x0000000005C8A000-memory.dmp

Filesize
6.2MB

Download
memory/4564-46-0x0000000007A50000-0x0000000007A6A000-memory.dmp

Filesize
104KB

Download
memory/4564-11-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Filesize
408KB

Download
memory/4564-9-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/4864-54-0x0000000004D70000-0x000000000565B000-memory.dmp

Filesize
8.9MB

Download
memory/4864-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4864-2-0x0000000004D70000-0x000000000565B000-memory.dmp

Filesize
8.9MB

Download
memory/4864-53-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4864-51-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/4864-1-0x0000000004970000-0x0000000004D6F000-memory.dmp

Filesize
4.0MB

Download
memory/4992-232-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/4992-230-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/4992-214-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/4992-236-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/4992-204-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/4992-234-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/4992-218-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/4992-216-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/4992-220-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/4992-222-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/4992-224-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/4992-226-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/4992-228-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/5052-125-0x0000000000400000-0x0000000002B08000-memory.dmp

Filesize
39.0MB

Download
memory/5060-189-0x00000000714C0000-0x0000000071817000-memory.dmp

Filesize
3.3MB

Download
memory/5060-188-0x0000000070B70000-0x0000000070BBC000-memory.dmp

Filesize
304KB

Download
memory/5060-186-0x00000000058A0000-0x0000000005BF7000-memory.dmp

Filesize
3.3MB

Download