Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    17-05-2024 12:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b80e64e4418450b4580c3cd9cca87ff83be04acc66cc723f965be248cbd73b2d.exe

  • Size

    4.1MB

  • MD5

    d5f48a08e2e3406463731fbd2fa7efe3

  • SHA1

    ac7072f7abf4ce4b8f35d14f334d325018214131

  • SHA256

    b80e64e4418450b4580c3cd9cca87ff83be04acc66cc723f965be248cbd73b2d

  • SHA512

    15d090a20495c1726225b2a812429ca67c78da00e0881f3f63f7c5ea781c2e9e05e375a16344968ed1c442bb9cb12b8c0bd31a4c2ea6cf1303ce39ee3049c46f

  • SSDEEP

    98304:Md7tSzSG1TEQyj2soCVZzfOSLUhtCaFAX/iUIATxmmpvA2aCdQuFREnErD:ORMSLQaVNfPUP9FaqUIATxXaCdFFREnS

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkitupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 19 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b80e64e4418450b4580c3cd9cca87ff83be04acc66cc723f965be248cbd73b2d.exe
    "C:\Users\Admin\AppData\Local\Temp\b80e64e4418450b4580c3cd9cca87ff83be04acc66cc723f965be248cbd73b2d.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3040
    • C:\Users\Admin\AppData\Local\Temp\b80e64e4418450b4580c3cd9cca87ff83be04acc66cc723f965be248cbd73b2d.exe
      "C:\Users\Admin\AppData\Local\Temp\b80e64e4418450b4580c3cd9cca87ff83be04acc66cc723f965be248cbd73b2d.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3240
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:2356
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1440
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1016
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4784
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3348
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2588
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3460
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4948
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:32
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1920
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4156
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2392
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:244
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:4964
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:1904

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lwzlmim0.zly.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      ac4917a885cf6050b1a483e4bc4d2ea5

      SHA1

      b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

      SHA256

      e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

      SHA512

      092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      4162f991a11f10c58f1b81c47f640064

      SHA1

      8fe6e83deac6745742a31eed0ec1955c3e9e4942

      SHA256

      2e134a9a8ac8ab63990d7f50851b2d8269e579016fc8e6743598e98513637d1f

      SHA512

      43fca2cde9432b741efc8ddf34aa1602e053f7d08aeb9b1ce291ebd87f6bfbee76a4c6d3cbe9278bf56fb07d339c8da033951b6d0050480c4c1e6185ad72ac7b

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      ac3185900d9f0f34ab0cfb514bb8d73a

      SHA1

      c9d01c66d2ea5297a85eefba4be301f1f67888ba

      SHA256

      214c33d7d44c374e82470ab5145ae08c343a804a9b97b2efb5552df80e2af485

      SHA512

      5ac6757d680e58163408d46e339fac56e959815148a3d49848b8ffd7bbfc8be293aac92717f445869ee9a4d541571c5e15fb71b8e7697b84b204a7305ea297f4

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      951a86afb013aac8309884f8bf4a1227

      SHA1

      d0381b1e36a95f101902e56f4e95bd003a36f98e

      SHA256

      c81aa572e7f397b52a597dc53141135a72058ac38c92716b9515d624fde87dfd

      SHA512

      02f7921cc364e8b4191115f27700368287402d52eedf5140f10ae586059b8f3f78091c2985984ab76fdc2025486e640d8f9660a5c8ad01a4062ce2531d07507c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      0348ffdfdfbff1aa3c7c0a2764a4c85b

      SHA1

      87e06ca97474ff31b99da4ac14906f7d878e71b5

      SHA256

      1ac12c1af3c1ce5fb8707d12d46dec01996a6f254a239fe55c6769610d4dcc61

      SHA512

      d8b868885d66c115647fdbbc8ac64af99c22c8a2753901fb2aea28097a3193a70e94a9d1e5a689af6399cfdc4518d7564dac6051e73191254ec33787981efbec

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      2defddc32f32849b65a42df2c106e5a5

      SHA1

      633ee04604456a97dec7d1d7a392fb50fadf6fce

      SHA256

      ba5d79708b5b052c7d27611d6c3afa6fba00fe1673599739f9cb7218a4186c8a

      SHA512

      5c00092927fdc6863964b8800cceb8a667de74298651d1005714bf22503de0761ca293c40ef2c71e753fbbb8c3289017dd779747e1b3886a9513f090c0b0a776

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      d5f48a08e2e3406463731fbd2fa7efe3

      SHA1

      ac7072f7abf4ce4b8f35d14f334d325018214131

      SHA256

      b80e64e4418450b4580c3cd9cca87ff83be04acc66cc723f965be248cbd73b2d

      SHA512

      15d090a20495c1726225b2a812429ca67c78da00e0881f3f63f7c5ea781c2e9e05e375a16344968ed1c442bb9cb12b8c0bd31a4c2ea6cf1303ce39ee3049c46f

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/32-190-0x0000000070660000-0x00000000709B7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/32-189-0x00000000704E0000-0x000000007052C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/32-187-0x00000000055A0000-0x00000000058F7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1016-113-0x00000000705C0000-0x000000007060C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1016-103-0x0000000006230000-0x0000000006587000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1016-114-0x0000000070810000-0x0000000070B67000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1440-93-0x00000000707D0000-0x0000000070B27000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1440-92-0x00000000705C0000-0x000000007060C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1884-53-0x0000000004960000-0x0000000004D68000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1884-2-0x0000000004D70000-0x000000000565B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/1884-54-0x0000000004D70000-0x000000000565B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/1884-1-0x0000000004960000-0x0000000004D68000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1884-24-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/1884-55-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/1884-65-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1884-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1904-219-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1904-225-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1904-214-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2392-211-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2392-216-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2416-128-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/2416-79-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3040-36-0x0000000007700000-0x000000000771E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3040-9-0x0000000005CE0000-0x0000000005D46000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3040-48-0x00000000079F0000-0x00000000079F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3040-47-0x0000000007A10000-0x0000000007A2A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3040-4-0x000000007435E000-0x000000007435F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3040-46-0x0000000007910000-0x0000000007925000-memory.dmp

      Filesize

      84KB

      Download

    • memory/3040-5-0x0000000004DE0000-0x0000000004E16000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3040-6-0x0000000074350000-0x0000000074B01000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3040-7-0x0000000005540000-0x0000000005B6A000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3040-8-0x00000000053F0000-0x0000000005412000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3040-51-0x0000000074350000-0x0000000074B01000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3040-45-0x0000000007900000-0x000000000790E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3040-44-0x00000000078D0000-0x00000000078E1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3040-43-0x0000000007950000-0x00000000079E6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3040-42-0x0000000007890000-0x000000000789A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3040-41-0x0000000007850000-0x000000000786A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3040-40-0x0000000007E90000-0x000000000850A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3040-39-0x0000000074350000-0x0000000074B01000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3040-38-0x0000000074350000-0x0000000074B01000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3040-37-0x0000000007720000-0x00000000077C4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/3040-27-0x00000000707D0000-0x0000000070B27000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3040-25-0x00000000076A0000-0x00000000076D4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/3040-10-0x0000000005D50000-0x0000000005DB6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3040-26-0x00000000705C0000-0x000000007060C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3040-11-0x0000000074350000-0x0000000074B01000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3040-20-0x0000000005DC0000-0x0000000006117000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3040-21-0x0000000006290000-0x00000000062AE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3040-23-0x00000000066E0000-0x0000000006726000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3040-22-0x00000000062D0000-0x000000000631C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3240-64-0x0000000005D70000-0x00000000060C7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3240-66-0x00000000705C0000-0x000000007060C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3240-67-0x0000000070740000-0x0000000070A97000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3240-76-0x00000000073B0000-0x0000000007454000-memory.dmp

      Filesize

      656KB

      Download

    • memory/3240-77-0x00000000076E0000-0x00000000076F1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3240-78-0x0000000007730000-0x0000000007745000-memory.dmp

      Filesize

      84KB

      Download

    • memory/3348-142-0x00000000705C0000-0x000000007060C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3348-143-0x0000000070810000-0x0000000070B67000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4784-221-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/4784-218-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/4784-132-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/4784-239-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/4784-236-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/4784-210-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/4784-233-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/4784-230-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/4784-227-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/4784-200-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/4784-224-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/4948-165-0x0000000070710000-0x0000000070A67000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4948-164-0x00000000704E0000-0x000000007052C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4948-174-0x0000000007510000-0x00000000075B4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/4948-175-0x0000000007880000-0x0000000007891000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4948-176-0x00000000060A0000-0x00000000060B5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4948-163-0x00000000067F0000-0x000000000683C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4948-158-0x0000000005C50000-0x0000000005FA7000-memory.dmp

      Filesize

      3.3MB

      Download