Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    133s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    17-05-2024 13:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bfcb56c53320dc38e4a3537d38f88a027af42181e41f93ed8a4b10bf04fb8729.exe

  • Size

    4.1MB

  • MD5

    1bacb5aadaabb6e4b152ff2ce5fbd65b

  • SHA1

    2b3768b2b80a5ea2ce90de1026e68bbd4943dd33

  • SHA256

    bfcb56c53320dc38e4a3537d38f88a027af42181e41f93ed8a4b10bf04fb8729

  • SHA512

    df1d9660df44e66ba67bbfd12084e6bac3cc7c4f1bfcd95c4567dece92d964a2e737f2e11e1581117a14cc66491106c1dbd3ca9c9dbdbb074951d1c31da864f3

  • SSDEEP

    98304:MQJMl/iXMhTmfDhNRe9xfYVEx7xkD10HZd3scl3XzHAtmo0Fq:Hb8hTmbBIxHPR3rn3oKq

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkit

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 19 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfcb56c53320dc38e4a3537d38f88a027af42181e41f93ed8a4b10bf04fb8729.exe
    "C:\Users\Admin\AppData\Local\Temp\bfcb56c53320dc38e4a3537d38f88a027af42181e41f93ed8a4b10bf04fb8729.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3440
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1196
    • C:\Users\Admin\AppData\Local\Temp\bfcb56c53320dc38e4a3537d38f88a027af42181e41f93ed8a4b10bf04fb8729.exe
      "C:\Users\Admin\AppData\Local\Temp\bfcb56c53320dc38e4a3537d38f88a027af42181e41f93ed8a4b10bf04fb8729.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:400
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2716
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:2676
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1692
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3572
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3160
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5004
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2944
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:132
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2124
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2460
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3148
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:1224
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 728
          3⤵
          • Program crash
          PID:2680
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 788
        2⤵
        • Program crash
        PID:1920
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3440 -ip 3440
      1⤵
        PID:2328
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 400 -ip 400
        1⤵
          PID:1608

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Scheduled Task/Job

        1
        T1053

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Scheduled Task/Job

        1
        T1053

        Defense Evasion

        Impair Defenses

        1
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a0swfjdr.gzx.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Filesize

          281KB

          MD5

          d98e33b66343e7c96158444127a117f6

          SHA1

          bb716c5509a2bf345c6c1152f6e3e1452d39d50d

          SHA256

          5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

          SHA512

          705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d0c46cad6c0778401e21910bd6b56b70

          SHA1

          7be418951ea96326aca445b8dfe449b2bfa0dca6

          SHA256

          9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

          SHA512

          057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          2ac9dc33fdd84a0ff849c5ba9ac5338b

          SHA1

          a62d1d0316b7f9970c5faa1cb71ee8284ea8fea4

          SHA256

          f3fb5f25f2514532e8b80705b6ae407e4113cc7a01cd5bfd77ddf1085eb212d7

          SHA512

          7743df2087d11c1ed13459abeadff444b2e86b43afcc3f25f548d61a658f9e4cb53a40700e803173fe2c6ea13008409e45e5a3c2843ea1b45dc96e12262d5826

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          bb829dcccbaeba005a46edc32a30d9e3

          SHA1

          821acd79d7107ca539748e7ecfeedc6a5ff21675

          SHA256

          7615784e1e3e88f7924f4da24d13a5da284d088a8f5475ecb2dbb88f99e76dd3

          SHA512

          527bca46dbf10739a82a5dd6908796b4c34b31cfc2d0579d564137cc4d305a9d4b9ee73fde5690fc1cd61b22aaea20d5e9c17576743d90124adc0dcdb0a1fe7f

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          868d0b853c87fc27e1ac706293b70b17

          SHA1

          078a5981718e82fe99884c23ff48905fcfbf85a1

          SHA256

          29510a86422fa923ec860f0d318a0fd1af4d6f9ac70671d3367653fb5b7963c0

          SHA512

          409be77fb4c62098b87af080c3aa5f5204822a76b5b12e3842f9b2d0713fe24da73d054d8141527d48a5298afb67f5ac24b2418d0af51ef83f6e79606c889715

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          2ccfab499ee8cb62ec25bd8a8b51a0a7

          SHA1

          881a4448e336c6d5d9a719ea314fe95b99c47fdc

          SHA256

          9fb4c7dd90c17a87da5d6103cee7d8a535a81f263acbcfbb6ce2f848f50aba44

          SHA512

          f0241781aaae7d36f1471ab14aec587f38dfd3bcef8602dd09333237371a248186c528c5a9f23503a80e384444ee46b9a4658078309e9eab8aa3730550adeddf

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          a8268512fe45bb7eee15b059a78bb149

          SHA1

          bc9c3b55658124bd38e44ff33f1281bdf157e784

          SHA256

          8a9fc3a3670083a9cd1697c4cff6efd19a7bcc9c76b632377cb51a36d0d1ade0

          SHA512

          0a01f6f94d1d4a10c69d532fff84abce38029c25597d7458a622ae8a6b79ba32a7039d956c1bf99ffed908657203eae29b696675086be6fdf38a6c6e1f4042a5

          Download Submit

        • C:\Windows\rss\csrss.exe
          Filesize

          4.1MB

          MD5

          1bacb5aadaabb6e4b152ff2ce5fbd65b

          SHA1

          2b3768b2b80a5ea2ce90de1026e68bbd4943dd33

          SHA256

          bfcb56c53320dc38e4a3537d38f88a027af42181e41f93ed8a4b10bf04fb8729

          SHA512

          df1d9660df44e66ba67bbfd12084e6bac3cc7c4f1bfcd95c4567dece92d964a2e737f2e11e1581117a14cc66491106c1dbd3ca9c9dbdbb074951d1c31da864f3

          Download Submit

        • memory/400-122-0x0000000000400000-0x0000000002B0D000-memory.dmp

          Filesize

          39.1MB

          Download

        • memory/400-129-0x0000000000400000-0x0000000002B0D000-memory.dmp

          Filesize

          39.1MB

          Download

        • memory/1196-26-0x0000000071120000-0x0000000071477000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1196-42-0x0000000007690000-0x0000000007726000-memory.dmp

          Filesize

          600KB

          Download

        • memory/1196-21-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1196-22-0x0000000006080000-0x00000000060CC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1196-23-0x0000000006550000-0x0000000006596000-memory.dmp

          Filesize

          280KB

          Download

        • memory/1196-25-0x0000000070FA0000-0x0000000070FEC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1196-36-0x0000000007440000-0x000000000745E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1196-37-0x0000000007460000-0x0000000007504000-memory.dmp

          Filesize

          656KB

          Download

        • memory/1196-27-0x0000000074D30000-0x00000000754E1000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1196-11-0x0000000005B00000-0x0000000005B66000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1196-38-0x0000000074D30000-0x00000000754E1000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1196-40-0x0000000007590000-0x00000000075AA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1196-39-0x0000000007BD0000-0x000000000824A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1196-24-0x0000000007400000-0x0000000007434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1196-41-0x00000000075D0000-0x00000000075DA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1196-20-0x0000000005BB0000-0x0000000005F07000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1196-43-0x0000000007600000-0x0000000007611000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1196-44-0x0000000007640000-0x000000000764E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1196-45-0x0000000007650000-0x0000000007665000-memory.dmp

          Filesize

          84KB

          Download

        • memory/1196-46-0x0000000007750000-0x000000000776A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1196-47-0x0000000007730000-0x0000000007738000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1196-50-0x0000000074D30000-0x00000000754E1000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1196-10-0x00000000053A0000-0x0000000005406000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1196-8-0x0000000074D30000-0x00000000754E1000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1196-9-0x0000000005140000-0x0000000005162000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1196-6-0x0000000005460000-0x0000000005A8A000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/1196-7-0x0000000074D30000-0x00000000754E1000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1196-5-0x00000000027C0000-0x00000000027F6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1196-4-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1692-92-0x0000000071250000-0x00000000715A7000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1692-91-0x00000000710B0000-0x00000000710FC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1692-89-0x00000000061E0000-0x0000000006537000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2124-157-0x00000000064F0000-0x0000000006847000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2124-176-0x0000000007CA0000-0x0000000007D44000-memory.dmp

          Filesize

          656KB

          Download

        • memory/2124-165-0x0000000006FA0000-0x0000000006FEC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2124-166-0x0000000070F30000-0x0000000070F7C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2124-178-0x0000000006450000-0x0000000006465000-memory.dmp

          Filesize

          84KB

          Download

        • memory/2124-177-0x0000000007FF0000-0x0000000008001000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2124-167-0x0000000071180000-0x00000000714D7000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2460-190-0x0000000071180000-0x00000000714D7000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2460-189-0x0000000070F30000-0x0000000070F7C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2716-66-0x0000000071230000-0x0000000071587000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2716-63-0x0000000006500000-0x0000000006857000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2716-77-0x0000000007EB0000-0x0000000007EC5000-memory.dmp

          Filesize

          84KB

          Download

        • memory/2716-64-0x00000000069B0000-0x00000000069FC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2716-75-0x0000000007B30000-0x0000000007BD4000-memory.dmp

          Filesize

          656KB

          Download

        • memory/2716-65-0x00000000710B0000-0x00000000710FC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2716-76-0x0000000007E60000-0x0000000007E71000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3160-212-0x0000000000400000-0x0000000002B0D000-memory.dmp

          Filesize

          39.1MB

          Download

        • memory/3160-208-0x0000000000400000-0x0000000002B0D000-memory.dmp

          Filesize

          39.1MB

          Download

        • memory/3160-207-0x0000000000400000-0x0000000002B0D000-memory.dmp

          Filesize

          39.1MB

          Download

        • memory/3160-206-0x0000000000400000-0x0000000002B0D000-memory.dmp

          Filesize

          39.1MB

          Download

        • memory/3160-199-0x0000000000400000-0x0000000002B0D000-memory.dmp

          Filesize

          39.1MB

          Download

        • memory/3160-209-0x0000000000400000-0x0000000002B0D000-memory.dmp

          Filesize

          39.1MB

          Download

        • memory/3160-210-0x0000000000400000-0x0000000002B0D000-memory.dmp

          Filesize

          39.1MB

          Download

        • memory/3160-211-0x0000000000400000-0x0000000002B0D000-memory.dmp

          Filesize

          39.1MB

          Download

        • memory/3160-213-0x0000000000400000-0x0000000002B0D000-memory.dmp

          Filesize

          39.1MB

          Download

        • memory/3160-214-0x0000000000400000-0x0000000002B0D000-memory.dmp

          Filesize

          39.1MB

          Download

        • memory/3160-215-0x0000000000400000-0x0000000002B0D000-memory.dmp

          Filesize

          39.1MB

          Download

        • memory/3160-216-0x0000000000400000-0x0000000002B0D000-memory.dmp

          Filesize

          39.1MB

          Download

        • memory/3440-52-0x0000000000400000-0x0000000002B0D000-memory.dmp

          Filesize

          39.1MB

          Download

        • memory/3440-53-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/3440-54-0x0000000004D10000-0x00000000055FB000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/3440-1-0x0000000004910000-0x0000000004D0C000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/3440-2-0x0000000004D10000-0x00000000055FB000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/3440-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/3572-102-0x0000000005FE0000-0x0000000006337000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3572-112-0x00000000710B0000-0x00000000710FC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3572-113-0x0000000071300000-0x0000000071657000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5004-151-0x0000000007BE0000-0x0000000007C84000-memory.dmp

          Filesize

          656KB

          Download

        • memory/5004-140-0x0000000006C50000-0x0000000006C9C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/5004-141-0x0000000071010000-0x000000007105C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/5004-138-0x0000000006470000-0x00000000067C7000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5004-142-0x0000000071950000-0x0000000071CA7000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5004-152-0x0000000007F20000-0x0000000007F31000-memory.dmp

          Filesize

          68KB

          Download

        • memory/5004-153-0x00000000063B0000-0x00000000063C5000-memory.dmp

          Filesize

          84KB

          Download