Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    13s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18-05-2024 21:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02bfeb198ff33bab507fe542f4e6ed8249ca435c732826e13f83ed91c0896fbc.exe

  • Size

    4.1MB

  • MD5

    0da2a3b5eea4e789c4d9f8c2789b6bb9

  • SHA1

    93f4f90c12ed3682ddbae93a9b6f982b11ed5135

  • SHA256

    02bfeb198ff33bab507fe542f4e6ed8249ca435c732826e13f83ed91c0896fbc

  • SHA512

    7fc383d8db899ec0115bc07761dd08eea513a2243aeea64cc32984e0176161f1a2822d53e18e839aa761f548f5bb6de8f33675ea788ac00ae3730cc153f8198f

  • SSDEEP

    98304:BsVQ+hudF4keJeyEqK0evsENr9r54Wa5Cc1nHXivs:Bs5hioeyE6OsERj43nD

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistenceupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 17 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 5 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\02bfeb198ff33bab507fe542f4e6ed8249ca435c732826e13f83ed91c0896fbc.exe
    "C:\Users\Admin\AppData\Local\Temp\02bfeb198ff33bab507fe542f4e6ed8249ca435c732826e13f83ed91c0896fbc.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1040
    • C:\Users\Admin\AppData\Local\Temp\02bfeb198ff33bab507fe542f4e6ed8249ca435c732826e13f83ed91c0896fbc.exe
      "C:\Users\Admin\AppData\Local\Temp\02bfeb198ff33bab507fe542f4e6ed8249ca435c732826e13f83ed91c0896fbc.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5028
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3584
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3732
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3720
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5080
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2864
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3132
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1940
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2760
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:1904
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            PID:4784
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Command and Scripting Interpreter: PowerShell
            PID:4668
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
              PID:4056
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              4⤵
              • Creates scheduled task(s)
              PID:4060
            • C:\Windows\windefender.exe
              "C:\Windows\windefender.exe"
              4⤵
                PID:4460
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  5⤵
                    PID:1124
                    • C:\Windows\SysWOW64\sc.exe
                      sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                      6⤵
                      • Launches sc.exe
                      PID:3596
          • C:\Windows\windefender.exe
            C:\Windows\windefender.exe
            1⤵
              PID:856

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Command and Scripting Interpreter

            1
            T1059

            PowerShell

            1
            T1059.001

            Scheduled Task/Job

            1
            T1053

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Scheduled Task/Job

            1
            T1053

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Scheduled Task/Job

            1
            T1053

            Defense Evasion

            Impair Defenses

            1
            T1562

            Disable or Modify System Firewall

            1
            T1562.004

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            Query Registry

            2
            T1012

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mhlgumq0.dbt.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              Filesize

              281KB

              MD5

              d98e33b66343e7c96158444127a117f6

              SHA1

              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

              SHA256

              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

              SHA512

              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d0c46cad6c0778401e21910bd6b56b70

              SHA1

              7be418951ea96326aca445b8dfe449b2bfa0dca6

              SHA256

              9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

              SHA512

              057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              947082944860e1ea28e74b161f88d4cd

              SHA1

              154edf0463d09c161868b12b3028111a2888eda6

              SHA256

              4c043a2ca855a0dd6ceb2a062007da495f930fe695e0adbc8a16c0adbf18ee35

              SHA512

              60a4a5857210a81cb9cfa0eb4a8cf5bf1ea446cddb896f79da9a31d24c6729b54aaefecf58e7e04beb19d451597a0d66a3c17e6800b9188746483b26fceb6290

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              2f9d39e8437ee04b5850ab095c0f66d3

              SHA1

              3bd1d2643501acac331c424fb5897ee52695ad25

              SHA256

              d21eee464767e852c2544e74b69dd01b42b17b0a16268af7fde71fc32d15dc93

              SHA512

              e84d6571f97618c89439ecad1e5022eb62619a335712ed7bd205e29e7e59ea8924dc08a18c81905c12fbfb7cd8edc8f6c452fb84c4981d431a5c25394eb4025e

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              ad1be8c6188dd1f06bc98eea6398cea6

              SHA1

              02cb77b39094f6481abdf9782ad9e35f2856bf0b

              SHA256

              611b54f6e12c4afc874a08d0128bc56c734caa5924e8ee329b1144c7d6e30b39

              SHA512

              7121c49b3df63b6a34aec9484728015085a7bb15abd6dac7926d73fcfb2ed976543b0c6bbba0fd885b68bd934bf939ed8d467b719fba100ce405c4a68772ad16

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              201187ff5055097ffec476ca7df0477b

              SHA1

              abf04fac5cc1527a1ce780c4fdbbd0cab9cd1525

              SHA256

              c75b70b671785f669f2d133e6313cabb4f59af6349eb2a24ba88b26abb85eb38

              SHA512

              bd706ba63be8d0784d6cf97da06a6a3df6d138d4f200b5357c9810193d5f1695cc91385471fc0140ec9365ffdd27420c6f9de81ad7866f726958799f8dc5a101

              Download Submit

            • C:\Windows\rss\csrss.exe
              Filesize

              4.1MB

              MD5

              0da2a3b5eea4e789c4d9f8c2789b6bb9

              SHA1

              93f4f90c12ed3682ddbae93a9b6f982b11ed5135

              SHA256

              02bfeb198ff33bab507fe542f4e6ed8249ca435c732826e13f83ed91c0896fbc

              SHA512

              7fc383d8db899ec0115bc07761dd08eea513a2243aeea64cc32984e0176161f1a2822d53e18e839aa761f548f5bb6de8f33675ea788ac00ae3730cc153f8198f

              Download Submit

            • C:\Windows\windefender.exe
              Filesize

              2.0MB

              MD5

              8e67f58837092385dcf01e8a2b4f5783

              SHA1

              012c49cfd8c5d06795a6f67ea2baf2a082cf8625

              SHA256

              166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

              SHA512

              40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

              Download Submit

            • memory/856-200-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/856-192-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/856-187-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/1040-41-0x0000000007D40000-0x0000000007D4A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/1040-24-0x0000000007B70000-0x0000000007BA4000-memory.dmp

              Filesize

              208KB

              Download

            • memory/1040-22-0x0000000006790000-0x00000000067DC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1040-23-0x0000000006D00000-0x0000000006D46000-memory.dmp

              Filesize

              280KB

              Download

            • memory/1040-37-0x0000000007BD0000-0x0000000007C74000-memory.dmp

              Filesize

              656KB

              Download

            • memory/1040-36-0x0000000074010000-0x00000000747C1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1040-38-0x0000000074010000-0x00000000747C1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1040-40-0x0000000007D00000-0x0000000007D1A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1040-20-0x00000000062A0000-0x00000000065F7000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1040-39-0x0000000008340000-0x00000000089BA000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/1040-42-0x0000000007E50000-0x0000000007EE6000-memory.dmp

              Filesize

              600KB

              Download

            • memory/1040-43-0x0000000007D60000-0x0000000007D71000-memory.dmp

              Filesize

              68KB

              Download

            • memory/1040-35-0x0000000007BB0000-0x0000000007BCE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1040-26-0x0000000070400000-0x0000000070757000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1040-25-0x0000000070280000-0x00000000702CC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/1040-21-0x0000000006740000-0x000000000675E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1040-44-0x0000000007DB0000-0x0000000007DBE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1040-45-0x0000000007DC0000-0x0000000007DD5000-memory.dmp

              Filesize

              84KB

              Download

            • memory/1040-46-0x0000000007E10000-0x0000000007E2A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/1040-47-0x0000000007E30000-0x0000000007E38000-memory.dmp

              Filesize

              32KB

              Download

            • memory/1040-50-0x0000000074010000-0x00000000747C1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1040-10-0x0000000005950000-0x00000000059B6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1040-11-0x0000000006130000-0x0000000006196000-memory.dmp

              Filesize

              408KB

              Download

            • memory/1040-9-0x00000000058B0000-0x00000000058D2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1040-8-0x0000000074010000-0x00000000747C1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1040-4-0x000000007401E000-0x000000007401F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1040-5-0x00000000052B0000-0x00000000052E6000-memory.dmp

              Filesize

              216KB

              Download

            • memory/1040-7-0x0000000005A90000-0x00000000060BA000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/1040-6-0x0000000074010000-0x00000000747C1000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/1940-136-0x0000000070400000-0x0000000070757000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/1940-135-0x0000000070280000-0x00000000702CC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/2852-172-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/2852-2-0x00000000048B0000-0x000000000519B000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/2852-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/2852-1-0x00000000044A0000-0x00000000048A6000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/2852-132-0x0000000000400000-0x0000000002732000-memory.dmp

              Filesize

              35.2MB

              Download

            • memory/2852-134-0x00000000048B0000-0x000000000519B000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/2852-133-0x00000000044A0000-0x00000000048A6000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/2864-108-0x0000000070420000-0x0000000070777000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/2864-105-0x0000000005830000-0x0000000005B87000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/2864-107-0x0000000070280000-0x00000000702CC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/3132-218-0x0000000000400000-0x0000000002732000-memory.dmp

              Filesize

              35.2MB

              Download

            • memory/3132-230-0x0000000000400000-0x0000000002732000-memory.dmp

              Filesize

              35.2MB

              Download

            • memory/3132-214-0x0000000000400000-0x0000000002732000-memory.dmp

              Filesize

              35.2MB

              Download

            • memory/3132-210-0x0000000000400000-0x0000000002732000-memory.dmp

              Filesize

              35.2MB

              Download

            • memory/3132-206-0x0000000000400000-0x0000000002732000-memory.dmp

              Filesize

              35.2MB

              Download

            • memory/3132-202-0x0000000000400000-0x0000000002732000-memory.dmp

              Filesize

              35.2MB

              Download

            • memory/3132-190-0x0000000000400000-0x0000000002732000-memory.dmp

              Filesize

              35.2MB

              Download

            • memory/3132-198-0x0000000000400000-0x0000000002732000-memory.dmp

              Filesize

              35.2MB

              Download

            • memory/3132-194-0x0000000000400000-0x0000000002732000-memory.dmp

              Filesize

              35.2MB

              Download

            • memory/3132-222-0x0000000000400000-0x0000000002732000-memory.dmp

              Filesize

              35.2MB

              Download

            • memory/3132-226-0x0000000000400000-0x0000000002732000-memory.dmp

              Filesize

              35.2MB

              Download

            • memory/3132-234-0x0000000000400000-0x0000000002732000-memory.dmp

              Filesize

              35.2MB

              Download

            • memory/3132-179-0x0000000000400000-0x0000000002732000-memory.dmp

              Filesize

              35.2MB

              Download

            • memory/3584-71-0x0000000006CE0000-0x0000000006D84000-memory.dmp

              Filesize

              656KB

              Download

            • memory/3584-62-0x00000000704F0000-0x0000000070847000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/3584-60-0x00000000055A0000-0x00000000058F7000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/3584-61-0x0000000070280000-0x00000000702CC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/3584-73-0x0000000007050000-0x0000000007065000-memory.dmp

              Filesize

              84KB

              Download

            • memory/3584-72-0x0000000007000000-0x0000000007011000-memory.dmp

              Filesize

              68KB

              Download

            • memory/4460-185-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/4460-188-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/4668-154-0x0000000005A30000-0x0000000005D87000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4668-158-0x0000000070350000-0x00000000706A7000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4668-167-0x0000000007270000-0x0000000007314000-memory.dmp

              Filesize

              656KB

              Download

            • memory/4668-156-0x0000000006530000-0x000000000657C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4668-157-0x00000000701A0000-0x00000000701EC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4668-168-0x0000000007580000-0x0000000007591000-memory.dmp

              Filesize

              68KB

              Download

            • memory/4668-169-0x0000000005DC0000-0x0000000005DD5000-memory.dmp

              Filesize

              84KB

              Download

            • memory/5028-171-0x0000000000400000-0x0000000002732000-memory.dmp

              Filesize

              35.2MB

              Download

            • memory/5080-87-0x0000000070400000-0x0000000070757000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/5080-86-0x0000000070280000-0x00000000702CC000-memory.dmp

              Filesize

              304KB

              Download