Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18-05-2024 08:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32144afe2f1eed5830db36a119df61b1a9b610ede5c15acae277e51ebd75e430.exe

  • Size

    4.1MB

  • MD5

    66d70e5f88d34091c21978f0bf70930b

  • SHA1

    4f9ed440c66a6da03fadab9b90441fa7f014e331

  • SHA256

    32144afe2f1eed5830db36a119df61b1a9b610ede5c15acae277e51ebd75e430

  • SHA512

    3dd1eedbe61e3b63589cf82715e31149422c418a5cb9430f2dc3e3fa2392cc2863920854b492cc8be6ae545b63f59e3d0fdc5947857f81a9a87618576e237f9b

  • SSDEEP

    98304:YcO3d23DP4WvcTQUVFyLidGODnX7vlp0fAiBu1UOo5GU75c1WMsxMj:YcO3d2wQ4Q8FyLwnXJ+AxvtU75c1jsa

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkit

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 19 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\32144afe2f1eed5830db36a119df61b1a9b610ede5c15acae277e51ebd75e430.exe
    "C:\Users\Admin\AppData\Local\Temp\32144afe2f1eed5830db36a119df61b1a9b610ede5c15acae277e51ebd75e430.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:852
    • C:\Users\Admin\AppData\Local\Temp\32144afe2f1eed5830db36a119df61b1a9b610ede5c15acae277e51ebd75e430.exe
      "C:\Users\Admin\AppData\Local\Temp\32144afe2f1eed5830db36a119df61b1a9b610ede5c15acae277e51ebd75e430.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2996
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1276
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1828
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1048
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2096
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3312
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2144
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:1180
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:940
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4920
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4788
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2412
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:5084

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uqzrvqpj.zu5.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      ac4917a885cf6050b1a483e4bc4d2ea5

      SHA1

      b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

      SHA256

      e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

      SHA512

      092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      ecabc8e96db7f016bcbbe73a44dd516a

      SHA1

      3a917c120c54e2f0138903c57f9bbbf017bfcfc6

      SHA256

      474d4bf32a0d8411fd682726d7bf0f308fbee30da406edccfed262286a3f79be

      SHA512

      e3833e4dbec0726a722f22683d3dbd8f029ccf7c2821e394b4c8abf93ac320ff48bc480966f74b7cbfa2be18e4fcce4c5fa4068269a9ad94e3330e3702626287

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      2edcdc5f534c9b1bb17429363559fc10

      SHA1

      42861d9f651868e5ab47a6dac2548c310b54e054

      SHA256

      e9ba1f9bfb9797fab1967b9a498cf18353e3f193fd82367fd6fe085bbe6be4e3

      SHA512

      1b9199c89db8b590e2848555f5d26023bedbd30e7970afb08777f18a6cf9bc81278d874b2818ddc10885dee28464971b0f751336d7d13eb1521a3c81a4f5ecc7

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      e89f6995aa696eda94821917f1fa3a05

      SHA1

      e65a540a1051c9d38f2704bd56e01b619240b861

      SHA256

      25120c7e0dcb1114ace8f68e4d089dee5eea509adc4954c8d8c990a9940df321

      SHA512

      e2d0c678e877edaa929cf6e0740aec17ea28606945a05fbd0ad2deabff7e673764654f49af2982f7fb0a388ec3be1155085e2a1a3f12085386792e7f72f99d68

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      6db4d4863bb1c4aa010bf26ed6321d9b

      SHA1

      702da860a74148bb7cd2b40d4097a51c060ede05

      SHA256

      33d69e3c5ec9d44b1e5eb52be450b3ca7c6f10025799a3e181f70e8fd4c484f6

      SHA512

      dcd5928ba77371b911dfa312bc3b43cc0a3e0e25cb054be15d15497e15ba6d6bc37dfe58d9ddd97fab0454f8dabde4473f3aecc0f79b4be01d1319472e0c6ebc

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      0acf5b0f111376fb1bc0223307708fcc

      SHA1

      dabe95050f2e677032c096d334e519a19bc348d4

      SHA256

      fe1b77b802bf489f46d347155624611ebd7765cad0a8ed73f0c569e2cd95100f

      SHA512

      6aac8fc9a4134ee75c12d81077a24cee8020f1edc54f9033c1daca87cf11c1e09bc47397707f47030b3772179233ed0eafeb430deff5a464c337ab83f10be48c

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      66d70e5f88d34091c21978f0bf70930b

      SHA1

      4f9ed440c66a6da03fadab9b90441fa7f014e331

      SHA256

      32144afe2f1eed5830db36a119df61b1a9b610ede5c15acae277e51ebd75e430

      SHA512

      3dd1eedbe61e3b63589cf82715e31149422c418a5cb9430f2dc3e3fa2392cc2863920854b492cc8be6ae545b63f59e3d0fdc5947857f81a9a87618576e237f9b

      Download Submit

    • memory/852-25-0x0000000070A90000-0x0000000070ADC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/852-6-0x00000000053A0000-0x00000000059CA000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/852-10-0x00000000059D0000-0x0000000005A36000-memory.dmp

      Filesize

      408KB

      Download

    • memory/852-20-0x0000000005B20000-0x0000000005E77000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/852-21-0x0000000005F80000-0x0000000005F9E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/852-4-0x000000007482E000-0x000000007482F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/852-23-0x00000000063B0000-0x00000000063F6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/852-24-0x00000000073A0000-0x00000000073D4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/852-27-0x0000000070C20000-0x0000000070F77000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/852-26-0x0000000074820000-0x0000000074FD1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/852-36-0x0000000007400000-0x000000000741E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/852-5-0x0000000002AD0000-0x0000000002B06000-memory.dmp

      Filesize

      216KB

      Download

    • memory/852-37-0x0000000007420000-0x00000000074C4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/852-38-0x0000000074820000-0x0000000074FD1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/852-39-0x0000000007B90000-0x000000000820A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/852-40-0x0000000007540000-0x000000000755A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/852-41-0x0000000007580000-0x000000000758A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/852-42-0x0000000007690000-0x0000000007726000-memory.dmp

      Filesize

      600KB

      Download

    • memory/852-43-0x00000000075A0000-0x00000000075B1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/852-44-0x00000000075F0000-0x00000000075FE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/852-45-0x0000000007600000-0x0000000007615000-memory.dmp

      Filesize

      84KB

      Download

    • memory/852-46-0x0000000007650000-0x000000000766A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/852-47-0x0000000007670000-0x0000000007678000-memory.dmp

      Filesize

      32KB

      Download

    • memory/852-50-0x0000000074820000-0x0000000074FD1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/852-7-0x0000000074820000-0x0000000074FD1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/852-11-0x0000000005AB0000-0x0000000005B16000-memory.dmp

      Filesize

      408KB

      Download

    • memory/852-22-0x0000000006040000-0x000000000608C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/852-8-0x0000000074820000-0x0000000074FD1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/852-9-0x00000000050E0000-0x0000000005102000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1048-91-0x0000000070CE0000-0x0000000071037000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1048-90-0x0000000070A90000-0x0000000070ADC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1048-77-0x0000000006350000-0x00000000066A7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2096-110-0x0000000070A90000-0x0000000070ADC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2096-111-0x0000000070CE0000-0x0000000071037000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2144-138-0x0000000070CC0000-0x0000000071017000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2144-137-0x0000000070A90000-0x0000000070ADC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2144-132-0x0000000005830000-0x0000000005B87000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2996-73-0x0000000007750000-0x0000000007765000-memory.dmp

      Filesize

      84KB

      Download

    • memory/2996-61-0x0000000070A90000-0x0000000070ADC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2996-62-0x0000000070CA0000-0x0000000070FF7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2996-71-0x00000000073E0000-0x0000000007484000-memory.dmp

      Filesize

      656KB

      Download

    • memory/2996-60-0x0000000005C70000-0x0000000005FC7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2996-72-0x0000000007700000-0x0000000007711000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3308-89-0x0000000004D50000-0x000000000563B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/3308-1-0x0000000004950000-0x0000000004D4C000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3308-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3308-2-0x0000000004D50000-0x000000000563B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/3308-147-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3308-87-0x0000000000400000-0x0000000002B08000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3308-88-0x0000000004950000-0x0000000004D4C000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3312-222-0x0000000000400000-0x0000000002B08000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3312-212-0x0000000000400000-0x0000000002B08000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3312-224-0x0000000000400000-0x0000000002B08000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3312-220-0x0000000000400000-0x0000000002B08000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3312-216-0x0000000000400000-0x0000000002B08000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3312-214-0x0000000000400000-0x0000000002B08000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3312-210-0x0000000000400000-0x0000000002B08000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3312-208-0x0000000000400000-0x0000000002B08000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3312-206-0x0000000000400000-0x0000000002B08000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3312-218-0x0000000000400000-0x0000000002B08000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3312-200-0x0000000000400000-0x0000000002B08000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3312-202-0x0000000000400000-0x0000000002B08000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3312-204-0x0000000000400000-0x0000000002B08000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/3916-124-0x0000000000400000-0x0000000002B08000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/4788-184-0x0000000070C00000-0x0000000070F57000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4788-183-0x00000000709B0000-0x00000000709FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4920-149-0x0000000005500000-0x0000000005857000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4920-172-0x0000000005880000-0x0000000005895000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4920-171-0x0000000007010000-0x0000000007021000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4920-159-0x0000000005C20000-0x0000000005C6C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4920-170-0x0000000006AA0000-0x0000000006B44000-memory.dmp

      Filesize

      656KB

      Download

    • memory/4920-160-0x00000000709B0000-0x00000000709FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4920-161-0x0000000070C00000-0x0000000070F57000-memory.dmp

      Filesize

      3.3MB

      Download