glupteba | 4c71ce019072db6763adc78098d30159743f6dd1a2672b4f743392352acde788 | Triage

Analysis

max time kernel
1s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
19/05/2024, 21:46 UTC

Sharing

Report Analysis Logs

General

Target

4c71ce019072db6763adc78098d30159743f6dd1a2672b4f743392352acde788.exe
Size

4.1MB
MD5

452b6c70c86f7ad78c84af5407d4c769
SHA1

240f462eb3e7d06dfc3b7aef55684e3c48f47c65
SHA256

4c71ce019072db6763adc78098d30159743f6dd1a2672b4f743392352acde788
SHA512

7ac958df103493e28ed1411de2259b658ee07ece24ee3ddf0c754570a4d4d0466aeb2b92bfcb15180efe4a91d03ce8d4a85dfb1b367618eda1e10e6f9a43c25a
SSDEEP

98304:UX33DbWGkLHuFK+TwQmBC6reQ4TTNXYvI8KgvjrB0r/:UXPWAwQyCdJYw8Kgg/

Score

10^/10

glupteba dropper evasion execution loader upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 18 IoCs

resource	yara_rule
behavioral2/memory/3884-2-0x00000000048D0000-0x00000000051BB000-memory.dmp	family_glupteba
behavioral2/memory/3884-3-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/3884-119-0x00000000048D0000-0x00000000051BB000-memory.dmp	family_glupteba
behavioral2/memory/3884-117-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/3884-193-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5096-192-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/3496-201-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/3496-213-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/3496-217-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/3496-221-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/3496-225-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/3496-229-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/3496-233-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/3496-237-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/3496-241-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/3496-245-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/3496-249-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba
behavioral2/memory/3496-253-0x0000000000400000-0x0000000002733000-memory.dmp	family_glupteba

Modifies Windows Firewall 2 TTPs 1 IoCs

Windows Service

Disable or Modify System Firewall

pid	Process
2768	netsh.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/files/0x000200000002aa3e-206.dat	upx
behavioral2/memory/2424-207-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/2424-211-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/5116-210-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/5116-215-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/5116-223-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
416	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

PowerShell

pid	Process
3772	powershell.exe
2268	powershell.exe
3588	powershell.exe
1044	powershell.exe
1720	powershell.exe
1884	powershell.exe
652	powershell.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
2352	schtasks.exe
812	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4c71ce019072db6763adc78098d30159743f6dd1a2672b4f743392352acde788.exe
"C:\Users\Admin\AppData\Local\Temp\4c71ce019072db6763adc78098d30159743f6dd1a2672b4f743392352acde788.exe"
1⤵
PID:3884
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -nologo -noprofile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1044
- C:\Users\Admin\AppData\Local\Temp\4c71ce019072db6763adc78098d30159743f6dd1a2672b4f743392352acde788.exe
  "C:\Users\Admin\AppData\Local\Temp\4c71ce019072db6763adc78098d30159743f6dd1a2672b4f743392352acde788.exe"
  2⤵
  PID:5096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2256
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:2768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1884
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:652
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
    3⤵
    PID:3496
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3772
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2352
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /tn ScheduledUpdate /f
      4⤵
      PID:4608
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3588
  - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
      4⤵
      PID:4748
  - - C:\Windows\SYSTEM32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:812
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:2424
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:5080
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        Launches sc.exe
        
        PID:416

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5116

Network

DNS

1431ea3b-5546-4ffb-9dc3-aa6ab2c9bdb2.uuid.databaseupgrade.ru

Remote address:

8.8.8.8:53

Request

1431ea3b-5546-4ffb-9dc3-aa6ab2c9bdb2.uuid.databaseupgrade.ru

IN TXT

Response
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

stun.ipfire.org

Remote address:

8.8.8.8:53

Request

stun.ipfire.org

IN A

Response

stun.ipfire.org

IN CNAME

xmpp.ipfire.org

xmpp.ipfire.org

IN A

81.3.27.44
DNS

44.27.3.81.in-addr.arpa

Remote address:

8.8.8.8:53

Request

44.27.3.81.in-addr.arpa

IN PTR

Response

44.27.3.81.in-addr.arpa

IN PTR

xmppipfireorg
DNS

self.events.data.microsoft.com

Remote address:

8.8.8.8:53

Request

self.events.data.microsoft.com

IN A

Response

self.events.data.microsoft.com

IN CNAME

self-events-data.trafficmanager.net

self-events-data.trafficmanager.net

IN CNAME

onedscolprdwus17.westus.cloudapp.azure.com

onedscolprdwus17.westus.cloudapp.azure.com

IN A

20.189.173.16
DNS

cdn.discordapp.com

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.133.233

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.134.233

cdn.discordapp.com

IN A

162.159.129.233

cdn.discordapp.com

IN A

162.159.130.233
DNS

carsalessystem.com

Remote address:

8.8.8.8:53

Request

carsalessystem.com

IN A

Response

carsalessystem.com

IN A

104.21.94.82

carsalessystem.com

IN A

172.67.221.71
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
DNS

server15.databaseupgrade.ru

Remote address:

8.8.8.8:53

Request

server15.databaseupgrade.ru

IN A

Response

server15.databaseupgrade.ru

IN A

185.82.216.108
DNS

nexusrules.officeapps.live.com

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.229.48
DNS

16.173.189.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

16.173.189.20.in-addr.arpa

IN PTR

Response

162.159.133.233:443

cdn.discordapp.com

tls

1.4kB
6.1kB
16
18
185.82.216.108:443

server15.databaseupgrade.ru

tls

1.6kB
5.4kB
13
14
104.21.94.82:443

carsalessystem.com

tls

89.6kB
1.9MB
1508
1436
185.82.216.108:443

server15.databaseupgrade.ru

tls

1.9kB
4.7kB
11
13
185.82.216.108:443

server15.databaseupgrade.ru

tls

1.7kB
4.5kB
8
9

8.8.8.8:53

1431ea3b-5546-4ffb-9dc3-aa6ab2c9bdb2.uuid.databaseupgrade.ru

dns

378 B
654 B
5
5

DNS Request

1431ea3b-5546-4ffb-9dc3-aa6ab2c9bdb2.uuid.databaseupgrade.ru

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

stun.ipfire.org

DNS Response

81.3.27.44

DNS Request

44.27.3.81.in-addr.arpa

DNS Request

self.events.data.microsoft.com

DNS Response

20.189.173.16
8.8.8.8:53

cdn.discordapp.com

dns

200 B
398 B
3
3

DNS Request

cdn.discordapp.com

DNS Response

162.159.133.233

162.159.135.233

162.159.134.233

162.159.129.233

162.159.130.233

DNS Request

carsalessystem.com

DNS Response

104.21.94.82

172.67.221.71

DNS Request

48.229.111.52.in-addr.arpa
8.8.8.8:53

server15.databaseupgrade.ru

dns

221 B
388 B
3
3

DNS Request

server15.databaseupgrade.ru

DNS Response

185.82.216.108

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.229.48

DNS Request

16.173.189.20.in-addr.arpa
81.3.27.44:3478

stun.ipfire.org

48 B
80 B
1
1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1f4qmt4k.rvy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
813181ee586a3cf8dce41dd44ac66b1c

SHA1
e60d96df5de49df6eadb7969c70b060d58ecd634

SHA256
f536c498d1ca92ecdb4f79e66aceaf846c3d816542bfad7744f084c3b1b7f343

SHA512
6bedef49931759d1c19596f7614cf733abb358acfa883d488e1eed3bba12025d04b6dc042facd5cff46a6e1fb2ec2e22567c7d73670cd07655a159511bf54ced

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
fa9c9fe3520222a5b1b737e94f543793

SHA1
173048e7b26eca2c6fcafb6e6d168e7a902e625d

SHA256
d533edf5d710a0d276f73a452a2719fcf841e85d25a9194a7da0e61e2c6de347

SHA512
0d7ce06c01dc9dc8a6a445ca71e67f224c07a3f49a175730fbc90eafa28b2ede2bef542b0a0ddf14460dd0622dd785368044a87bfdc7d6c6144d9f58235ab9c0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
40b499c8dd4c0bc8d6a4435417bd56e7

SHA1
48329f8bced4fffc30fc3d12df96c42af828bf5f

SHA256
604a12a2eead0ac9d1b8f6fbf04eb7a91e0471468263a3433cede4bb2888cc0d

SHA512
e4cb9f53c334e2545a2711549b8cf26354713507df6070dcaa64fed94414d2d9edf80f5bb14d8f6fd122b781b2c4c54a4370e8dd835d0635bf698e87e38dfaaa

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
7b948ecb238d67d44a14d5cf3b5b4ebc

SHA1
524289b8fb8b21d7179d55bbb34c6ff0355ce71a

SHA256
f9d94fd8f35a125a1ef764e85789a4354fbb20d81c6d4467f8efd677e2135582

SHA512
71d25077a9bff68c3ad12e66f413bd97f527274146829bb6921798edd17822f7dc1c9c75c4827f94703bac654ce33eabb5105781452c3ab9dc4dda3796aeb0e5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
c59c49e4716dfd2b055f75c6057bdf39

SHA1
71c2b91d6ae480ff0ee1b2e831ee4053755cceca

SHA256
53cf5549ccdf9aa9e3ab1d5918245951e1b25ca93a1412b8309f82d9df257641

SHA512
6a08a1edb874f6789fbd27f89a21d81b6f06a21db7b8a15ada434c72cb5bc95ac539b5403130364634f64110655db7467807c02bdd71df82119be1bd9f44a7b9

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
452b6c70c86f7ad78c84af5407d4c769

SHA1
240f462eb3e7d06dfc3b7aef55684e3c48f47c65

SHA256
4c71ce019072db6763adc78098d30159743f6dd1a2672b4f743392352acde788

SHA512
7ac958df103493e28ed1411de2259b658ee07ece24ee3ddf0c754570a4d4d0466aeb2b92bfcb15180efe4a91d03ce8d4a85dfb1b367618eda1e10e6f9a43c25a

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/652-108-0x0000000070BA0000-0x0000000070EF7000-memory.dmp

Filesize
3.3MB

Download
memory/652-107-0x0000000070950000-0x000000007099C000-memory.dmp

Filesize
304KB

Download
memory/1044-38-0x00000000746E0000-0x0000000074E91000-memory.dmp

Filesize
7.7MB

Download
memory/1044-7-0x00000000746E0000-0x0000000074E91000-memory.dmp

Filesize
7.7MB

Download
memory/1044-22-0x0000000005D20000-0x0000000005D6C000-memory.dmp

Filesize
304KB

Download
memory/1044-23-0x0000000006250000-0x0000000006296000-memory.dmp

Filesize
280KB

Download
memory/1044-24-0x0000000007100000-0x0000000007134000-memory.dmp

Filesize
208KB

Download
memory/1044-36-0x0000000007140000-0x000000000715E000-memory.dmp

Filesize
120KB

Download
memory/1044-27-0x00000000746E0000-0x0000000074E91000-memory.dmp

Filesize
7.7MB

Download
memory/1044-37-0x0000000007160000-0x0000000007204000-memory.dmp

Filesize
656KB

Download
memory/1044-26-0x0000000070BA0000-0x0000000070EF7000-memory.dmp

Filesize
3.3MB

Download
memory/1044-25-0x0000000070950000-0x000000007099C000-memory.dmp

Filesize
304KB

Download
memory/1044-4-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/1044-40-0x0000000007290000-0x00000000072AA000-memory.dmp

Filesize
104KB

Download
memory/1044-39-0x00000000078D0000-0x0000000007F4A000-memory.dmp

Filesize
6.5MB

Download
memory/1044-41-0x00000000072D0000-0x00000000072DA000-memory.dmp

Filesize
40KB

Download
memory/1044-42-0x0000000007390000-0x0000000007426000-memory.dmp

Filesize
600KB

Download
memory/1044-43-0x0000000007300000-0x0000000007311000-memory.dmp

Filesize
68KB

Download
memory/1044-44-0x0000000007340000-0x000000000734E000-memory.dmp

Filesize
56KB

Download
memory/1044-45-0x0000000007350000-0x0000000007365000-memory.dmp

Filesize
84KB

Download
memory/1044-46-0x0000000007450000-0x000000000746A000-memory.dmp

Filesize
104KB

Download
memory/1044-47-0x0000000007430000-0x0000000007438000-memory.dmp

Filesize
32KB

Download
memory/1044-50-0x00000000746E0000-0x0000000074E91000-memory.dmp

Filesize
7.7MB

Download
memory/1044-5-0x0000000002810000-0x0000000002846000-memory.dmp

Filesize
216KB

Download
memory/1044-21-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

Filesize
120KB

Download
memory/1044-6-0x0000000004FD0000-0x00000000055FA000-memory.dmp

Filesize
6.2MB

Download
memory/1044-8-0x0000000004E20000-0x0000000004E42000-memory.dmp

Filesize
136KB

Download
memory/1044-9-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/1044-10-0x00000000746E0000-0x0000000074E91000-memory.dmp

Filesize
7.7MB

Download
memory/1044-20-0x00000000057E0000-0x0000000005B37000-memory.dmp

Filesize
3.3MB

Download
memory/1044-11-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/1720-62-0x0000000070B80000-0x0000000070ED7000-memory.dmp

Filesize
3.3MB

Download
memory/1720-73-0x0000000007940000-0x0000000007955000-memory.dmp

Filesize
84KB

Download
memory/1720-72-0x00000000078F0000-0x0000000007901000-memory.dmp

Filesize
68KB

Download
memory/1720-71-0x00000000075B0000-0x0000000007654000-memory.dmp

Filesize
656KB

Download
memory/1720-60-0x0000000005E50000-0x00000000061A7000-memory.dmp

Filesize
3.3MB

Download
memory/1720-61-0x0000000070950000-0x000000007099C000-memory.dmp

Filesize
304KB

Download
memory/1884-87-0x0000000070950000-0x000000007099C000-memory.dmp

Filesize
304KB

Download
memory/1884-88-0x0000000070AF0000-0x0000000070E47000-memory.dmp

Filesize
3.3MB

Download
memory/1884-85-0x00000000059A0000-0x0000000005CF7000-memory.dmp

Filesize
3.3MB

Download
memory/2268-170-0x0000000005A80000-0x0000000005A95000-memory.dmp

Filesize
84KB

Download
memory/2268-168-0x0000000006EF0000-0x0000000006F94000-memory.dmp

Filesize
656KB

Download
memory/2268-169-0x0000000007230000-0x0000000007241000-memory.dmp

Filesize
68KB

Download
memory/2268-155-0x00000000056C0000-0x0000000005A17000-memory.dmp

Filesize
3.3MB

Download
memory/2268-159-0x0000000070A80000-0x0000000070DD7000-memory.dmp

Filesize
3.3MB

Download
memory/2268-157-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

Filesize
304KB

Download
memory/2268-158-0x0000000070870000-0x00000000708BC000-memory.dmp

Filesize
304KB

Download
memory/2424-211-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2424-207-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3496-253-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3496-245-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3496-237-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3496-241-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3496-233-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3496-229-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3496-257-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3496-225-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3496-221-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3496-217-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3496-213-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3496-201-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3496-249-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3588-182-0x0000000070870000-0x00000000708BC000-memory.dmp

Filesize
304KB

Download
memory/3588-183-0x0000000070AC0000-0x0000000070E17000-memory.dmp

Filesize
3.3MB

Download
memory/3588-172-0x0000000006260000-0x00000000065B7000-memory.dmp

Filesize
3.3MB

Download
memory/3772-134-0x0000000005630000-0x0000000005987000-memory.dmp

Filesize
3.3MB

Download
memory/3772-136-0x0000000070950000-0x000000007099C000-memory.dmp

Filesize
304KB

Download
memory/3772-137-0x0000000070B60000-0x0000000070EB7000-memory.dmp

Filesize
3.3MB

Download
memory/3884-1-0x00000000044C0000-0x00000000048C7000-memory.dmp

Filesize
4.0MB

Download
memory/3884-193-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3884-2-0x00000000048D0000-0x00000000051BB000-memory.dmp

Filesize
8.9MB

Download
memory/3884-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3884-117-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/3884-118-0x00000000044C0000-0x00000000048C7000-memory.dmp

Filesize
4.0MB

Download
memory/3884-119-0x00000000048D0000-0x00000000051BB000-memory.dmp

Filesize
8.9MB

Download
memory/5096-192-0x0000000000400000-0x0000000002733000-memory.dmp

Filesize
35.2MB

Download
memory/5116-223-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/5116-215-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/5116-210-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download