Overview

overview

10

Static

static

1

5469493967...9d.exe

windows7-x64

10

5469493967...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-05-2024 09:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5469493967b62a9d55e0e0f7895df32d37e909aa77a7ca7ec6bade23c17b649d.exe

  • Size

    4.1MB

  • MD5

    983f78a4179867e5818b73db3e5e8b1d

  • SHA1

    aeeaa70a50f085930e3a5f6dbc381b199282fa15

  • SHA256

    5469493967b62a9d55e0e0f7895df32d37e909aa77a7ca7ec6bade23c17b649d

  • SHA512

    3e47961b20fba86879f682a63aa75ae9e008a80663421e490c1aafe0d806a8c8e978eed92c4b2103803fd4193d6bf81427046ec014c2ee7f7e86cc2e08e8c2f6

  • SSDEEP

    98304:gvCQaDBnSWO/B+XxjapSyZlG1PnsYHdaWgIg92gsnC3bzMZh6P1+:gvC3DFSWO/BjYGk1PnXHoWWZ1za6N+

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkit

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 19 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\5469493967b62a9d55e0e0f7895df32d37e909aa77a7ca7ec6bade23c17b649d.exe
    "C:\Users\Admin\AppData\Local\Temp\5469493967b62a9d55e0e0f7895df32d37e909aa77a7ca7ec6bade23c17b649d.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1444
    • C:\Users\Admin\AppData\Local\Temp\5469493967b62a9d55e0e0f7895df32d37e909aa77a7ca7ec6bade23c17b649d.exe
      "C:\Users\Admin\AppData\Local\Temp\5469493967b62a9d55e0e0f7895df32d37e909aa77a7ca7ec6bade23c17b649d.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3884
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1492
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4856
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3292
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:812
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2556
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2988
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3668
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:4500
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3832
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2028
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:812
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:3164
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 832
        2⤵
        • Program crash
        PID:664
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2892 -ip 2892
      1⤵
        PID:4608

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Impair Defenses

      1
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dtzr1t4f.50k.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        Filesize

        281KB

        MD5

        d98e33b66343e7c96158444127a117f6

        SHA1

        bb716c5509a2bf345c6c1152f6e3e1452d39d50d

        SHA256

        5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

        SHA512

        705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        3d086a433708053f9bf9523e1d87a4e8

        SHA1

        b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

        SHA256

        6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

        SHA512

        931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        19KB

        MD5

        21f5ccb90761e10e8520d4c69980cbc4

        SHA1

        ae1da0b0878cdcc67e4d25af5302768dff20d428

        SHA256

        18c3fd725843a61815ffc62d435890110dad5ce47cfa2258c5af3769dc768ce4

        SHA512

        689342ab69f5a15d69838e6bbe82e24915ecdbe717c167865fa9194d97b28f0153b8f77a992a599de48aa5e3a927fbbd384ed8c2ff6fe9fe5dc37ca9534c7597

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        19KB

        MD5

        441aac0f4dd39c20e3f459144c8624ba

        SHA1

        284d125ffef645586ad86fcec818e0bed9f84b89

        SHA256

        3e7b3d2f746c8679e837b68d810155c4785a0f2594629d3d84bb6d3c1e4ad985

        SHA512

        4269f1eb6708ce150e607e43b4e057d5191f4c944790d9317f3dbadfb7480a89508932086d6fd96bd508729ced33f610822d11dff45c9bd9c2efdb3112fce01a

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        19KB

        MD5

        a2875e128f75ed4f6bea47e0ac4825d0

        SHA1

        840a45c164d38a6d9430a498e885c7bad75b7515

        SHA256

        b2d847e8a8b9b17c1158376c5331a17ac4ff371c066ed04184b53832e87177ee

        SHA512

        9eae37a2a24e9bbb9d4ef5c65b780fc86ac4dab27a1a41d7f349347cc6fdd52624a08ca234b548626d9de53cce0923d5848c7b77e65bb7d8f28cc35c0ceff09e

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        19KB

        MD5

        b504145947e6f1655bb7df65dd97e727

        SHA1

        93bbe7d747d24f34bf2f3b42812d5c319b5148c6

        SHA256

        f95457665c099ba062c2604157a5dabc39994cad8d7283d91259fc8578f537ee

        SHA512

        833c8755317e335bcd5c13430f6c95e245d3411017c28479835b9084780ce93c18ce2b6c25abc4863d90a40a3b98c488490ef6f92e16eb5f7a74e5206a90448d

        Download Submit

      • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
        Filesize

        19KB

        MD5

        19ec5c0628f5846d234dea2a05032f43

        SHA1

        c22fd6caee88dcb5c5ba6467cd988582aba67c31

        SHA256

        c8590ac2f4d467ada86855e257ba170e99f2848b434844becc9a659d6d089f2e

        SHA512

        4207d6810add0842af0fe403c849b5770d27e51d8f4eca7ab2361452d2cc908078bec4d7d443ff7d29f0e38a4381ab7db17e131b5a344eb0bffbe5bb445f0478

        Download Submit

      • C:\Windows\rss\csrss.exe
        Filesize

        4.1MB

        MD5

        983f78a4179867e5818b73db3e5e8b1d

        SHA1

        aeeaa70a50f085930e3a5f6dbc381b199282fa15

        SHA256

        5469493967b62a9d55e0e0f7895df32d37e909aa77a7ca7ec6bade23c17b649d

        SHA512

        3e47961b20fba86879f682a63aa75ae9e008a80663421e490c1aafe0d806a8c8e978eed92c4b2103803fd4193d6bf81427046ec014c2ee7f7e86cc2e08e8c2f6

        Download Submit

      • memory/812-98-0x0000000070140000-0x0000000070494000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/812-97-0x000000006FFA0000-0x000000006FFEC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/812-95-0x0000000005E00000-0x0000000006154000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1444-31-0x0000000070620000-0x0000000070974000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1444-6-0x0000000074000000-0x00000000747B0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1444-23-0x0000000006040000-0x000000000608C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1444-24-0x00000000065A0000-0x00000000065E4000-memory.dmp

        Filesize

        272KB

        Download

      • memory/1444-25-0x0000000007340000-0x00000000073B6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1444-26-0x0000000007A40000-0x00000000080BA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1444-27-0x00000000073C0000-0x00000000073DA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1444-30-0x0000000074000000-0x00000000747B0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1444-29-0x000000006FEA0000-0x000000006FEEC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1444-28-0x0000000007580000-0x00000000075B2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/1444-4-0x000000007400E000-0x000000007400F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1444-41-0x00000000075C0000-0x00000000075DE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1444-42-0x00000000075E0000-0x0000000007683000-memory.dmp

        Filesize

        652KB

        Download

      • memory/1444-43-0x0000000074000000-0x00000000747B0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1444-44-0x00000000076D0000-0x00000000076DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1444-45-0x0000000007790000-0x0000000007826000-memory.dmp

        Filesize

        600KB

        Download

      • memory/1444-46-0x00000000076F0000-0x0000000007701000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1444-47-0x0000000007730000-0x000000000773E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1444-48-0x0000000007740000-0x0000000007754000-memory.dmp

        Filesize

        80KB

        Download

      • memory/1444-49-0x0000000007830000-0x000000000784A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1444-50-0x0000000007770000-0x0000000007778000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1444-53-0x0000000074000000-0x00000000747B0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1444-5-0x0000000004A40000-0x0000000004A76000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1444-7-0x0000000005160000-0x0000000005788000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1444-22-0x0000000006010000-0x000000000602E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1444-8-0x0000000005070000-0x0000000005092000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1444-9-0x0000000074000000-0x00000000747B0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1444-11-0x0000000005970000-0x00000000059D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1444-10-0x0000000005900000-0x0000000005966000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1444-17-0x00000000059F0000-0x0000000005D44000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1492-81-0x0000000007C80000-0x0000000007C91000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1492-82-0x0000000007CD0000-0x0000000007CE4000-memory.dmp

        Filesize

        80KB

        Download

      • memory/1492-80-0x0000000007960000-0x0000000007A03000-memory.dmp

        Filesize

        652KB

        Download

      • memory/1492-70-0x0000000070740000-0x0000000070A94000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1492-69-0x000000006FFA0000-0x000000006FFEC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1492-68-0x00000000067D0000-0x000000000681C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1492-67-0x0000000006010000-0x0000000006364000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2028-202-0x000000006FE20000-0x000000006FE6C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2028-203-0x00000000705B0000-0x0000000070904000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2028-200-0x0000000005E40000-0x0000000006194000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2108-231-0x0000000000400000-0x0000000002365000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/2108-222-0x0000000000400000-0x0000000002365000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/2108-220-0x0000000000400000-0x0000000002365000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/2108-219-0x0000000000400000-0x0000000002365000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/2108-221-0x0000000000400000-0x0000000002365000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/2108-229-0x0000000000400000-0x0000000002365000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/2108-224-0x0000000000400000-0x0000000002365000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/2108-225-0x0000000000400000-0x0000000002365000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/2108-226-0x0000000000400000-0x0000000002365000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/2108-227-0x0000000000400000-0x0000000002365000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/2108-230-0x0000000000400000-0x0000000002365000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/2108-228-0x0000000000400000-0x0000000002365000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/2108-223-0x0000000000400000-0x0000000002365000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/2556-120-0x0000000070740000-0x0000000070A94000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2556-119-0x000000006FFA0000-0x000000006FFEC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2892-2-0x0000000004650000-0x0000000004F3B000-memory.dmp

        Filesize

        8.9MB

        Download

      • memory/2892-56-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/2892-1-0x0000000004250000-0x000000000464B000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2892-55-0x0000000000400000-0x0000000002365000-memory.dmp

        Filesize

        31.4MB

        Download

      • memory/2892-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/2892-57-0x0000000004650000-0x0000000004F3B000-memory.dmp

        Filesize

        8.9MB

        Download

      • memory/2988-160-0x0000000007830000-0x00000000078D3000-memory.dmp

        Filesize

        652KB

        Download

      • memory/2988-148-0x0000000006B90000-0x0000000006BDC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2988-149-0x000000006FF00000-0x000000006FF4C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2988-146-0x0000000006150000-0x00000000064A4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2988-150-0x0000000070080000-0x00000000703D4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2988-161-0x0000000007BA0000-0x0000000007BB1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2988-162-0x0000000005850000-0x0000000005864000-memory.dmp

        Filesize

        80KB

        Download

      • memory/3832-175-0x0000000006480000-0x00000000064CC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3832-189-0x0000000005C70000-0x0000000005C84000-memory.dmp

        Filesize

        80KB

        Download

      • memory/3832-188-0x00000000078E0000-0x00000000078F1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3832-187-0x00000000075B0000-0x0000000007653000-memory.dmp

        Filesize

        652KB

        Download

      • memory/3832-177-0x000000006FFA0000-0x00000000702F4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3832-176-0x000000006FE20000-0x000000006FE6C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3832-173-0x0000000005E10000-0x0000000006164000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3884-134-0x0000000000400000-0x0000000002365000-memory.dmp

        Filesize

        31.4MB

        Download