Overview

overview

10

Static

static

1

bf012a5a38...c3.exe

windows7-x64

10

bf012a5a38...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2024 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf012a5a3808044d4c7a5f251cceefd2b70dd0a30787e5cdeb5699e78e0aeac3.exe

  • Size

    4.1MB

  • MD5

    1250c2afc46194b4d63ca011316d2f28

  • SHA1

    2b1d8c1b13faca320cfeb1e3d3040407ff36f9d8

  • SHA256

    bf012a5a3808044d4c7a5f251cceefd2b70dd0a30787e5cdeb5699e78e0aeac3

  • SHA512

    b4e394bb8dc1a336701a5c0aa14166f3ea2b6c7e9860e7d3d80d253eb2c5b4ed50b95518b609fe43d068f09d2f4dcebcf4c026e2a071a3ff3e1b62ee69eb14de

  • SSDEEP

    98304:2k/C6baF9NNXYvR+SQPyohxfWe3/GY9pAEj6B:2n6bazjovoyoHfX3/GYHq

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkit

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 19 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf012a5a3808044d4c7a5f251cceefd2b70dd0a30787e5cdeb5699e78e0aeac3.exe
    "C:\Users\Admin\AppData\Local\Temp\bf012a5a3808044d4c7a5f251cceefd2b70dd0a30787e5cdeb5699e78e0aeac3.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3620
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1612
    • C:\Users\Admin\AppData\Local\Temp\bf012a5a3808044d4c7a5f251cceefd2b70dd0a30787e5cdeb5699e78e0aeac3.exe
      "C:\Users\Admin\AppData\Local\Temp\bf012a5a3808044d4c7a5f251cceefd2b70dd0a30787e5cdeb5699e78e0aeac3.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5724
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3124
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3884
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2640
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2152
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4956
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2848
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4324
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:5132
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5212
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2380
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:6104
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:5344
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 904
          3⤵
          • Program crash
          PID:2508
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 780
        2⤵
        • Program crash
        PID:5440
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3620 -ip 3620
      1⤵
        PID:2376
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2760 -ip 2760
        1⤵
          PID:2448

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Scheduled Task/Job

        1
        T1053

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Scheduled Task/Job

        1
        T1053

        Defense Evasion

        Impair Defenses

        1
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hwh55aw.shh.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Filesize

          281KB

          MD5

          d98e33b66343e7c96158444127a117f6

          SHA1

          bb716c5509a2bf345c6c1152f6e3e1452d39d50d

          SHA256

          5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

          SHA512

          705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          d924004dab30fe9355647a002594aa35

          SHA1

          4709eb3ce8978b5dd1a86e11ad3e821fcc616f77

          SHA256

          b1fb4b683e55654c07297ec9381870290fd1fed08a3e6511989dd77f934360b3

          SHA512

          e8617227d06ff20220fc2db2516f767aded54ac09dccb2c28f763c81c208ae6f2be8d008ae0444de822b0a8261ac56251d3210642e32c076ae9eb5bc854e82b7

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          9d5075b2c3514e372d2c92751211176e

          SHA1

          ad204cf1303f5b08e2f8ae8e6fe34be02f1d05a0

          SHA256

          5f5e2b1f604b9930e0671c5caa93eaef0d04946f21ebe806af07fdd402f73ec2

          SHA512

          5aae995efc52e97f9c5140833b6c8304e99298d00fd5df558cf0512355a31449ad48ad187227eff45a01db5cd4a01553bdf948561d15f179a89b023d80f508e8

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          0374c04b42a4ac8c9a2c1b4a0990f280

          SHA1

          edb3e3dcf6aa68f5f6c35e9037e12621b9b2f8c8

          SHA256

          22f8bf33db7961fe450a621ce066ee4c47489f2448e12d67c785a7ee5590b144

          SHA512

          5d454801576dc796f8bc829bb8b1f2d3a9115f32d48ade2173ca4c7013c151c4b885ea119486e28abaead578673065cddc6f5d03fed626e1d89e2042f38e18bd

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          d732a061bc34b2631ef9767bb91ecafa

          SHA1

          0fa34a7bf911efdc77c15ba7f0477f03ea45801a

          SHA256

          3142781206513857bd33151febc3ab1845f83666dd4985db3d23d9110750c2b3

          SHA512

          2634f1847da57c2d5cff814916a1d44030efd20c4c4da49bff29bea3a1e6c2a26d833ed058a91ec2f39f285a2adc18be93003500bf2094342305a9b75a988d59

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          88774eb067496e0d38adb72cd43270e0

          SHA1

          88d1a49128e52239f7a1faa27d6f3b214211a568

          SHA256

          1f6161697d263b47f94de94ae68bd430e1ddb6a62204724481a2046d4f8a8148

          SHA512

          39cd2b7455b9eb7bde10086bf5bd3a53236ad89fe1564e0a930f68749b7b68d22984e0f850d22b9e197a53c191705f19eca8c3cf760881e7ca0d32b66ac4645e

          Download Submit

        • C:\Windows\rss\csrss.exe
          Filesize

          4.1MB

          MD5

          1250c2afc46194b4d63ca011316d2f28

          SHA1

          2b1d8c1b13faca320cfeb1e3d3040407ff36f9d8

          SHA256

          bf012a5a3808044d4c7a5f251cceefd2b70dd0a30787e5cdeb5699e78e0aeac3

          SHA512

          b4e394bb8dc1a336701a5c0aa14166f3ea2b6c7e9860e7d3d80d253eb2c5b4ed50b95518b609fe43d068f09d2f4dcebcf4c026e2a071a3ff3e1b62ee69eb14de

          Download Submit

        • memory/1612-31-0x0000000070F70000-0x00000000712C4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1612-44-0x0000000007EF0000-0x0000000007EFA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1612-10-0x00000000058F0000-0x0000000005956000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1612-21-0x0000000006220000-0x0000000006574000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1612-22-0x0000000006800000-0x000000000681E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1612-23-0x0000000006B60000-0x0000000006BAC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1612-24-0x0000000006DB0000-0x0000000006DF4000-memory.dmp

          Filesize

          272KB

          Download

        • memory/1612-25-0x0000000007940000-0x00000000079B6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/1612-27-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1612-26-0x0000000008240000-0x00000000088BA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1612-28-0x0000000007DA0000-0x0000000007DD2000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1612-30-0x00000000749D0000-0x0000000075180000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1612-29-0x0000000070870000-0x00000000708BC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1612-9-0x0000000005850000-0x0000000005872000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1612-41-0x0000000007DE0000-0x0000000007DFE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1612-42-0x0000000007E00000-0x0000000007EA3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/1612-43-0x00000000749D0000-0x0000000075180000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1612-11-0x0000000005960000-0x00000000059C6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1612-45-0x0000000008000000-0x0000000008096000-memory.dmp

          Filesize

          600KB

          Download

        • memory/1612-46-0x0000000007F00000-0x0000000007F11000-memory.dmp

          Filesize

          68KB

          Download

        • memory/1612-47-0x0000000007F40000-0x0000000007F4E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1612-48-0x0000000007F60000-0x0000000007F74000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1612-49-0x0000000007FA0000-0x0000000007FBA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1612-50-0x0000000007F90000-0x0000000007F98000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1612-53-0x00000000749D0000-0x0000000075180000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1612-4-0x00000000749DE000-0x00000000749DF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1612-8-0x00000000749D0000-0x0000000075180000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1612-5-0x0000000003230000-0x0000000003266000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1612-7-0x00000000749D0000-0x0000000075180000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1612-6-0x0000000005AF0000-0x0000000006118000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2152-121-0x0000000071110000-0x0000000071464000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2152-120-0x0000000070970000-0x00000000709BC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2152-109-0x0000000005ED0000-0x0000000006224000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2380-201-0x00000000064D0000-0x0000000006824000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2380-203-0x00000000707F0000-0x000000007083C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2380-204-0x0000000070990000-0x0000000070CE4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2640-95-0x00000000059A0000-0x0000000005CF4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2640-97-0x0000000070970000-0x00000000709BC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2640-98-0x0000000070AF0000-0x0000000070E44000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2760-137-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

          Download

        • memory/2848-150-0x00000000708D0000-0x000000007091C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2848-147-0x0000000006190000-0x00000000064E4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2848-149-0x0000000006C30000-0x0000000006C7C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2848-163-0x0000000005F20000-0x0000000005F34000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2848-151-0x0000000070A70000-0x0000000070DC4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2848-161-0x0000000007990000-0x0000000007A33000-memory.dmp

          Filesize

          652KB

          Download

        • memory/2848-162-0x0000000007C50000-0x0000000007C61000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3620-56-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/3620-57-0x0000000004590000-0x0000000004E7B000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/3620-55-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

          Download

        • memory/3620-2-0x0000000004590000-0x0000000004E7B000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/3620-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

          Download

        • memory/3620-1-0x0000000004180000-0x0000000004587000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/4956-228-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

          Download

        • memory/4956-226-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

          Download

        • memory/4956-225-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

          Download

        • memory/4956-224-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

          Download

        • memory/4956-227-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

          Download

        • memory/4956-223-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

          Download

        • memory/4956-222-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

          Download

        • memory/4956-221-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

          Download

        • memory/4956-220-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

          Download

        • memory/4956-229-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

          Download

        • memory/4956-230-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

          Download

        • memory/4956-231-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

          Download

        • memory/4956-232-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

          Download

        • memory/5212-177-0x00000000707F0000-0x000000007083C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/5212-174-0x0000000006110000-0x0000000006464000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5212-189-0x0000000007BD0000-0x0000000007BE1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/5212-178-0x0000000070970000-0x0000000070CC4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5212-188-0x0000000007920000-0x00000000079C3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/5212-176-0x0000000006BE0000-0x0000000006C2C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/5212-190-0x0000000005EE0000-0x0000000005EF4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/5724-67-0x0000000005FC0000-0x0000000006314000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5724-68-0x00000000065B0000-0x00000000065FC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/5724-69-0x0000000070970000-0x00000000709BC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/5724-70-0x0000000071120000-0x0000000071474000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/5724-80-0x0000000007750000-0x00000000077F3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/5724-81-0x0000000007A60000-0x0000000007A71000-memory.dmp

          Filesize

          68KB

          Download

        • memory/5724-82-0x0000000007AB0000-0x0000000007AC4000-memory.dmp

          Filesize

          80KB

          Download