Overview

overview

10

Static

static

1

c1294b82b2...a2.exe

windows7-x64

10

c1294b82b2...a2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-05-2024 06:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1294b82b257fcd3d2238d1e7b53dab6f180411c7e0ec52eb4d4e4a2855822a2.exe

  • Size

    4.1MB

  • MD5

    bfdcd054dc39209e7aa494194c41cd68

  • SHA1

    b384b9076668c6da2ddc756d50e8fdaf75014933

  • SHA256

    c1294b82b257fcd3d2238d1e7b53dab6f180411c7e0ec52eb4d4e4a2855822a2

  • SHA512

    f1bd66a230540d33f580be662e2f84750d77b1e0329127bf49207088746901bb831755aaaf000b48ce5645455433c4a80cddbf1237f0867b9b5cdfad8cf0f718

  • SSDEEP

    98304:+k/C6baF9NNXYvR+SQPyohxfWe3/GY9pAEj6P:+n6bazjovoyoHfX3/GYH4

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkit

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 19 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1294b82b257fcd3d2238d1e7b53dab6f180411c7e0ec52eb4d4e4a2855822a2.exe
    "C:\Users\Admin\AppData\Local\Temp\c1294b82b257fcd3d2238d1e7b53dab6f180411c7e0ec52eb4d4e4a2855822a2.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4304
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4040
    • C:\Users\Admin\AppData\Local\Temp\c1294b82b257fcd3d2238d1e7b53dab6f180411c7e0ec52eb4d4e4a2855822a2.exe
      "C:\Users\Admin\AppData\Local\Temp\c1294b82b257fcd3d2238d1e7b53dab6f180411c7e0ec52eb4d4e4a2855822a2.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3976
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3488
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1444
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3392
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4316
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2856
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4052
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:744
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1036
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5104
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4940
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:1268

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1qadpza0.t5x.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      8f92e8e1c57cd8bcbcd56de0e075085e

      SHA1

      1aa86842113fd1b019b02675458dc90af1605c9f

      SHA256

      963be6accab9ff9035ebd4cc10c78a1cd7a0863d46b707e7a0f391eaff876f05

      SHA512

      e638bf92c14dc5b90af5a0f6c47373e178946d116b7ab60334f083c95d8df29d5356be879c2544086192d49fb0047584db98b3d447e4da2d4a3470ea501759b5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      52e82a6a4569b2f6f3faad6627db1fa3

      SHA1

      3ddec3e29649cec50b7157a5d2e67ea0ed9e9384

      SHA256

      b176bde2dba8a8d252d6b765155b3c0246b941a9f4fdcae66c8695fc16ec4f9d

      SHA512

      2f379de7ef20d1e132103aa90160113dc5c76f2e7c50bf10ec161f536ced70f30fb5bc2aa77814fb291d68b08c0e93b53fe2d94dde50a5758e96c6b118928012

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      9e6ee2ab1a9a7e581ba63d9f58b87b75

      SHA1

      6aeb218d25d46e56e38739e0db87ade94f063baf

      SHA256

      7a248fc3b4f4a8a2eabfc646fa4ebb4be6fd6723ed07cf9e371a3693a5767cb1

      SHA512

      304f2af845a4b4e93440403db20420b9edba7b22814ad9f2f8f1acb7bb19eac89516619c2da1433eee191a2734b1a3a8e51afad63a427f214c8f20a3c23212a4

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      6662031b6da37e202fa17a88a82c622a

      SHA1

      dff440e17c8103dc04d18abdce15215a49630f9c

      SHA256

      35cb9e0a717f90f536e4f41f7716000a28e8cf2608962f1fc5c31c9b6a1ae311

      SHA512

      975b7abdf359817dcf29422c1168a47a0a847c8d5afc0a799efc0f1064ceb303a06d7c62a94f1229fd3ef67b930ee88e03b657a1bc3f699da5f8d11aed7307b6

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      14c1dca9a45962d1ad7dab65d06a6324

      SHA1

      a97786ed7c755dc68a1216461a26e880b2e61228

      SHA256

      ea79e1cb9f52d0939a3422e85ed4874aed8bd5f596d676fb53c9492db6460f44

      SHA512

      dc5ce0a2c0d39455b8437ef30ccad7956e508423cd41c1ba58c285ad7bae64fab90491c6a10250d1a71f1c59e6f75e81fca585d839fa58ae37eeb8e2e0c7c10f

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      bfdcd054dc39209e7aa494194c41cd68

      SHA1

      b384b9076668c6da2ddc756d50e8fdaf75014933

      SHA256

      c1294b82b257fcd3d2238d1e7b53dab6f180411c7e0ec52eb4d4e4a2855822a2

      SHA512

      f1bd66a230540d33f580be662e2f84750d77b1e0329127bf49207088746901bb831755aaaf000b48ce5645455433c4a80cddbf1237f0867b9b5cdfad8cf0f718

      Download Submit

    • memory/1036-176-0x000000006FEE0000-0x000000006FF2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1036-177-0x0000000070670000-0x00000000709C4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1036-175-0x0000000006680000-0x00000000066CC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1036-187-0x00000000075A0000-0x0000000007643000-memory.dmp

      Filesize

      652KB

      Download

    • memory/1036-188-0x0000000007710000-0x0000000007721000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1036-189-0x0000000006130000-0x0000000006144000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1036-164-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2024-223-0x0000000000400000-0x0000000002364000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/2024-226-0x0000000000400000-0x0000000002364000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/2024-220-0x0000000000400000-0x0000000002364000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/2024-221-0x0000000000400000-0x0000000002364000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/2024-222-0x0000000000400000-0x0000000002364000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/2024-224-0x0000000000400000-0x0000000002364000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/2024-225-0x0000000000400000-0x0000000002364000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/2024-228-0x0000000000400000-0x0000000002364000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/2024-227-0x0000000000400000-0x0000000002364000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/2024-231-0x0000000000400000-0x0000000002364000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/2024-230-0x0000000000400000-0x0000000002364000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/2024-219-0x0000000000400000-0x0000000002364000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/2024-229-0x0000000000400000-0x0000000002364000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/2388-134-0x0000000000400000-0x0000000002364000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/2856-160-0x0000000007510000-0x00000000075B3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/2856-148-0x0000000006680000-0x00000000066CC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2856-147-0x0000000006030000-0x0000000006384000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2856-149-0x000000006FFC0000-0x000000007000C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2856-150-0x0000000070140000-0x0000000070494000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2856-161-0x0000000007880000-0x0000000007891000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2856-162-0x0000000005C50000-0x0000000005C64000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3392-95-0x0000000006510000-0x0000000006864000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3392-98-0x00000000701E0000-0x0000000070534000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3392-97-0x0000000070060000-0x00000000700AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3976-69-0x0000000070060000-0x00000000700AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3976-70-0x0000000070800000-0x0000000070B54000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3976-80-0x0000000006E00000-0x0000000006EA3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/3976-81-0x0000000007100000-0x0000000007111000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3976-82-0x0000000007150000-0x0000000007164000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3976-63-0x0000000005580000-0x00000000058D4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3976-68-0x0000000006140000-0x000000000618C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4040-23-0x0000000006700000-0x000000000674C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4040-27-0x0000000007880000-0x000000000789A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4040-4-0x00000000740CE000-0x00000000740CF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4040-5-0x00000000030D0000-0x0000000003106000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4040-7-0x00000000740C0000-0x0000000074870000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4040-6-0x0000000005A40000-0x0000000006068000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4040-53-0x00000000740C0000-0x0000000074870000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4040-50-0x0000000007E30000-0x0000000007E38000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4040-49-0x0000000007E40000-0x0000000007E5A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4040-48-0x0000000007E00000-0x0000000007E14000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4040-47-0x0000000007DF0000-0x0000000007DFE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4040-46-0x0000000007DB0000-0x0000000007DC1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4040-45-0x0000000008560000-0x00000000085F6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4040-44-0x0000000007D90000-0x0000000007D9A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4040-28-0x0000000007C40000-0x0000000007C72000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4040-43-0x0000000007CA0000-0x0000000007D43000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4040-42-0x00000000740C0000-0x0000000074870000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4040-41-0x0000000007C80000-0x0000000007C9E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4040-31-0x00000000706A0000-0x00000000709F4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4040-30-0x00000000740C0000-0x0000000074870000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4040-29-0x000000006FF60000-0x000000006FFAC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4040-8-0x00000000740C0000-0x0000000074870000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4040-26-0x0000000007EE0000-0x000000000855A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4040-9-0x0000000005700000-0x0000000005722000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4040-25-0x00000000077E0000-0x0000000007856000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4040-10-0x00000000058A0000-0x0000000005906000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4040-11-0x0000000006070000-0x00000000060D6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4040-24-0x0000000006BF0000-0x0000000006C34000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4040-21-0x00000000060E0000-0x0000000006434000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4040-22-0x00000000066C0000-0x00000000066DE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4304-1-0x0000000004030000-0x0000000004434000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4304-57-0x0000000004440000-0x0000000004D2B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4304-55-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4304-54-0x0000000000400000-0x0000000002364000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/4304-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4304-2-0x0000000004440000-0x0000000004D2B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4316-120-0x0000000070800000-0x0000000070B54000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4316-119-0x0000000070060000-0x00000000700AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5104-203-0x0000000070060000-0x00000000703B4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5104-202-0x000000006FEE0000-0x000000006FF2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5104-200-0x0000000006140000-0x0000000006494000-memory.dmp

      Filesize

      3.3MB

      Download