Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    303s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24-05-2024 00:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    942893be9543258a4290f15162e51847b081f46aad850c902cb5ace6244af9f6.exe

  • Size

    4.1MB

  • MD5

    3600b9a82907a9f072c5086fdc376220

  • SHA1

    0553de1e76929adf821c5d78516a8ad2a86eb503

  • SHA256

    942893be9543258a4290f15162e51847b081f46aad850c902cb5ace6244af9f6

  • SHA512

    1389f017f0ff4cb31d068a1f9add60cd0f1670a271ab8463ed5a68e65464f9e60943a9daa48a6cc9ad9fe42d38a80cd123ac51ff8b7bb4aa6a0f22ac7291a5a5

  • SSDEEP

    98304:MxfL9oyIkrku4AJMBJNRxIbk0RddEjk9Pc8cg301s2mGvl:6RrVrv4XbNRWhj2o9k8f3CspGvl

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkittrojan

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 34 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\942893be9543258a4290f15162e51847b081f46aad850c902cb5ace6244af9f6.exe
    "C:\Users\Admin\AppData\Local\Temp\942893be9543258a4290f15162e51847b081f46aad850c902cb5ace6244af9f6.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3424
    • C:\Users\Admin\AppData\Local\Temp\942893be9543258a4290f15162e51847b081f46aad850c902cb5ace6244af9f6.exe
      "C:\Users\Admin\AppData\Local\Temp\942893be9543258a4290f15162e51847b081f46aad850c902cb5ace6244af9f6.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4224
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4344
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:64
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:2080
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:508
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4208
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3228
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4500
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2560
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:1416
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1816
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4624
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3452
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:3608

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Impair Defenses

    3
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gezm21wk.dg1.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      db01a2c1c7e70b2b038edf8ad5ad9826

      SHA1

      540217c647a73bad8d8a79e3a0f3998b5abd199b

      SHA256

      413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

      SHA512

      c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      a66591cf7ec3a0dca9c3c7cfaf169d9c

      SHA1

      a77c7360fa944744825db06e7c646adbe21a746e

      SHA256

      233eab7abaa8afed5de70aed127b8d921b91f560a1ab271a880ed81338448acd

      SHA512

      05ee119eb0c21898679b31eb49fdf24bf773e7f9798d38ea713941d8bb8c58c7c1e08989c480755c7c352a58d1b84516c8be5306edf2de3fce4ab75a94798eac

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      9a3df805fc1623b1e0c566e52451f6c3

      SHA1

      5b6165188b0b87953cb35f0d3cb3b36b9e9fd70a

      SHA256

      c4b11c910067c18cf210f38de88f044f3a38342fb29424fd35eff618f95d6cb4

      SHA512

      b0c42586deed64e3d20575da87e86a56bb71a9790a7db740f8d3fe38836f3f948456c7b2f54b49e3f336cff8743d13d42cf327b9735a83ba21ae8acb7a078143

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      3fe753ce1eb1dc0f30e50437ddba99cd

      SHA1

      e0efa275831ecd7780d6851f0995ac2fc3356946

      SHA256

      16d2976f123cdf903410e0b317fbe52e1543bb6a74b91f5ec33ab44c02c28d3d

      SHA512

      e87e1e56c8dad27f5640420d7bb74c57214e5b8defe2126e735d24cbb0bcefe2bd1b67c7695f2869be698e7b1d14a5593d655cb07321db61a4ba005bf1930e18

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      c81cae171868e1d0f6c89bda0fb1b292

      SHA1

      2bac70fdf60359ab05e1d47bb253415ff213a8fd

      SHA256

      fbf917a48e7b7ceab66c990a6a9d25c312d5295c84c9df53b07515c3d6ee9f66

      SHA512

      343f77d502ec6faaf045ab31a50068cb04450d6781e7052feaa2a740c88d6742a981069ab638eaff7f8eee99816ba2a97a4738856bdc18ac4af83a735a41e242

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      183cc98fcac54971ba9fa2b04e430284

      SHA1

      324cfa60627cfcff9cd8bf6be6cd51743ce72809

      SHA256

      34524854cd9e871733ca0eba359c14d15981c0f0564a9aba38e9965734872eed

      SHA512

      2e1f19e836e17c8cb16f98591cf733166ade0102a3ca00e9a977dc4eaf11ac4063d7706403878f287a082fc2087758a4e9acfef00626f9cde57f7741bf8f6149

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      3600b9a82907a9f072c5086fdc376220

      SHA1

      0553de1e76929adf821c5d78516a8ad2a86eb503

      SHA256

      942893be9543258a4290f15162e51847b081f46aad850c902cb5ace6244af9f6

      SHA512

      1389f017f0ff4cb31d068a1f9add60cd0f1670a271ab8463ed5a68e65464f9e60943a9daa48a6cc9ad9fe42d38a80cd123ac51ff8b7bb4aa6a0f22ac7291a5a5

      Download Submit

    • memory/508-572-0x0000000070A00000-0x0000000070D50000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/508-551-0x0000000008090000-0x00000000083E0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/508-571-0x0000000070990000-0x00000000709DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1816-1299-0x0000000070840000-0x000000007088B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1816-1278-0x0000000007900000-0x0000000007C50000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1816-1305-0x0000000009080000-0x0000000009125000-memory.dmp

      Filesize

      660KB

      Download

    • memory/1816-1300-0x00000000708B0000-0x0000000070C00000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1816-1280-0x0000000007EF0000-0x0000000007F3B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2920-285-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/2920-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2920-2-0x0000000004BE0000-0x00000000054CB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/2920-301-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/2920-304-0x0000000004BE0000-0x00000000054CB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/2920-1-0x00000000047E0000-0x0000000004BDA000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2920-303-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2920-298-0x00000000047E0000-0x0000000004BDA000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3228-1778-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1774-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1767-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1769-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1770-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1771-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1766-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1765-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1764-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1763-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1772-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1535-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1773-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1768-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1775-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1776-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1777-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1779-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1780-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1781-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1782-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1783-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1784-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1785-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1786-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3228-1787-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/3424-82-0x000000000A9B0000-0x000000000AA44000-memory.dmp

      Filesize

      592KB

      Download

    • memory/3424-15-0x0000000008460000-0x000000000847C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3424-6-0x0000000073B6E000-0x0000000073B6F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3424-7-0x0000000007350000-0x0000000007386000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3424-8-0x0000000073B60000-0x000000007424E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3424-9-0x0000000007AD0000-0x00000000080F8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3424-10-0x0000000073B60000-0x000000007424E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3424-11-0x0000000007A20000-0x0000000007A42000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3424-12-0x0000000008100000-0x0000000008166000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3424-13-0x0000000008170000-0x00000000081D6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3424-14-0x0000000008500000-0x0000000008850000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3424-16-0x0000000008B00000-0x0000000008B4B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3424-35-0x0000000008D60000-0x0000000008D9C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3424-66-0x0000000009970000-0x00000000099E6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3424-73-0x000000000A750000-0x000000000A783000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3424-74-0x0000000070870000-0x00000000708BB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3424-75-0x00000000708C0000-0x0000000070C10000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3424-300-0x0000000073B60000-0x000000007424E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3424-280-0x0000000008B70000-0x0000000008B78000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3424-275-0x0000000008B80000-0x0000000008B9A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3424-81-0x000000000A790000-0x000000000A835000-memory.dmp

      Filesize

      660KB

      Download

    • memory/3424-76-0x000000000A730000-0x000000000A74E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4208-810-0x0000000070990000-0x00000000709DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4208-811-0x0000000070A00000-0x0000000070D50000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4224-547-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/4224-1031-0x0000000000400000-0x0000000002B0D000-memory.dmp

      Filesize

      39.1MB

      Download

    • memory/4344-308-0x0000000008AF0000-0x0000000008B3B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4344-327-0x0000000070990000-0x00000000709DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4344-328-0x00000000709E0000-0x0000000070D30000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4344-333-0x0000000009C30000-0x0000000009CD5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/4344-307-0x0000000008240000-0x0000000008590000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4500-1036-0x00000000073B0000-0x0000000007700000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4500-1063-0x0000000009010000-0x00000000090B5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/4500-1038-0x0000000007C10000-0x0000000007C5B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4500-1057-0x00000000708F0000-0x000000007093B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4500-1058-0x0000000070960000-0x0000000070CB0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4624-1540-0x0000000070840000-0x000000007088B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4624-1541-0x00000000708B0000-0x0000000070C00000-memory.dmp

      Filesize

      3.3MB

      Download