Overview

overview

10

Static

static

1

5edd03b5dd...6d.exe

windows7-x64

10

5edd03b5dd...6d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-08-2024 09:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5edd03b5ddbf162a0e63c16d7d579433d11f34e199fcbdcb7fbeb581ff3af86d.exe

  • Size

    4.1MB

  • MD5

    2857da9224b13fed53a8a164b68378c2

  • SHA1

    249f40f1880247a5195c2d05be4611f2dc3e59ef

  • SHA256

    5edd03b5ddbf162a0e63c16d7d579433d11f34e199fcbdcb7fbeb581ff3af86d

  • SHA512

    0762a209bd2dd2dea9ab309b03fc54b1bc57dc39c3132d2cb77aea1ae8d36ebd733eae7470a41b8901c7d6333bafa14f11ee75d5f563ac08eb1a2a3a17aaa682

  • SSDEEP

    98304:wX9T5zY+neAgaWGUopMVtlg/ngaxdvvigMwWx:U9+TAmopMOgafvPTWx

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistenceprivilege_escalationrootkit

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 20 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\5edd03b5ddbf162a0e63c16d7d579433d11f34e199fcbdcb7fbeb581ff3af86d.exe
    "C:\Users\Admin\AppData\Local\Temp\5edd03b5ddbf162a0e63c16d7d579433d11f34e199fcbdcb7fbeb581ff3af86d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3608
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4084
    • C:\Users\Admin\AppData\Local\Temp\5edd03b5ddbf162a0e63c16d7d579433d11f34e199fcbdcb7fbeb581ff3af86d.exe
      "C:\Users\Admin\AppData\Local\Temp\5edd03b5ddbf162a0e63c16d7d579433d11f34e199fcbdcb7fbeb581ff3af86d.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1640
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1512
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2768
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4640
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4260
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2396
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2260
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1196
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:4916
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1672
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3580
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4348
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1108

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Event Triggered Execution

    1
    T1546

    Netsh Helper DLL

    1
    T1546.007

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qdibkoky.01p.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      3d086a433708053f9bf9523e1d87a4e8

      SHA1

      b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

      SHA256

      6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

      SHA512

      931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      878a37a0e8cf377f854179646979dde9

      SHA1

      09e3bd0e85e5dc44334e4c03465d1bc2f9e157b8

      SHA256

      0be371ad8d8d2de89141255b212c3502a7797a4461d24d7cb3eb88f2f20211da

      SHA512

      cab8d46464b8d0541953bf6e9e40ae672ca7493099623c6b18e95a9002f3b227d946c0f7ed65487d18bd5c069ed6482f32e4412b394173da79eb5d4d20124b40

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      f1dcf7a76a372d762efa6edde8cfe9d1

      SHA1

      3faca30138b989958872d4331e8407f515162fb4

      SHA256

      1db94b662f4bbcedb533d5cae30d89f07f49a7eb03a1291bfae9608cb6c09b98

      SHA512

      0994895716b0083ab714b87607f632b5df9fed0475a3abc600e685bde75a5b8e60280e2dcc88eb3f1c494c78f21a714bf00b3f8ab724cdf9a0140d8da7da7883

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      7859b9e84ebe3de0224850b15c423baa

      SHA1

      18371932002c594ed856b4dfc6acfd0a7f1a549a

      SHA256

      e81e5f28f906285252d8f723c9538d88729d64cb4df4e5a07802c86d70e2c155

      SHA512

      ea6b2bd11d740e2cc9c58cc633a649dd4a7e14a3ebf34f9c834f0df13d6e86dfad5878b2003fcbd20c6f0ae885b5954e5b820582009c385fe7661c2fc221a906

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      253352f52494aa2625aa28d75f4ce01d

      SHA1

      6746802901d347be6daa9b62f20fc11559350220

      SHA256

      bb22c24eefcd6e7716f4249100d5cc69bd3fce3f5ff1d73098457e372087baed

      SHA512

      e921044075a0a568c55121f5aef4febf2db7b5edd71be69c8b6bffd94acf9a27414fff46efb570513d344f55e4ea40c84ddffbd07d31b88786bda2d48baa03bb

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      4d15a7f6aa6ff6a27163a44a0e25c924

      SHA1

      590852e0fe6f274a58f3ce3f1b964cf5b2114097

      SHA256

      2bd0edf15a347611f0ea173e32cfdaf21c1efc010612fb9a7f5c3a0346c87fd3

      SHA512

      7eecfa8d9e0a640f38e966665b004150c59592f28409076613eaf3f83ae16978f35c45f7b8e08c013085224c6860279bef0552831ac36e380996b3a8055ff8d9

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      2857da9224b13fed53a8a164b68378c2

      SHA1

      249f40f1880247a5195c2d05be4611f2dc3e59ef

      SHA256

      5edd03b5ddbf162a0e63c16d7d579433d11f34e199fcbdcb7fbeb581ff3af86d

      SHA512

      0762a209bd2dd2dea9ab309b03fc54b1bc57dc39c3132d2cb77aea1ae8d36ebd733eae7470a41b8901c7d6333bafa14f11ee75d5f563ac08eb1a2a3a17aaa682

      Download Submit

    • memory/1640-69-0x0000000006220000-0x0000000006574000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1640-83-0x0000000007D70000-0x0000000007D84000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1640-82-0x0000000007D20000-0x0000000007D31000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1640-81-0x0000000007A20000-0x0000000007AC3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/1640-71-0x0000000070C70000-0x0000000070FC4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1640-70-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1672-174-0x0000000070A10000-0x0000000070A5C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1672-187-0x0000000005A90000-0x0000000005AA4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1672-171-0x0000000005C30000-0x0000000005F84000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1672-173-0x0000000006060000-0x00000000060AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1672-175-0x0000000070B90000-0x0000000070EE4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1672-185-0x0000000007280000-0x0000000007323000-memory.dmp

      Filesize

      652KB

      Download

    • memory/1672-186-0x00000000075B0000-0x00000000075C1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2260-150-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2260-151-0x0000000070C70000-0x0000000070FC4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2396-237-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2396-234-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2396-231-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2396-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2396-225-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2396-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2396-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2396-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2396-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2396-240-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2396-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2396-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2460-200-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2460-59-0x0000000002BA0000-0x0000000002FA3000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2460-120-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2460-133-0x0000000002BA0000-0x0000000002FA3000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3580-201-0x0000000070A10000-0x0000000070A5C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3580-198-0x00000000056E0000-0x0000000005A34000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3580-202-0x0000000071160000-0x00000000714B4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3608-57-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3608-1-0x00000000029D0000-0x0000000002DD1000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3608-42-0x00000000029D0000-0x0000000002DD1000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3608-43-0x0000000002DE0000-0x00000000036CB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/3608-56-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3608-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3608-2-0x0000000002DE0000-0x00000000036CB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4084-51-0x00000000080B0000-0x00000000080CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4084-46-0x0000000008010000-0x00000000080A6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4084-26-0x00000000080D0000-0x000000000874A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4084-27-0x0000000007A50000-0x0000000007A6A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4084-30-0x0000000074C50000-0x0000000075400000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4084-6-0x0000000074C50000-0x0000000075400000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4084-5-0x00000000032D0000-0x0000000003306000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4084-29-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4084-8-0x0000000074C50000-0x0000000075400000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4084-31-0x0000000070EA0000-0x00000000711F4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4084-4-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4084-9-0x00000000058B0000-0x00000000058D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4084-10-0x0000000006130000-0x0000000006196000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4084-11-0x0000000006250000-0x00000000062B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4084-21-0x00000000062C0000-0x0000000006614000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4084-22-0x0000000006870000-0x000000000688E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4084-23-0x0000000006920000-0x000000000696C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4084-24-0x0000000006DC0000-0x0000000006E04000-memory.dmp

      Filesize

      272KB

      Download

    • memory/4084-55-0x0000000074C50000-0x0000000075400000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4084-52-0x0000000007FF0000-0x0000000007FF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4084-25-0x00000000079D0000-0x0000000007A46000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4084-50-0x0000000007FC0000-0x0000000007FD4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4084-49-0x0000000007FB0000-0x0000000007FBE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4084-48-0x0000000074C50000-0x0000000075400000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4084-47-0x0000000007F70000-0x0000000007F81000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4084-7-0x0000000005B00000-0x0000000006128000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4084-45-0x0000000007F50000-0x0000000007F5A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4084-28-0x0000000007E00000-0x0000000007E32000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4084-44-0x0000000007E60000-0x0000000007F03000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4084-41-0x0000000007E40000-0x0000000007E5E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4260-122-0x0000000071270000-0x00000000715C4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4260-121-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4640-96-0x0000000005E30000-0x0000000006184000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4640-98-0x0000000070AF0000-0x0000000070B3C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4640-99-0x0000000071270000-0x00000000715C4000-memory.dmp

      Filesize

      3.3MB

      Download