Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06/10/2023, 10:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a0de394c88d8afa6ed0341660f11c72498bfa701f68fe369ec21a08388c77e8.exe

  • Size

    4.2MB

  • MD5

    3662e78734c099ef064c3ba163e12e85

  • SHA1

    a0ff10f57eaf34e085a06b01f5e366c29e9ec269

  • SHA256

    2a0de394c88d8afa6ed0341660f11c72498bfa701f68fe369ec21a08388c77e8

  • SHA512

    8ce0f2972bc93bd673cd71e23719c627bda54efa799f3958a6be13d6b7ba1bbfd5da63b80be2dd3f34d825ae9a78eb665f34d86a4a68fd097c5673f568d3a606

  • SSDEEP

    98304:mfntmAf7xsSzrKtyGeV4GzPQK9NoUFOsXwk3mPL8TJ2htI:8m6xfm7eHPQK9No49XwkWPVtI

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojanupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 23 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a0de394c88d8afa6ed0341660f11c72498bfa701f68fe369ec21a08388c77e8.exe
    "C:\Users\Admin\AppData\Local\Temp\2a0de394c88d8afa6ed0341660f11c72498bfa701f68fe369ec21a08388c77e8.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3012
    • C:\Users\Admin\AppData\Local\Temp\2a0de394c88d8afa6ed0341660f11c72498bfa701f68fe369ec21a08388c77e8.exe
      "C:\Users\Admin\AppData\Local\Temp\2a0de394c88d8afa6ed0341660f11c72498bfa701f68fe369ec21a08388c77e8.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4296
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1920
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3416
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1500
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4500
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3620
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3596
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:32
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2996
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2896
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4296
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2404
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3400
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:3112
          • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
            4⤵
            • Executes dropped EXE
            PID:1836
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:3412

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0knedkt.xqh.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      Filesize

      3.2MB

      MD5

      f801950a962ddba14caaa44bf084b55c

      SHA1

      7cadc9076121297428442785536ba0df2d4ae996

      SHA256

      c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

      SHA512

      4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
      Filesize

      3.2MB

      MD5

      f801950a962ddba14caaa44bf084b55c

      SHA1

      7cadc9076121297428442785536ba0df2d4ae996

      SHA256

      c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

      SHA512

      4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      c23630e0b4fe9facab7e70edfc49a8ef

      SHA1

      46d43587dc91800ae9d340d010f34f20f42c63f4

      SHA256

      df24da3de45300c97c846a4fd19a8d451d92a9b9025e166d7fd5b5fa64be1dfa

      SHA512

      960a57ed0ae5e59d924221c57e522c62eec9e50fad13ecc93d629cae065d43b5aaa10539ef934a97c6efaa374d42fa17d03e54099932bd45d4e178e4850b08a6

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      260e3368b75fe0c8f3456496ec427478

      SHA1

      48bf68630868b08dc6135d2fcd28393a45c75e50

      SHA256

      20b8d1b8fce8433d9d1484fc23349fd27b26ab1488a35025f99635d6a5680f30

      SHA512

      4e385eb62a2a61027a825afef2197a86729c45dc7f9eb34fb0ab34a386ddc8c4d726d4a2c42161c3ad7b77e7cb08adb3b6252ee4a2fb392722e82f84bb22fa48

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      6dfe510ca3f013348acc176ffeba33e1

      SHA1

      6d24247699f1d5173743c6a58417248a0a784ced

      SHA256

      0e93bd56b8c80bf31278ffc93d61f9707fac9d607a8508f55abb62197ec40885

      SHA512

      fc058b6f0bc69b515f583e9e2c9e22863600a02269cd41cfabdddc3cf7f0d6324a6262362f57ecc983d22af786a8ba1c2150ca082dc4f4ec99c58b0dc2858706

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      8feec192c62b90c5c4f35fae82e641a6

      SHA1

      cdd21470953d6a74a78ac28d1f244176dd2b3c71

      SHA256

      7f2d4a93aa3034f2bf866765c8f9aa990d9abf37dbecc6ab94fe9e11e0bb3f4d

      SHA512

      3e24fd73b68c84d83197748eac5a7aad79778ec95059eb22f4b384ef9b88162940dc332795cf70dbff0fdd3c3fa9e077bdb54ac3dade199badd6b07105d3341c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      5fd541363fd17aa198b56c87b754b3c1

      SHA1

      73b749b52cadc7f93960758803d9131fa6575375

      SHA256

      32ddde757fd2d9bb63bc234e5df4f414d47846ed446e52cc97dd14baa8a99bd6

      SHA512

      401a1281eeb45457480c695c0dc15c9768503fe747049586f7953b51e40da8005f62db7809d882532f38b0bf4a4457f6cd9130f6c45db185bcc9f83700e4c800

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      3662e78734c099ef064c3ba163e12e85

      SHA1

      a0ff10f57eaf34e085a06b01f5e366c29e9ec269

      SHA256

      2a0de394c88d8afa6ed0341660f11c72498bfa701f68fe369ec21a08388c77e8

      SHA512

      8ce0f2972bc93bd673cd71e23719c627bda54efa799f3958a6be13d6b7ba1bbfd5da63b80be2dd3f34d825ae9a78eb665f34d86a4a68fd097c5673f568d3a606

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      3662e78734c099ef064c3ba163e12e85

      SHA1

      a0ff10f57eaf34e085a06b01f5e366c29e9ec269

      SHA256

      2a0de394c88d8afa6ed0341660f11c72498bfa701f68fe369ec21a08388c77e8

      SHA512

      8ce0f2972bc93bd673cd71e23719c627bda54efa799f3958a6be13d6b7ba1bbfd5da63b80be2dd3f34d825ae9a78eb665f34d86a4a68fd097c5673f568d3a606

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/1388-26-0x0000000004370000-0x0000000004776000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1388-67-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/1388-68-0x0000000004780000-0x000000000506B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/1388-71-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/1388-3-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/1388-305-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/1388-2-0x0000000004780000-0x000000000506B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/1388-302-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/1388-1-0x0000000004370000-0x0000000004776000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1500-810-0x0000000072EE0000-0x00000000735CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1500-1051-0x0000000072EE0000-0x00000000735CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1500-812-0x0000000006F00000-0x0000000006F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1500-838-0x0000000006F00000-0x0000000006F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1500-811-0x0000000006F00000-0x0000000006F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1500-832-0x000000006FC10000-0x000000006FC5B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1500-833-0x000000006FC60000-0x000000006FFB0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2404-1815-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2576-790-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/2576-308-0x00000000046C0000-0x0000000004FAB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/2576-309-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/2576-1055-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/2576-307-0x00000000041B0000-0x00000000045B6000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2576-412-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/2900-1807-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/2900-1310-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/2900-1824-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/2900-1822-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/2900-1835-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/2900-1820-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/2900-1818-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/2900-1826-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/2900-1058-0x0000000004900000-0x0000000004CF9000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2900-1816-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/2900-1587-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/2900-1059-0x0000000000400000-0x0000000002676000-memory.dmp

      Filesize

      34.5MB

      Download

    • memory/3012-79-0x000000006FB40000-0x000000006FE90000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3012-80-0x0000000009C10000-0x0000000009C2E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3012-9-0x00000000072A0000-0x00000000078C8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3012-7-0x0000000004B70000-0x0000000004B80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3012-8-0x0000000004AB0000-0x0000000004AE6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3012-6-0x0000000072DE0000-0x00000000734CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3012-10-0x00000000070F0000-0x0000000007112000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3012-304-0x0000000072DE0000-0x00000000734CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3012-285-0x000000000A0C0000-0x000000000A0C8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3012-280-0x000000000A0D0000-0x000000000A0EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3012-87-0x000000000A130000-0x000000000A1C4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/3012-86-0x0000000004B70000-0x0000000004B80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3012-85-0x0000000009FB0000-0x000000000A055000-memory.dmp

      Filesize

      660KB

      Download

    • memory/3012-11-0x00000000078D0000-0x0000000007936000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3012-78-0x000000006FAF0000-0x000000006FB3B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3012-77-0x0000000009C50000-0x0000000009C83000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3012-75-0x0000000072DE0000-0x00000000734CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3012-66-0x00000000090F0000-0x0000000009166000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3012-35-0x0000000008590000-0x00000000085CC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3012-15-0x0000000008490000-0x00000000084DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3012-14-0x0000000007F70000-0x0000000007F8C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3012-13-0x0000000007BC0000-0x0000000007F10000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3012-12-0x0000000007B20000-0x0000000007B86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3412-1817-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3412-1834-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3412-1821-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3416-564-0x0000000072EE0000-0x00000000735CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3416-565-0x0000000007190000-0x00000000071A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3416-566-0x0000000007190000-0x00000000071A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3416-807-0x0000000072EE0000-0x00000000735CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3416-593-0x0000000007190000-0x00000000071A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3416-588-0x000000006FC80000-0x000000006FFD0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3416-587-0x000000006FC10000-0x000000006FC5B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3416-567-0x0000000007F00000-0x0000000008250000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4296-550-0x00000000053C0000-0x00000000053D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4296-337-0x000000006FC60000-0x000000006FFB0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4296-560-0x0000000072EE0000-0x00000000735CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4296-312-0x0000000072EE0000-0x00000000735CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4296-542-0x0000000072EE0000-0x00000000735CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4296-343-0x00000000053C0000-0x00000000053D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4296-342-0x0000000009DA0000-0x0000000009E45000-memory.dmp

      Filesize

      660KB

      Download

    • memory/4296-314-0x00000000053C0000-0x00000000053D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4296-336-0x000000006FC10000-0x000000006FC5B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4296-335-0x000000007EF50000-0x000000007EF60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4296-316-0x0000000008D50000-0x0000000008D9B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4296-315-0x00000000083E0000-0x0000000008730000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4296-313-0x00000000053C0000-0x00000000053D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4500-1062-0x0000000072E40000-0x000000007352E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4500-1063-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

      Filesize

      64KB

      Download