Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    299s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10/10/2023, 03:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    977a2e45c0d236baf1ecdd444e9ce0617f4959006d98f7e087adc7729c9894b2.exe

  • Size

    4.1MB

  • MD5

    b46d217c0d5c4c03782f888c14494f9a

  • SHA1

    77ccfcee0e3c798c47072bf69647b154cd2e92f9

  • SHA256

    977a2e45c0d236baf1ecdd444e9ce0617f4959006d98f7e087adc7729c9894b2

  • SHA512

    2ae80257125cbb6f8b3f6f53751567c2b9b032b0e71656bbf69565f785e9fa4788fb91bc6450ff8cce8dfaebf54c00a10a00dc045ab41d68d9384646b64c41c0

  • SSDEEP

    98304:rP9dSxW/w3gvzHy8a/x5Aa8V5QELTGRVPw/uqGXKZAotd6Kb5tBagOS46FiH7:L9dSxE0QzS8a/MD5QsiRBYC6ZNtdt5t6

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkittrojanupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 18 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\977a2e45c0d236baf1ecdd444e9ce0617f4959006d98f7e087adc7729c9894b2.exe
    "C:\Users\Admin\AppData\Local\Temp\977a2e45c0d236baf1ecdd444e9ce0617f4959006d98f7e087adc7729c9894b2.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:376
    • C:\Users\Admin\AppData\Local\Temp\977a2e45c0d236baf1ecdd444e9ce0617f4959006d98f7e087adc7729c9894b2.exe
      "C:\Users\Admin\AppData\Local\Temp\977a2e45c0d236baf1ecdd444e9ce0617f4959006d98f7e087adc7729c9894b2.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4544
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          • Modifies data under HKEY_USERS
          PID:4260
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4372
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3460
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4544
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:2792
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4696
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4464
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3808
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:1412
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2364
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4140
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:4768
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:4380

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_va3gorbr.tga.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      db01a2c1c7e70b2b038edf8ad5ad9826

      SHA1

      540217c647a73bad8d8a79e3a0f3998b5abd199b

      SHA256

      413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

      SHA512

      c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      a59dae61889c7e9788f000f124e5a36d

      SHA1

      4fa50d479afacc99e579cc751821543d2c395a29

      SHA256

      9b252115a51637ee8a34b198dfa915a32cf563b48c5101eaaeace436393809ab

      SHA512

      7db9bd535f7a9b5a10988b02d98eb1475198646ab3eff29d82a54241cde66fff8b469f9792afaad25f2f91c976f50b7bb386f9248c70e53a78ed24852192032c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      81daacf4e25a685f69a11544d0c1bf56

      SHA1

      c2e37e6299a480774a2af7e77730217f988bd3a4

      SHA256

      0a6e452d60adf296ffb799188f78a9fdbb7a799820018f3d498f67c5f20ba7cd

      SHA512

      e3f2f06d7dd4e437af4b7d2dd8c7bd11eecd6787277c24a7f7c67da09dbf37f5a3450f6ea41540f69315202b2460f52ae4bd30e9183d6eeacfb555ce5bb0ae6d

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      b487c4dc37eb45e34897b1beec8faa6e

      SHA1

      1c65da8afa39f1f9ea1e2beb7472c2b77afcc54a

      SHA256

      93fb74bb9814e55aa717454b12bbb57845eec3756699d6bac3abae61b698090f

      SHA512

      a619c3aab734350854f1b9735fde3894ed46c4da057aae4a62f5f7a3780079873c930e15955d122c8c1dd6131097eb82f1a310b8bebc343530ec3996c7f5d59c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      327bbc733dac498d55adc7acbccf9517

      SHA1

      9f2b2101440a3cbfa02076a09ca8f3805990288a

      SHA256

      3e69e0e71b0b126c5af784872bc135dd474d53b6c2cc01f8abf43d7a3e0fd913

      SHA512

      242dad1c8116d40615065c75b0f1c1b2c099ec9f41e6d2aac03805aa5491f1b9e147d4bd3573866cd16bf46ebc3e2f8c7e1a9516cf4eca95387408d096f057dd

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      aeaea195de3a3b581cd3d45762a5e541

      SHA1

      e980e5495c0092324ab85215313bb8376e76579b

      SHA256

      8d5bf275a02924dab9974e1a983d5bca6cc4b36d1eeae06661dcafb27fd85ef0

      SHA512

      1e405acb152000dbb826ce05b788bf730769fe671594c61326a99e821670ba329b98b6742646676304ed647285f120eaaf0b1b39876541e5d30aa7904fd1697a

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      b46d217c0d5c4c03782f888c14494f9a

      SHA1

      77ccfcee0e3c798c47072bf69647b154cd2e92f9

      SHA256

      977a2e45c0d236baf1ecdd444e9ce0617f4959006d98f7e087adc7729c9894b2

      SHA512

      2ae80257125cbb6f8b3f6f53751567c2b9b032b0e71656bbf69565f785e9fa4788fb91bc6450ff8cce8dfaebf54c00a10a00dc045ab41d68d9384646b64c41c0

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      b46d217c0d5c4c03782f888c14494f9a

      SHA1

      77ccfcee0e3c798c47072bf69647b154cd2e92f9

      SHA256

      977a2e45c0d236baf1ecdd444e9ce0617f4959006d98f7e087adc7729c9894b2

      SHA512

      2ae80257125cbb6f8b3f6f53751567c2b9b032b0e71656bbf69565f785e9fa4788fb91bc6450ff8cce8dfaebf54c00a10a00dc045ab41d68d9384646b64c41c0

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/376-12-0x0000000007F00000-0x0000000007F66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/376-89-0x00000000739B0000-0x000000007409E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/376-16-0x0000000008990000-0x00000000089DB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/376-67-0x0000000009580000-0x00000000095F6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/376-15-0x00000000083F0000-0x000000000840C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/376-75-0x000000000A390000-0x000000000A3C3000-memory.dmp

      Filesize

      204KB

      Download

    • memory/376-14-0x0000000008010000-0x0000000008360000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/376-77-0x00000000706C0000-0x000000007070B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/376-78-0x000000007F120000-0x000000007F130000-memory.dmp

      Filesize

      64KB

      Download

    • memory/376-79-0x0000000070710000-0x0000000070A60000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/376-80-0x000000000A370000-0x000000000A38E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/376-85-0x000000000A3D0000-0x000000000A475000-memory.dmp

      Filesize

      660KB

      Download

    • memory/376-86-0x000000000A5F0000-0x000000000A684000-memory.dmp

      Filesize

      592KB

      Download

    • memory/376-35-0x0000000009480000-0x00000000094BC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/376-90-0x0000000005180000-0x0000000005190000-memory.dmp

      Filesize

      64KB

      Download

    • memory/376-281-0x000000000A550000-0x000000000A56A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/376-286-0x000000000A530000-0x000000000A538000-memory.dmp

      Filesize

      32KB

      Download

    • memory/376-304-0x00000000739B0000-0x000000007409E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/376-13-0x00000000076F0000-0x0000000007756000-memory.dmp

      Filesize

      408KB

      Download

    • memory/376-11-0x0000000007650000-0x0000000007672000-memory.dmp

      Filesize

      136KB

      Download

    • memory/376-10-0x00000000077D0000-0x0000000007DF8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/376-9-0x0000000005180000-0x0000000005190000-memory.dmp

      Filesize

      64KB

      Download

    • memory/376-8-0x0000000005180000-0x0000000005190000-memory.dmp

      Filesize

      64KB

      Download

    • memory/376-7-0x0000000004BC0000-0x0000000004BF6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/376-6-0x00000000739B0000-0x000000007409E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2204-1056-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2204-1805-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2204-1822-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2204-1055-0x0000000005200000-0x00000000055F9000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2204-1065-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2204-1820-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2204-1818-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2204-1816-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2204-1814-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2204-1555-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2364-1813-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2824-804-0x0000000073AB0000-0x000000007419E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2824-562-0x0000000073AB0000-0x000000007419E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2824-563-0x0000000006A20000-0x0000000006A30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2824-584-0x00000000707E0000-0x000000007082B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2824-585-0x0000000070830000-0x0000000070B80000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2824-590-0x0000000006A20000-0x0000000006A30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2824-564-0x0000000006A20000-0x0000000006A30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2908-307-0x0000000004CE0000-0x00000000050E7000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2908-661-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2908-341-0x0000000004CE0000-0x00000000050E7000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2908-1053-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2908-308-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/2908-333-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/3460-1062-0x0000000007E80000-0x00000000081D0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3460-1061-0x0000000003110000-0x0000000003120000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3460-1060-0x0000000003110000-0x0000000003120000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3460-1059-0x0000000073A10000-0x00000000740FE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4184-305-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/4184-76-0x0000000005170000-0x0000000005A5B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4184-2-0x0000000005170000-0x0000000005A5B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4184-1-0x0000000004D60000-0x0000000005166000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4184-3-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/4184-49-0x0000000004D60000-0x0000000005166000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4184-70-0x0000000000400000-0x0000000002FB3000-memory.dmp

      Filesize

      43.7MB

      Download

    • memory/4372-829-0x00000000707E0000-0x000000007082B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4372-835-0x0000000006D10000-0x0000000006D20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4372-809-0x0000000007D00000-0x0000000008050000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4372-808-0x0000000006D10000-0x0000000006D20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4372-807-0x0000000073AB0000-0x000000007419E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4372-830-0x0000000070850000-0x0000000070BA0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4372-1048-0x0000000073AB0000-0x000000007419E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4380-1819-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4380-1815-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4544-335-0x0000000070830000-0x0000000070B80000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4544-314-0x0000000008C10000-0x0000000008C5B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4544-312-0x0000000007220000-0x0000000007230000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4544-334-0x00000000707E0000-0x000000007082B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4544-558-0x0000000073AB0000-0x000000007419E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4544-311-0x0000000073AB0000-0x000000007419E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4544-548-0x0000000073AB0000-0x000000007419E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4544-343-0x0000000007220000-0x0000000007230000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4544-313-0x0000000008380000-0x00000000086D0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4544-342-0x000000007EE50000-0x000000007EE60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4544-340-0x0000000009BB0000-0x0000000009C55000-memory.dmp

      Filesize

      660KB

      Download