Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2023, 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a94b4d5dda264c9f7112318f5dc6980ba7a0115c63d0543f6ba8b320528f289f.exe

  • Size

    4.1MB

  • MD5

    c49e4510a4cb6efe67a897bc4cce6ea2

  • SHA1

    584f6746b873f4c005e2b3f4d8dcc078e7c511c2

  • SHA256

    a94b4d5dda264c9f7112318f5dc6980ba7a0115c63d0543f6ba8b320528f289f

  • SHA512

    c1a3eaa0829fcbce11a89605aaf50638a095a2eedbdadb635abe4d0cdd8ee59c5ca838f8a5e72fdd2e6e16fc2c997f0d93507f9c3c718b483346584a985ec9df

  • SSDEEP

    98304:7zOheenlRciUj4+ltdZjqyfYnp4ER4lOZoIQvIY8fg8E:7ze8c+LdZjzW8NQfBE

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkitupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 16 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a94b4d5dda264c9f7112318f5dc6980ba7a0115c63d0543f6ba8b320528f289f.exe
    "C:\Users\Admin\AppData\Local\Temp\a94b4d5dda264c9f7112318f5dc6980ba7a0115c63d0543f6ba8b320528f289f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
    • C:\Users\Admin\AppData\Local\Temp\a94b4d5dda264c9f7112318f5dc6980ba7a0115c63d0543f6ba8b320528f289f.exe
      "C:\Users\Admin\AppData\Local\Temp\a94b4d5dda264c9f7112318f5dc6980ba7a0115c63d0543f6ba8b320528f289f.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4128
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:208
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2668
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3268
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4380
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:1172
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:4160
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4332
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4680
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1712
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4364
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:5108
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3644
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:2668
          • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
            4⤵
            • Executes dropped EXE
            PID:100
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /delete /tn "csrss" /f
              5⤵
                PID:2908
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /delete /tn "ScheduledUpdate" /f
                5⤵
                  PID:2904
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 704
              3⤵
              • Program crash
              PID:1904
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 800
            2⤵
            • Program crash
            PID:2896
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3068 -ip 3068
          1⤵
            PID:872
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1320 -ip 1320
            1⤵
              PID:3380
            • C:\Windows\windefender.exe
              C:\Windows\windefender.exe
              1⤵
              • Executes dropped EXE
              • Modifies data under HKEY_USERS
              PID:2820

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hsbk32ax.e2q.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
              Filesize

              3.2MB

              MD5

              f801950a962ddba14caaa44bf084b55c

              SHA1

              7cadc9076121297428442785536ba0df2d4ae996

              SHA256

              c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

              SHA512

              4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
              Filesize

              3.2MB

              MD5

              f801950a962ddba14caaa44bf084b55c

              SHA1

              7cadc9076121297428442785536ba0df2d4ae996

              SHA256

              c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

              SHA512

              4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              Filesize

              99KB

              MD5

              09031a062610d77d685c9934318b4170

              SHA1

              880f744184e7774f3d14c1bb857e21cc7fe89a6d

              SHA256

              778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd

              SHA512

              9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              Filesize

              281KB

              MD5

              d98e33b66343e7c96158444127a117f6

              SHA1

              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

              SHA256

              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

              SHA512

              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              Filesize

              281KB

              MD5

              d98e33b66343e7c96158444127a117f6

              SHA1

              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

              SHA256

              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

              SHA512

              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              3d086a433708053f9bf9523e1d87a4e8

              SHA1

              b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

              SHA256

              6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

              SHA512

              931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              9fe5263de5f02b23efa3c0280ea61b70

              SHA1

              2333e22373fb3e1f848bd53a184207ba3ea271f8

              SHA256

              eb9ce556cf72f4121f3d81563422823db6472f5941f0df6f3e8b26d8aeb529f8

              SHA512

              f76b4cc1d52db48eb6ce7debbb29f752264b60ffa555cab5fbc1ba666c3e707aa518e3e7120816d593a998e0f23ae55f799a9b4109d4b2389718243f85d0ee4d

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              752a39d8e8f950a636fc41ecf4b21778

              SHA1

              e0583a927afda191a2d681066c1b4c7349ea3d02

              SHA256

              d945156531d0de91bf1df440552f939b8249de494fa4426f3c8d3178b551859a

              SHA512

              780d2e45211b8f1b18b6d77f1f5cdf154b698f83e578b7ac009a58649e6c3b30f06b194740e0b4831d96210ea9e60474d14db1755c387c4a81f64e3342737960

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              6b7c1fa94720e2e744a990ec7a43c54a

              SHA1

              90e52214a359918ac853c4f086c9ecce49165a47

              SHA256

              9b8aed415f55d8b3be357a54eec13104698404b3d9e2aca2c52e3df2c0dcdb9e

              SHA512

              b400f98dec6ee4d10954e1c42460698cf1ea99f77ba9927985e1e82fa9eb350b5caae1d8d729344848a7fb5d07861d03a8c0a26766281885a3e8ad667b70011f

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              be3d3fd5e734a3ee4297817bfa0e5c5b

              SHA1

              f5a0b0f10ad18eda74bff47c89fc11064a1e0ae6

              SHA256

              2aeab4f31cc7f1ead9145e500304c22e07896f5466fe8ea06b3108a2447e15f1

              SHA512

              5be49c9d74cb6b7573d9bde4ba0220f7414185033452109f386b5cfb6115d1599776666f6895d9261d2db575fe87b1a15825c8424d083d7627c06471a48b9df9

              Download Submit

            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              02e82a29a4377ee409900ee585505f97

              SHA1

              f4bf2710d83cf52cc3de19b31bb6421a3fb6dfc3

              SHA256

              fdb5352f19576ef77c6a8a8f16929cc91067725b9ead02351d8e8ede94183634

              SHA512

              4ee50cf4c87ce69ffa063c277f7ca18fe624e5a7a9f4b49ff5e4942fb6ce4275c61cf8c12a04efe29c1217ca201bb42523b712a2f41f4b19a3219fa25bce172b

              Download Submit

            • C:\Windows\rss\csrss.exe
              Filesize

              4.1MB

              MD5

              c49e4510a4cb6efe67a897bc4cce6ea2

              SHA1

              584f6746b873f4c005e2b3f4d8dcc078e7c511c2

              SHA256

              a94b4d5dda264c9f7112318f5dc6980ba7a0115c63d0543f6ba8b320528f289f

              SHA512

              c1a3eaa0829fcbce11a89605aaf50638a095a2eedbdadb635abe4d0cdd8ee59c5ca838f8a5e72fdd2e6e16fc2c997f0d93507f9c3c718b483346584a985ec9df

              Download Submit

            • C:\Windows\rss\csrss.exe
              Filesize

              4.1MB

              MD5

              c49e4510a4cb6efe67a897bc4cce6ea2

              SHA1

              584f6746b873f4c005e2b3f4d8dcc078e7c511c2

              SHA256

              a94b4d5dda264c9f7112318f5dc6980ba7a0115c63d0543f6ba8b320528f289f

              SHA512

              c1a3eaa0829fcbce11a89605aaf50638a095a2eedbdadb635abe4d0cdd8ee59c5ca838f8a5e72fdd2e6e16fc2c997f0d93507f9c3c718b483346584a985ec9df

              Download Submit

            • C:\Windows\windefender.exe
              Filesize

              2.0MB

              MD5

              8e67f58837092385dcf01e8a2b4f5783

              SHA1

              012c49cfd8c5d06795a6f67ea2baf2a082cf8625

              SHA256

              166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

              SHA512

              40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

              Download Submit

            • C:\Windows\windefender.exe
              Filesize

              2.0MB

              MD5

              8e67f58837092385dcf01e8a2b4f5783

              SHA1

              012c49cfd8c5d06795a6f67ea2baf2a082cf8625

              SHA256

              166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

              SHA512

              40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

              Download Submit

            • C:\Windows\windefender.exe
              Filesize

              2.0MB

              MD5

              8e67f58837092385dcf01e8a2b4f5783

              SHA1

              012c49cfd8c5d06795a6f67ea2baf2a082cf8625

              SHA256

              166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

              SHA512

              40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

              Download Submit

            • memory/100-283-0x0000000000400000-0x0000000000C25000-memory.dmp

              Filesize

              8.1MB

              Download

            • memory/100-285-0x0000000000400000-0x0000000000C25000-memory.dmp

              Filesize

              8.1MB

              Download

            • memory/220-241-0x0000000000400000-0x0000000000D1B000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/220-282-0x0000000000400000-0x0000000000D1B000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/220-261-0x0000000000400000-0x0000000000D1B000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/220-269-0x0000000000400000-0x0000000000D1B000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/220-271-0x0000000000400000-0x0000000000D1B000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/220-273-0x0000000000400000-0x0000000000D1B000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/1320-62-0x0000000000400000-0x0000000000D1B000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/1320-158-0x0000000000400000-0x0000000000D1B000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/1320-151-0x0000000000400000-0x0000000000D1B000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/1320-61-0x00000000029D0000-0x0000000002DCB000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/1320-93-0x0000000000400000-0x0000000000D1B000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/1320-90-0x00000000029D0000-0x0000000002DCB000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/2668-114-0x0000000071080000-0x00000000713D4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/2668-112-0x0000000004AF0000-0x0000000004B00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2668-113-0x0000000070EF0000-0x0000000070F3C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/2668-107-0x0000000005760000-0x0000000005AB4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/2668-100-0x0000000004AF0000-0x0000000004B00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2668-99-0x0000000004AF0000-0x0000000004B00000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2668-98-0x0000000074FF0000-0x00000000757A0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2668-125-0x0000000074FF0000-0x00000000757A0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2820-281-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/2820-274-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/2820-270-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/2960-33-0x0000000070DF0000-0x0000000070E3C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/2960-55-0x0000000007610000-0x0000000007618000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2960-4-0x0000000074F50000-0x0000000075700000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2960-5-0x00000000049C0000-0x00000000049D0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2960-6-0x00000000048E0000-0x0000000004916000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2960-7-0x00000000049C0000-0x00000000049D0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2960-8-0x0000000005000000-0x0000000005628000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/2960-9-0x0000000004FD0000-0x0000000004FF2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2960-10-0x00000000056A0000-0x0000000005706000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2960-13-0x0000000005840000-0x00000000058A6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2960-21-0x00000000058B0000-0x0000000005C04000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/2960-22-0x0000000005EB0000-0x0000000005ECE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/2960-23-0x0000000005F00000-0x0000000005F4C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/2960-24-0x0000000006430000-0x0000000006474000-memory.dmp

              Filesize

              272KB

              Download

            • memory/2960-58-0x0000000074F50000-0x0000000075700000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2960-32-0x0000000007440000-0x0000000007472000-memory.dmp

              Filesize

              200KB

              Download

            • memory/2960-54-0x00000000076D0000-0x00000000076EA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/2960-53-0x00000000049C0000-0x00000000049D0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2960-52-0x00000000075E0000-0x00000000075F4000-memory.dmp

              Filesize

              80KB

              Download

            • memory/2960-51-0x00000000075D0000-0x00000000075DE000-memory.dmp

              Filesize

              56KB

              Download

            • memory/2960-50-0x0000000007590000-0x00000000075A1000-memory.dmp

              Filesize

              68KB

              Download

            • memory/2960-49-0x0000000007630000-0x00000000076C6000-memory.dmp

              Filesize

              600KB

              Download

            • memory/2960-48-0x0000000007570000-0x000000000757A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2960-47-0x0000000007480000-0x0000000007523000-memory.dmp

              Filesize

              652KB

              Download

            • memory/2960-28-0x00000000049C0000-0x00000000049D0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2960-29-0x00000000071F0000-0x0000000007266000-memory.dmp

              Filesize

              472KB

              Download

            • memory/2960-30-0x00000000078F0000-0x0000000007F6A000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/2960-46-0x0000000007420000-0x000000000743E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/2960-31-0x0000000007290000-0x00000000072AA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/2960-35-0x000000007F5D0000-0x000000007F5E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2960-36-0x0000000070F70000-0x00000000712C4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/2960-34-0x0000000074F50000-0x0000000075700000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/3068-26-0x0000000002CC0000-0x00000000030C4000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/3068-1-0x0000000002CC0000-0x00000000030C4000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/3068-27-0x00000000030D0000-0x00000000039BB000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/3068-2-0x00000000030D0000-0x00000000039BB000-memory.dmp

              Filesize

              8.9MB

              Download

            • memory/3068-25-0x0000000000400000-0x0000000000D1B000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/3068-3-0x0000000000400000-0x0000000000D1B000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/3068-59-0x0000000000400000-0x0000000000D1B000-memory.dmp

              Filesize

              9.1MB

              Download

            • memory/3268-139-0x00000000030A0000-0x00000000030B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3268-137-0x0000000006090000-0x00000000063E4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/3268-127-0x00000000030A0000-0x00000000030B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3268-126-0x0000000074FF0000-0x00000000757A0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4128-79-0x0000000071070000-0x00000000713C4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4128-92-0x0000000007B20000-0x0000000007B34000-memory.dmp

              Filesize

              80KB

              Download

            • memory/4128-91-0x0000000007AB0000-0x0000000007AC1000-memory.dmp

              Filesize

              68KB

              Download

            • memory/4128-63-0x0000000074FF0000-0x00000000757A0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4128-89-0x00000000077B0000-0x0000000007853000-memory.dmp

              Filesize

              652KB

              Download

            • memory/4128-78-0x0000000070EF0000-0x0000000070F3C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4128-77-0x0000000003100000-0x0000000003110000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4128-76-0x00000000068F0000-0x000000000693C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4128-75-0x0000000006150000-0x00000000064A4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4128-64-0x0000000003100000-0x0000000003110000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4128-96-0x0000000074FF0000-0x00000000757A0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4128-65-0x0000000003100000-0x0000000003110000-memory.dmp

              Filesize

              64KB

              Download

            • memory/5108-268-0x0000000000400000-0x00000000008DF000-memory.dmp

              Filesize

              4.9MB

              Download