Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2024, 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8fd268f71cf14f567150d24036a970b430f2394b2e59f3934f3ddc247c8bbf1.exe

  • Size

    4.2MB

  • MD5

    a3929426f6905faa5f4acb7953cc92ca

  • SHA1

    24e48ebb800b5b5b7a93c357f5da4aaf54a46ebb

  • SHA256

    a8fd268f71cf14f567150d24036a970b430f2394b2e59f3934f3ddc247c8bbf1

  • SHA512

    94d7fd056d52f4667ffbe4dbab0673b0ca21d12022f2dd317c67358ce788dae4b9bd1b764015454dcd2efa0a5d649c4a6c38e27ba84d63c271ede3517270da89

  • SSDEEP

    98304:hcc1VimWaGwQyR5Ub10pmF8uf1WAu/wu8XRZ5MLcu:6gqwQyDUbupZwu/38XH5MLh

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkitupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 19 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8fd268f71cf14f567150d24036a970b430f2394b2e59f3934f3ddc247c8bbf1.exe
    "C:\Users\Admin\AppData\Local\Temp\a8fd268f71cf14f567150d24036a970b430f2394b2e59f3934f3ddc247c8bbf1.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:812
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2452
    • C:\Users\Admin\AppData\Local\Temp\a8fd268f71cf14f567150d24036a970b430f2394b2e59f3934f3ddc247c8bbf1.exe
      "C:\Users\Admin\AppData\Local\Temp\a8fd268f71cf14f567150d24036a970b430f2394b2e59f3934f3ddc247c8bbf1.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:596
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4836
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3348
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4176
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3020
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4996
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4548
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2084
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:2688
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:508
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:880
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3984
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:2484
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4164
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4964
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:5080
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 588
          3⤵
          • Program crash
          PID:4456
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 932
        2⤵
        • Program crash
        PID:1780
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 812 -ip 812
      1⤵
        PID:2200
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2592 -ip 2592
        1⤵
          PID:2252
        • C:\Windows\windefender.exe
          C:\Windows\windefender.exe
          1⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          PID:3048

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hl3qunau.z0a.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Filesize

          181KB

          MD5

          0f315edff94dbd1e283b1b8d53fdf846

          SHA1

          7cf6a3e2be157598d0161befdc7654dc7e8640e2

          SHA256

          6b36ddc7cab7626b515e000a4d719f493280c90b49c51ae21e47607b55da57cc

          SHA512

          1e2b999716ef33b23c8a2c18b3a9c9b2412292d6a860c6c923cc3dcc0948d93ffd41a1d3cd5208abb0a794ee518d7fb4f725a2abc574fe4406042c7cf18b6cce

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
          Filesize

          57KB

          MD5

          1868d1207d734ac95ef900476b1d1fc2

          SHA1

          58dc6fd96a51edd9894302048989a40f239159c2

          SHA256

          7d75b5eb33370ba631f86ab8d9582866df942897066b2a12f10ae8b0202f48af

          SHA512

          ce2a0b5d43539278aebde9e7389db357e4bcaf864227f46abc8565361c17ccfbac0a9c0ef058b71f35cb0331b910a70f40de9c9f05232fd8f7d5044ffefc470c

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          3d086a433708053f9bf9523e1d87a4e8

          SHA1

          b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

          SHA256

          6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

          SHA512

          931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          0496fe8dd8f5c1f37030f1f471571de6

          SHA1

          84b1d26a069f2269791d61be4de5569458069c3b

          SHA256

          f47aa6aec65396ee27dbd22e632668beb556e3a67a6e8c5e88cb29eb88e80594

          SHA512

          147962e7c1c1677951ed60a8a85c1d7501439e91f6d387cd854509666695d80e2963892ec9719bb21c9c70ee2a57576b8005b1c0fcfa75dbd3e3938e8ccbb215

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          d502bcfc42016bff0031810c3ccf0992

          SHA1

          d37e5c42e4bfdd7158849608a29b74cdca57d184

          SHA256

          df2669a0b29d059ba7515d18e1df1579613bf4b3481f443a4a8a3b840cbb99b5

          SHA512

          54effaa752c803b1383eee826a240a21824020ff4e82e386a354f8d95a5db98404e030c44bd3384d43155668deed8b113412d5e19528216b3080deadf03abf41

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          76a499ba417acad43ac3c7d2579ca505

          SHA1

          e24fe3b9aeef903dcf3bbd6894ad4ef971549104

          SHA256

          ffe45405ce87a488a1b064eac1caf71edcd0d15c5e6997cc995e8650ecf153aa

          SHA512

          ccbfc86831f0791b9c5ac56a1a4fa9c686f5099150ffc87268946508dee2da8c8c9564d240f23aae3e88f1aeca691de0ecc85045dc01597b2c4a26ed99ea19b0

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          2db5ad1ceb84e0b38e8693298167eb7d

          SHA1

          80766bb515f37f51073b57dd893b7b0ecf102e1b

          SHA256

          4a7b2e5a68e145e135a6861efd9a44c08b915b1440a6047b0d5d4eee53c67538

          SHA512

          8e6ebd329ea3b2fd0368a82594675d9ff19a361aecdfbee043d8a5462e35b95dd4d01c70807a60d5dbbc4f88b8ad968b7b75a3356720a21a0e09349c821316f1

          Download Submit

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          19KB

          MD5

          5538ca782f3ef60fd517f963ba641d05

          SHA1

          211be20cd5f65d162e43c44d4a25bddc45549db6

          SHA256

          19d2cbbeaa5af0cb930b87affec636a38a2ed1fb727026e98816e7812b81df13

          SHA512

          ca3f1cd9915946b5ec6381505d3f2e2c36e25ae7333a1a301e1b733d8a3f22c5c534e13cd750931bbb44d95006f5eb01d61e8bfbc3558251b74249757545af3a

          Download Submit

        • C:\Windows\rss\csrss.exe
          Filesize

          335KB

          MD5

          22410ab9e244fd09cba39da0b05ba256

          SHA1

          aa14742109154add6bba5c7e52f22fad2721bb15

          SHA256

          df151511c991534d65936535b08522d0152605bfd6c15595df5da4cfe54b90e3

          SHA512

          94661960cf6c52d894b8599b70810dc546eb5846ee0afdf81de047b0f8f7036e197e4ed6f991bfa4f05e32341e28fd0e239a132fb342e262781ac49c365e467a

          Download Submit

        • C:\Windows\rss\csrss.exe
          Filesize

          425KB

          MD5

          113595a3aa17a5609d8b538690e89e9a

          SHA1

          3f2c302c7fb14686f179812bd200d95e5562996d

          SHA256

          124ceeed03adc5b7a95183b44b618b2ac7fafafffe78498d1293cef0fa57bb49

          SHA512

          7d4bc71e3c73ffc6b8bb6e42afbef4899a2a309f60efe904b484fe61debb8535f97701d3f33e05fd883be251b9d97ed22691750daef92c78f260617edc7e8594

          Download Submit

        • C:\Windows\windefender.exe
          Filesize

          2.0MB

          MD5

          8e67f58837092385dcf01e8a2b4f5783

          SHA1

          012c49cfd8c5d06795a6f67ea2baf2a082cf8625

          SHA256

          166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

          SHA512

          40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

          Download Submit

        • memory/596-85-0x0000000002550000-0x0000000002560000-memory.dmp

          Filesize

          64KB

          Download

        • memory/596-72-0x0000000005E30000-0x0000000005E7C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/596-60-0x0000000002550000-0x0000000002560000-memory.dmp

          Filesize

          64KB

          Download

        • memory/596-61-0x0000000002550000-0x0000000002560000-memory.dmp

          Filesize

          64KB

          Download

        • memory/596-92-0x00000000749F0000-0x00000000751A0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/596-89-0x00000000073A0000-0x00000000073B4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/596-88-0x0000000007350000-0x0000000007361000-memory.dmp

          Filesize

          68KB

          Download

        • memory/596-87-0x0000000002550000-0x0000000002560000-memory.dmp

          Filesize

          64KB

          Download

        • memory/596-75-0x0000000071080000-0x00000000713D4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/596-59-0x00000000749F0000-0x00000000751A0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/596-86-0x0000000007040000-0x00000000070E3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/596-74-0x00000000708F0000-0x000000007093C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/596-73-0x000000007F040000-0x000000007F050000-memory.dmp

          Filesize

          64KB

          Download

        • memory/596-67-0x0000000005800000-0x0000000005B54000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/812-55-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/812-1-0x0000000002D30000-0x0000000003132000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/812-3-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/812-2-0x0000000003140000-0x0000000003A2B000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/2452-5-0x0000000074950000-0x0000000075100000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2452-24-0x0000000006890000-0x00000000068D4000-memory.dmp

          Filesize

          272KB

          Download

        • memory/2452-49-0x0000000007B60000-0x0000000007B7A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2452-53-0x0000000074950000-0x0000000075100000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2452-47-0x0000000007AF0000-0x0000000007AFE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2452-23-0x0000000006480000-0x00000000064CC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2452-50-0x0000000007B50000-0x0000000007B58000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2452-4-0x0000000002DE0000-0x0000000002E16000-memory.dmp

          Filesize

          216KB

          Download

        • memory/2452-48-0x0000000007B10000-0x0000000007B24000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2452-45-0x0000000007BB0000-0x0000000007C46000-memory.dmp

          Filesize

          600KB

          Download

        • memory/2452-46-0x0000000007AB0000-0x0000000007AC1000-memory.dmp

          Filesize

          68KB

          Download

        • memory/2452-28-0x000000007F500000-0x000000007F510000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2452-44-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2452-41-0x0000000007990000-0x00000000079AE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2452-43-0x00000000079B0000-0x0000000007A53000-memory.dmp

          Filesize

          652KB

          Download

        • memory/2452-42-0x0000000005060000-0x0000000005070000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2452-30-0x00000000707F0000-0x000000007083C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/2452-31-0x0000000070970000-0x0000000070CC4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2452-29-0x0000000007950000-0x0000000007982000-memory.dmp

          Filesize

          200KB

          Download

        • memory/2452-26-0x0000000007DD0000-0x000000000844A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2452-27-0x0000000007790000-0x00000000077AA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2452-25-0x0000000007670000-0x00000000076E6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2452-21-0x0000000005ED0000-0x0000000006224000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/2452-6-0x00000000056A0000-0x0000000005CC8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2452-22-0x00000000063D0000-0x00000000063EE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2452-11-0x0000000005570000-0x00000000055D6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2452-8-0x0000000005060000-0x0000000005070000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2452-7-0x0000000005060000-0x0000000005070000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2452-9-0x00000000053E0000-0x0000000005402000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2452-10-0x0000000005490000-0x00000000054F6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2592-157-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2592-56-0x0000000002C00000-0x0000000003000000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/2592-57-0x0000000003000000-0x00000000038EB000-memory.dmp

          Filesize

          8.9MB

          Download

        • memory/2592-58-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2592-134-0x0000000002C00000-0x0000000003000000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/3020-137-0x00000000708F0000-0x000000007093C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3020-133-0x00000000059C0000-0x0000000005D14000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3020-122-0x00000000749F0000-0x00000000751A0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3020-135-0x0000000004B50000-0x0000000004B60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3020-123-0x0000000004B50000-0x0000000004B60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3048-270-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3048-274-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/4164-268-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/4176-108-0x0000000071080000-0x00000000713D4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4176-94-0x00000000749F0000-0x00000000751A0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4176-95-0x00000000052E0000-0x00000000052F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4176-107-0x00000000708F0000-0x000000007093C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4176-106-0x000000007F2D0000-0x000000007F2E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4176-121-0x00000000749F0000-0x00000000751A0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4176-118-0x00000000052E0000-0x00000000052F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4176-119-0x00000000052E0000-0x00000000052F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4996-269-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4996-271-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4996-273-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4996-260-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4996-275-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4996-277-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4996-279-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4996-281-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4996-283-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4996-285-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4996-287-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4996-289-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4996-291-0x0000000000400000-0x0000000000ED8000-memory.dmp

          Filesize

          10.8MB

          Download