Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

01180199.exe

windows7-x64

10

01180199.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/05/2023, 12:18 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    01180199.exe

  • Size

    4.2MB

  • MD5

    ab84fb215b438459888e7ccab1ab1229

  • SHA1

    798aceec1ef27c24197f65d1cb587a65106f6890

  • SHA256

    98768d4f722a184379396f330d277f28db6a45e33c1408c2762f6050e008f673

  • SHA512

    5cafa3282324f12e2458fbbb50b8c19a6860fc9886dc0e5c8b935ddf5fb4274ddfc2073839af0ec94f201e7ce4c0d090c3231807da5bdd679754a7c1887d269b

  • SSDEEP

    98304:WMx5MZVT9tUPwkx/Zp8dUN0XdtIlqz+mQ+MULINK20lBzXQiq:WJ/W4mpYluqz+mD/LINKXlZg

Score
10/10
gluptebadiscoverydropperevasionloaderpersistencerootkit

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 16 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\01180199.exe
    "C:\Users\Admin\AppData\Local\Temp\01180199.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2180
    • C:\Users\Admin\AppData\Local\Temp\01180199.exe
      "C:\Users\Admin\AppData\Local\Temp\01180199.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1480
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3952
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:3176
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4560
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3412
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4116
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:4640
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3424
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3284
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4220
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1304
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4908

    Network

    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      0.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      0.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      997cc68f-a799-4b7b-aa32-07299fa2ba71.uuid.zaoshang.ru
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      997cc68f-a799-4b7b-aa32-07299fa2ba71.uuid.zaoshang.ru
      IN TXT
      Response
    • flag-us
      DNS
      86.8.109.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.8.109.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      stun4.l.google.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      stun4.l.google.com
      IN A
      Response
      stun4.l.google.com
      IN A
      172.217.213.127
    • flag-us
      DNS
      server3.zaoshang.ru
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      server3.zaoshang.ru
      IN A
      Response
      server3.zaoshang.ru
      IN A
      185.82.216.48
    • flag-us
      DNS
      cdn.discordapp.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      cdn.discordapp.com
      IN A
      Response
      cdn.discordapp.com
      IN A
      162.159.133.233
      cdn.discordapp.com
      IN A
      162.159.134.233
      cdn.discordapp.com
      IN A
      162.159.130.233
      cdn.discordapp.com
      IN A
      162.159.129.233
      cdn.discordapp.com
      IN A
      162.159.135.233
    • flag-us
      DNS
      twopixis.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      twopixis.com
      IN A
      Response
      twopixis.com
      IN A
      172.67.168.112
      twopixis.com
      IN A
      104.21.54.103
    • flag-us
      DNS
      127.213.217.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      127.213.217.172.in-addr.arpa
      IN PTR
      Response
      127.213.217.172.in-addr.arpa
      IN PTR
      hr-in-f1271e100net
    • flag-us
      DNS
      48.216.82.185.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      48.216.82.185.in-addr.arpa
      IN PTR
      Response
      48.216.82.185.in-addr.arpa
      IN PTR
      davidcom
    • flag-us
      DNS
      233.133.159.162.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      233.133.159.162.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      112.168.67.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      112.168.67.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      server3.zaoshang.ru
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      server3.zaoshang.ru
      IN A
      Response
      server3.zaoshang.ru
      IN A
      185.82.216.48
    • 20.44.10.122:443
      322 B
       7
    • 52.152.110.14:443
      260 B
       5
    • 52.152.110.14:443
      260 B
       5
    • 162.159.133.233:443
      cdn.discordapp.com
      tls
      csrss.exe
      1.3kB
       5.7kB
       15
      16
    • 185.82.216.48:443
      server3.zaoshang.ru
      tls
      csrss.exe
      1.9kB
       8.8kB
       16
      20
    • 172.67.168.112:443
      twopixis.com
      tls
      csrss.exe
      1.4kB
       10.8kB
       17
      20
    • 8.238.179.126:80
      322 B
       7
    • 8.238.179.126:80
      322 B
       7
    • 173.223.113.164:443
      322 B
       7
    • 173.223.113.131:80
      322 B
       7
    • 131.253.33.203:80
      322 B
       7
    • 52.152.110.14:443
      260 B
       5
    • 52.152.110.14:443
      260 B
       5
    • 52.152.110.14:443
      260 B
       5
    • 52.152.110.14:443
      208 B
       4
    • 185.82.216.48:443
      server3.zaoshang.ru
      tls
      csrss.exe
      2.0kB
       8.5kB
       11
      14
    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      0.159.190.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      0.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      997cc68f-a799-4b7b-aa32-07299fa2ba71.uuid.zaoshang.ru
      dns
      csrss.exe
      99 B
       156 B
       1
      1

      DNS Request

      997cc68f-a799-4b7b-aa32-07299fa2ba71.uuid.zaoshang.ru

    • 8.8.8.8:53
      86.8.109.52.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      86.8.109.52.in-addr.arpa

    • 8.8.8.8:53
      stun4.l.google.com
      dns
      csrss.exe
      64 B
       80 B
       1
      1

      DNS Request

      stun4.l.google.com

      DNS Response

      172.217.213.127

    • 8.8.8.8:53
      server3.zaoshang.ru
      dns
      csrss.exe
      65 B
       81 B
       1
      1

      DNS Request

      server3.zaoshang.ru

      DNS Response

      185.82.216.48

    • 8.8.8.8:53
      cdn.discordapp.com
      dns
      csrss.exe
      64 B
       144 B
       1
      1

      DNS Request

      cdn.discordapp.com

      DNS Response

      162.159.133.233
      162.159.134.233
      162.159.130.233
      162.159.129.233
      162.159.135.233

    • 172.217.213.127:19302
      stun4.l.google.com
      csrss.exe
      48 B
       60 B
       1
      1
    • 8.8.8.8:53
      twopixis.com
      dns
      csrss.exe
      58 B
       90 B
       1
      1

      DNS Request

      twopixis.com

      DNS Response

      172.67.168.112
      104.21.54.103

    • 8.8.8.8:53
      127.213.217.172.in-addr.arpa
      dns
      74 B
       108 B
       1
      1

      DNS Request

      127.213.217.172.in-addr.arpa

    • 8.8.8.8:53
      48.216.82.185.in-addr.arpa
      dns
      72 B
       95 B
       1
      1

      DNS Request

      48.216.82.185.in-addr.arpa

    • 8.8.8.8:53
      233.133.159.162.in-addr.arpa
      dns
      74 B
       136 B
       1
      1

      DNS Request

      233.133.159.162.in-addr.arpa

    • 8.8.8.8:53
      112.168.67.172.in-addr.arpa
      dns
      73 B
       135 B
       1
      1

      DNS Request

      112.168.67.172.in-addr.arpa

    • 8.8.8.8:53
      server3.zaoshang.ru
      dns
      csrss.exe
      65 B
       81 B
       1
      1

      DNS Request

      server3.zaoshang.ru

      DNS Response

      185.82.216.48

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_elgyj1ew.mul.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      4e473a9868d6cc298da01eb0a8cc10bd

      SHA1

      fb222422d0b299647c9cf528636a8b02000097f6

      SHA256

      f7f66b3a406bd61a1f0c0011540326873ca2095926d1b4bac21e7ab42a88ce53

      SHA512

      d84813f2566313efc75eee8868f0fbef92a6e6552a3b747edf984cdd4d4338d15fbbf369cb3f894b0d4b146d5c70189f682e8941baf03999b10c19460a0ef13c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      ec70e23c8e6d266774505fe1aaa84543

      SHA1

      2e23fa3a76aa3f204ee339dfccdf03cadc1ce3ca

      SHA256

      8b3476169b08a16c096924b4c992b7422f621787f26afd61e434dfe399a3f1b3

      SHA512

      a63759d66f9f2843c3966ba0cd06ca1abc39202da75509fd6c374107ae8180776a2f70f3ba9c4c3e334fe345baec7385e7c6c423e7481a3b06687cb37f0e10b7

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      42e0fcac513a75ba9e087f37f5b3b635

      SHA1

      ac3daa5906d4b35720c9c4879170f4ad7c330210

      SHA256

      242fcc2361c6e4659e403befe8598ab985c6723d74957080bee757d7a73499f5

      SHA512

      ac69696145be2677c9dc15eac64c43ee6dd5fcacbcc99f70c62798564edecdacdc800a68b655a23a47fc886067e411a2ad98b503100ad5de64c83c8ac3184594

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      c1b891300c83c26007ee692516304f2b

      SHA1

      e088aedfdbbe1669d66d1abb2c6ad3b01bf8b96f

      SHA256

      70af009f20b3c7231a33805d58dd33a4587be8ae1bc060c5b307002d5aa7fc83

      SHA512

      d19b44c90d1c0e5ed4d1ce8df6fc25fc75dcdf89f7a117a054da34224eeb46ab8296b10265ee010206ae1c8663960ddedfe541b5872c480ade928a844feb5610

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      2585398954054348c12ad2dc7155edf8

      SHA1

      20ae90a2b56d2e4cfaae11dbf59c209bc806bc3c

      SHA256

      8490823584ebf73384edfb994de8594392ef2a922fd5eec73293059daabe79cf

      SHA512

      cfe501201604f9413aaee8fdc35b50f88cc60c1731791bd07c29931d1413d28eb1a0684afeb9caf41903ffb05239acc5da8506624fe794f81c51ec0a1b688126

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      ab84fb215b438459888e7ccab1ab1229

      SHA1

      798aceec1ef27c24197f65d1cb587a65106f6890

      SHA256

      98768d4f722a184379396f330d277f28db6a45e33c1408c2762f6050e008f673

      SHA512

      5cafa3282324f12e2458fbbb50b8c19a6860fc9886dc0e5c8b935ddf5fb4274ddfc2073839af0ec94f201e7ce4c0d090c3231807da5bdd679754a7c1887d269b

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      ab84fb215b438459888e7ccab1ab1229

      SHA1

      798aceec1ef27c24197f65d1cb587a65106f6890

      SHA256

      98768d4f722a184379396f330d277f28db6a45e33c1408c2762f6050e008f673

      SHA512

      5cafa3282324f12e2458fbbb50b8c19a6860fc9886dc0e5c8b935ddf5fb4274ddfc2073839af0ec94f201e7ce4c0d090c3231807da5bdd679754a7c1887d269b

      Download Submit

    • memory/760-261-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/760-231-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1480-180-0x0000000004B90000-0x0000000004BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1480-203-0x000000007F5E0000-0x000000007F5F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1480-192-0x0000000071460000-0x00000000717B4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1480-193-0x0000000004B90000-0x0000000004BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1480-191-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1480-190-0x0000000004B90000-0x0000000004BA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2180-171-0x0000000007FC0000-0x0000000007FCA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2180-157-0x000000007F540000-0x000000007F550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2180-172-0x0000000008080000-0x0000000008116000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2180-173-0x0000000008020000-0x000000000802E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2180-174-0x0000000008120000-0x000000000813A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2180-175-0x0000000008060000-0x0000000008068000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2180-135-0x0000000005360000-0x0000000005396000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2180-170-0x0000000007E70000-0x0000000007E8E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2180-160-0x0000000070D40000-0x0000000071094000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2180-159-0x0000000070BA0000-0x0000000070BEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2180-158-0x0000000007E90000-0x0000000007EC2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2180-136-0x0000000005B30000-0x0000000006158000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2180-138-0x0000000005930000-0x0000000005952000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2180-155-0x0000000007CE0000-0x0000000007CFA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2180-154-0x0000000008340000-0x00000000089BA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/2180-139-0x00000000059D0000-0x0000000005A36000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2180-140-0x0000000005AB0000-0x0000000005B16000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2180-137-0x00000000054F0000-0x0000000005500000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2180-150-0x0000000006920000-0x000000000693E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2180-151-0x0000000006E60000-0x0000000006EA4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2180-153-0x00000000054F0000-0x0000000005500000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2180-152-0x0000000007C40000-0x0000000007CB6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2668-352-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-354-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-346-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-312-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-350-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-351-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-353-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-345-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-347-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-348-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2668-349-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2976-156-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/2976-134-0x0000000002FE0000-0x00000000038CB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/2976-178-0x0000000000400000-0x0000000000D1B000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3284-299-0x0000000070B20000-0x0000000070B6C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3284-288-0x0000000004C30000-0x0000000004C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3284-300-0x00000000712D0000-0x0000000071624000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3284-310-0x0000000004C30000-0x0000000004C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3284-311-0x000000007F830000-0x000000007F840000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3284-287-0x0000000004C30000-0x0000000004C40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3412-246-0x0000000071440000-0x0000000071794000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3412-245-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3412-244-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3412-243-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4116-275-0x0000000070C00000-0x0000000070C4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4116-274-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4116-273-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4116-276-0x00000000713A0000-0x00000000716F4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4220-327-0x0000000070B20000-0x0000000070B6C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4220-338-0x000000007EE10000-0x000000007EE20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4220-328-0x00000000712B0000-0x0000000071604000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4220-326-0x0000000004C00000-0x0000000004C10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4220-325-0x0000000004C00000-0x0000000004C10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4220-324-0x0000000004C00000-0x0000000004C10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-230-0x0000000004C80000-0x0000000004C90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-220-0x0000000070E20000-0x0000000071174000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4560-219-0x0000000070CA0000-0x0000000070CEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4560-217-0x0000000004C80000-0x0000000004C90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4560-218-0x0000000004C80000-0x0000000004C90000-memory.dmp

      Filesize

      64KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.