Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/05/2024, 09:16 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    927c2dcf05cdb8eda3993b45975520790e17dca895ca3e43f0730bca958362af.exe

  • Size

    4.1MB

  • MD5

    dc50ff2d232e4edfb9016943fcd683c2

  • SHA1

    f193e3bcf59c3c5113e626f18b651e2f6623e59a

  • SHA256

    927c2dcf05cdb8eda3993b45975520790e17dca895ca3e43f0730bca958362af

  • SHA512

    682d95622264f694d1a62873264d882307da1559ea9ae97ebb38dafb61a8d7670c0031a49698fb939a88c0af3f2264bd240f6510ada0c81bded8b118ffc1d6d1

  • SSDEEP

    98304:QvCQaDBnSWO/B+XxjapSyZlG1PnsYHdaWgIg92gsnC3bzMZh6P15:QvC3DFSWO/BjYGk1PnXHoWWZ1za6N5

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkitupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 19 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\927c2dcf05cdb8eda3993b45975520790e17dca895ca3e43f0730bca958362af.exe
    "C:\Users\Admin\AppData\Local\Temp\927c2dcf05cdb8eda3993b45975520790e17dca895ca3e43f0730bca958362af.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4452
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2276
    • C:\Users\Admin\AppData\Local\Temp\927c2dcf05cdb8eda3993b45975520790e17dca895ca3e43f0730bca958362af.exe
      "C:\Users\Admin\AppData\Local\Temp\927c2dcf05cdb8eda3993b45975520790e17dca895ca3e43f0730bca958362af.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2212
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:4872
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4888
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1252
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3044
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2952
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:3636
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:2872
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3824
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2092
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4228
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:5032
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4492
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1472
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:3820
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:2448

    Network

    • flag-us
      DNS
      00fa6aeb-a82e-4778-911e-e480756e05cc.uuid.alldatadump.org
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      00fa6aeb-a82e-4778-911e-e480756e05cc.uuid.alldatadump.org
      IN TXT
      Response
    • flag-us
      DNS
      cdn.discordapp.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      cdn.discordapp.com
      IN A
      Response
      cdn.discordapp.com
      IN A
      162.159.135.233
      cdn.discordapp.com
      IN A
      162.159.133.233
      cdn.discordapp.com
      IN A
      162.159.129.233
      cdn.discordapp.com
      IN A
      162.159.134.233
      cdn.discordapp.com
      IN A
      162.159.130.233
    • flag-us
      DNS
      233.135.159.162.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      233.135.159.162.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      nexusrules.officeapps.live.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      nexusrules.officeapps.live.com
      IN A
      Response
      nexusrules.officeapps.live.com
      IN CNAME
      prod.nexusrules.live.com.akadns.net
      prod.nexusrules.live.com.akadns.net
      IN A
      52.111.229.19
    • flag-us
      DNS
      67.112.168.52.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      67.112.168.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      stun.stunprotocol.org
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      stun.stunprotocol.org
      IN A
      Response
      stun.stunprotocol.org
      IN A
      127.0.0.1
    • flag-us
      DNS
      carsalessystem.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      carsalessystem.com
      IN A
      Response
      carsalessystem.com
      IN A
      172.67.221.71
      carsalessystem.com
      IN A
      104.21.94.82
    • flag-us
      DNS
      71.221.67.172.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      71.221.67.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      129.250.125.74.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      129.250.125.74.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      self.events.data.microsoft.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      self.events.data.microsoft.com
      IN A
      Response
      self.events.data.microsoft.com
      IN CNAME
      self-events-data.trafficmanager.net
      self-events-data.trafficmanager.net
      IN CNAME
      onedscolprdeus04.eastus.cloudapp.azure.com
      onedscolprdeus04.eastus.cloudapp.azure.com
      IN A
      52.168.112.67
    • flag-us
      DNS
      server10.alldatadump.org
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      server10.alldatadump.org
      IN A
      Response
      server10.alldatadump.org
      IN A
      185.82.216.108
    • flag-us
      DNS
      108.216.82.185.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      108.216.82.185.in-addr.arpa
      IN PTR
      Response
      108.216.82.185.in-addr.arpa
      IN PTR
      dedic-mariadebommarez-1201693hosted-by-itldccom
    • flag-us
      DNS
      stun2.l.google.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      stun2.l.google.com
      IN A
      Response
      stun2.l.google.com
      IN A
      74.125.250.129
    • flag-us
      DNS
      19.229.111.52.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
      Response
    • 162.159.135.233:443
      cdn.discordapp.com
      tls
      csrss.exe
      1.3kB
       5.3kB
       16
      17
    • 185.82.216.108:443
      server10.alldatadump.org
      tls
      csrss.exe
      1.4kB
       5.1kB
       13
      15
    • 172.67.221.71:443
      carsalessystem.com
      tls
      csrss.exe
      104.0kB
       2.2MB
       1685
      1629
    • 185.82.216.108:443
      server10.alldatadump.org
      tls
      csrss.exe
      1.2kB
       4.7kB
       11
      13
    • 185.82.216.108:443
      server10.alldatadump.org
      tls
      csrss.exe
      1.9kB
       4.7kB
       11
      13
    • 8.8.8.8:53
      00fa6aeb-a82e-4778-911e-e480756e05cc.uuid.alldatadump.org
      dns
      csrss.exe
      389 B
       731 B
       5
      5

      DNS Request

      00fa6aeb-a82e-4778-911e-e480756e05cc.uuid.alldatadump.org

      DNS Request

      cdn.discordapp.com

      DNS Response

      162.159.135.233
      162.159.133.233
      162.159.129.233
      162.159.134.233
      162.159.130.233

      DNS Request

      233.135.159.162.in-addr.arpa

      DNS Request

      nexusrules.officeapps.live.com

      DNS Response

      52.111.229.19

      DNS Request

      67.112.168.52.in-addr.arpa

    • 8.8.8.8:53
      stun.stunprotocol.org
      dns
      csrss.exe
      352 B
       640 B
       5
      5

      DNS Request

      stun.stunprotocol.org

      DNS Response

      127.0.0.1

      DNS Request

      carsalessystem.com

      DNS Response

      172.67.221.71
      104.21.94.82

      DNS Request

      71.221.67.172.in-addr.arpa

      DNS Request

      129.250.125.74.in-addr.arpa

      DNS Request

      self.events.data.microsoft.com

      DNS Response

      52.168.112.67

    • 8.8.8.8:53
      server10.alldatadump.org
      dns
      csrss.exe
      279 B
       460 B
       4
      4

      DNS Request

      server10.alldatadump.org

      DNS Response

      185.82.216.108

      DNS Request

      108.216.82.185.in-addr.arpa

      DNS Request

      stun2.l.google.com

      DNS Response

      74.125.250.129

      DNS Request

      19.229.111.52.in-addr.arpa

    • 127.0.0.1:3478
      csrss.exe
    • 74.125.250.129:19302
      stun2.l.google.com
      csrss.exe
      48 B
       60 B
       1
      1

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1rqyzuk5.4ui.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d0c46cad6c0778401e21910bd6b56b70

      SHA1

      7be418951ea96326aca445b8dfe449b2bfa0dca6

      SHA256

      9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

      SHA512

      057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      be2a9127f6fa74e300fd218d2b3dd9ba

      SHA1

      a46f0d2a5c37e2d52bb38354fda27d2680259702

      SHA256

      a73975be655f03354428164ccdba2d353f4bd2382abef0b0d609820543009720

      SHA512

      3db670cdfc31ffb12536499fdaef9eb39cf9a17d3b82160227546a91a1726bba5eb533ae7081acf67dbf405fd53fd33d46ea533eea6dcadafe2af3eecf3070af

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      9c3a468c7dd644194ff064e6c9b9d4d4

      SHA1

      c0cccba3048bcfb5891bce3823d4d35ac4ba5970

      SHA256

      445f3e1ca2e7edf1784e08c3548ba125db36168ff47561723d4add505fac6a37

      SHA512

      b5aaa2d38d54375641aa8571e5466529e43eeafe12832e6a110933dbc3eae23d4915268f7156d6681a037c0f716614773671551b469e0551e048e85a80184b14

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      ca4536818d792b1305400aabd23fa5fc

      SHA1

      0794e62c0a598b9999cb5ce67fb6b138ff5cbaac

      SHA256

      8c60ec04365974bd3c3cae985f479b79ca27079adfe65316ee2c441682ea0c0f

      SHA512

      ac786949f8e3abf3298711a2ef6553327aaa491fa6f2070ce3444566664d5822bb7f61736fdeb6674588fa1d9fab91a24429f81c76f1fcf54bf42d6f1020d96f

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      e1ceb80fababca2606b8a7c4ad870d7d

      SHA1

      55ea0714a64a2c2129891592ee79da696dcabda4

      SHA256

      2478a3fdb909c640227879feb56991159c096a0338101db1be7a7c48ee8dd820

      SHA512

      3efa10c917b218e2f878b4bb377c5cb10ff3afd591895b8369e7a33a646d030d8c98e294b144c949fe4fdd84605c5aa85d69172f6753920e4231b4b67b51d80a

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      d44c5d3082c0275c8c1289de28d382bd

      SHA1

      1c960e1876304041623b6aa7057147c6c63c0e28

      SHA256

      c27d790f79d13a30653cf853973c30bcbe8172b84c7444261c7b4de1ebc0cf45

      SHA512

      df6244fbb10befd5bc602e8e0f0adad77b3c5ae5e958ec59e0300261202d330d794809c928184ffdbccb3516014b08fa43ad1018829e4ee46977dd84f3cd4454

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      dc50ff2d232e4edfb9016943fcd683c2

      SHA1

      f193e3bcf59c3c5113e626f18b651e2f6623e59a

      SHA256

      927c2dcf05cdb8eda3993b45975520790e17dca895ca3e43f0730bca958362af

      SHA512

      682d95622264f694d1a62873264d882307da1559ea9ae97ebb38dafb61a8d7670c0031a49698fb939a88c0af3f2264bd240f6510ada0c81bded8b118ffc1d6d1

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/1252-112-0x0000000070500000-0x000000007054C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1252-113-0x0000000070680000-0x00000000709D7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1252-109-0x00000000064D0000-0x0000000006827000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2092-188-0x0000000070380000-0x00000000703CC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2092-189-0x0000000070500000-0x0000000070857000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2276-40-0x0000000007220000-0x000000000723A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2276-50-0x0000000074180000-0x0000000074931000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2276-27-0x0000000070640000-0x0000000070997000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2276-36-0x00000000070D0000-0x00000000070EE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2276-25-0x00000000703F0000-0x000000007043C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2276-37-0x00000000070F0000-0x0000000007194000-memory.dmp

      Filesize

      656KB

      Download

    • memory/2276-24-0x0000000007070000-0x00000000070A4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2276-38-0x0000000074180000-0x0000000074931000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2276-39-0x0000000007860000-0x0000000007EDA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/2276-23-0x00000000061D0000-0x0000000006216000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2276-41-0x0000000007260000-0x000000000726A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2276-42-0x0000000007370000-0x0000000007406000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2276-43-0x0000000007280000-0x0000000007291000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2276-44-0x00000000072D0000-0x00000000072DE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2276-45-0x00000000072E0000-0x00000000072F5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/2276-46-0x0000000007330000-0x000000000734A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2276-47-0x0000000007350000-0x0000000007358000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2276-26-0x0000000074180000-0x0000000074931000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2276-22-0x0000000005D00000-0x0000000005D4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2276-21-0x0000000005C60000-0x0000000005C7E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2276-12-0x0000000005770000-0x0000000005AC7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2276-4-0x000000007418E000-0x000000007418F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2276-5-0x0000000002790000-0x00000000027C6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2276-6-0x0000000004E30000-0x000000000545A000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2276-10-0x0000000005690000-0x00000000056F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2276-11-0x0000000005700000-0x0000000005766000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2276-9-0x0000000004DB0000-0x0000000004DD2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2276-8-0x0000000074180000-0x0000000074931000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2276-7-0x0000000074180000-0x0000000074931000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2448-211-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2448-224-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2448-218-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2448-215-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2772-65-0x0000000070500000-0x000000007054C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2772-75-0x0000000007140000-0x00000000071E4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/2772-60-0x00000000059E0000-0x0000000005D37000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2772-77-0x00000000074C0000-0x00000000074D5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/2772-76-0x0000000007470000-0x0000000007481000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2772-64-0x0000000005F70000-0x0000000005FBC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2772-66-0x0000000070700000-0x0000000070A57000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2952-152-0x00000000059F0000-0x0000000005A05000-memory.dmp

      Filesize

      84KB

      Download

    • memory/2952-129-0x0000000005650000-0x00000000059A7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2952-140-0x0000000070460000-0x00000000704AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2952-141-0x00000000706A0000-0x00000000709F7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2952-150-0x0000000006E20000-0x0000000006EC4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/2952-151-0x00000000059B0000-0x00000000059C1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2952-139-0x0000000005C50000-0x0000000005C9C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3044-227-0x0000000000400000-0x0000000002365000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/3044-213-0x0000000000400000-0x0000000002365000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/3044-219-0x0000000000400000-0x0000000002365000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/3044-233-0x0000000000400000-0x0000000002365000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/3044-217-0x0000000000400000-0x0000000002365000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/3044-214-0x0000000000400000-0x0000000002365000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/3044-222-0x0000000000400000-0x0000000002365000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/3044-221-0x0000000000400000-0x0000000002365000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/3044-225-0x0000000000400000-0x0000000002365000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/3044-204-0x0000000000400000-0x0000000002365000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/3044-229-0x0000000000400000-0x0000000002365000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/3044-230-0x0000000000400000-0x0000000002365000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/3780-111-0x0000000000400000-0x0000000002365000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/3780-126-0x0000000000400000-0x0000000002365000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/3824-176-0x0000000005EF0000-0x0000000005F01000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3824-162-0x0000000005B90000-0x0000000005EE7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3824-164-0x0000000006120000-0x000000000616C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3824-177-0x0000000005F30000-0x0000000005F45000-memory.dmp

      Filesize

      84KB

      Download

    • memory/3824-165-0x0000000070380000-0x00000000703CC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3824-175-0x0000000007310000-0x00000000073B4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/3824-166-0x0000000070500000-0x0000000070857000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4452-1-0x0000000004110000-0x000000000450F000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4452-53-0x0000000004510000-0x0000000004DFB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4452-51-0x0000000000400000-0x0000000002365000-memory.dmp

      Filesize

      31.4MB

      Download

    • memory/4452-54-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4452-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/4452-2-0x0000000004510000-0x0000000004DFB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/4492-212-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4492-209-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4888-91-0x0000000070700000-0x0000000070A57000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4888-90-0x0000000070500000-0x000000007054C000-memory.dmp

      Filesize

      304KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.