Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/05/2024, 14:04 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe

  • Size

    4.1MB

  • MD5

    e58d1153bc8172c3df9e53d601aecbaf

  • SHA1

    eb36698471b8f27a30f112b4d813d9d7140b9a70

  • SHA256

    50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e

  • SHA512

    7eae257b03e4957930c2a318b19717f713e079432a5d30d83438d6386e90dca41973031128f7b324e8c00eacf68df23746ff5476a16c8876823c4d521f39e9f7

  • SSDEEP

    98304:IuOdAWE/bfbxbxBimum48oJjLrUZhWcgWy75MTps2CObMUZCzBSS:IuOpIddBi3V8Ojm7gWylM939C3

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkitupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 19 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
    "C:\Users\Admin\AppData\Local\Temp\50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4464
    • C:\Users\Admin\AppData\Local\Temp\50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe
      "C:\Users\Admin\AppData\Local\Temp\50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4368
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1456
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1296
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2028
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3908
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:872
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:1040
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:3924
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3956
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1820
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4484
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:2956
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2844
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3144
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:2228
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:4636

    Network

    • flag-us
      DNS
      1f76b29f-b928-4aa1-986c-3940b18f64c6.uuid.statscreate.org
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      1f76b29f-b928-4aa1-986c-3940b18f64c6.uuid.statscreate.org
      IN TXT
      Response
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      stun.l.google.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      stun.l.google.com
      IN A
      Response
      stun.l.google.com
      IN A
      74.125.250.129
    • flag-us
      DNS
      carsalessystem.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      carsalessystem.com
      IN A
      Response
      carsalessystem.com
      IN A
      172.67.221.71
      carsalessystem.com
      IN A
      104.21.94.82
    • flag-us
      DNS
      71.221.67.172.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      71.221.67.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      cdn.discordapp.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      cdn.discordapp.com
      IN A
      Response
      cdn.discordapp.com
      IN A
      162.159.134.233
      cdn.discordapp.com
      IN A
      162.159.135.233
      cdn.discordapp.com
      IN A
      162.159.133.233
      cdn.discordapp.com
      IN A
      162.159.129.233
      cdn.discordapp.com
      IN A
      162.159.130.233
    • flag-us
      DNS
      129.250.125.74.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      129.250.125.74.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      233.134.159.162.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      233.134.159.162.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      nexusrules.officeapps.live.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      nexusrules.officeapps.live.com
      IN A
      Response
      nexusrules.officeapps.live.com
      IN CNAME
      prod.nexusrules.live.com.akadns.net
      prod.nexusrules.live.com.akadns.net
      IN A
      52.111.229.43
    • flag-us
      DNS
      server7.statscreate.org
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      server7.statscreate.org
      IN A
      Response
      server7.statscreate.org
      IN A
      185.82.216.96
    • flag-us
      DNS
      96.216.82.185.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      96.216.82.185.in-addr.arpa
      IN PTR
      Response
      96.216.82.185.in-addr.arpa
      IN PTR
      dedic-mariadebommarez-1201693hosted-by-itldccom
    • flag-us
      DNS
      43.229.111.52.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      43.229.111.52.in-addr.arpa
      IN PTR
      Response
    • 162.159.134.233:443
      cdn.discordapp.com
      tls
      csrss.exe
      1.3kB
       6.0kB
       15
      18
    • 185.82.216.96:443
      server7.statscreate.org
      tls
      csrss.exe
      1.4kB
       5.1kB
       13
      14
    • 172.67.221.71:443
      carsalessystem.com
      tls
      csrss.exe
      80.4kB
       2.0MB
       1550
      1503
    • 185.82.216.96:443
      server7.statscreate.org
      tls
      csrss.exe
      1.8kB
       5.2kB
       13
      13
    • 185.82.216.96:443
      server7.statscreate.org
      tls
      csrss.exe
      1.9kB
       4.7kB
       12
      13
    • 127.0.0.1:31465
      csrss.exe
    • 8.8.8.8:53
      1f76b29f-b928-4aa1-986c-3940b18f64c6.uuid.statscreate.org
      dns
      csrss.exe
      368 B
       576 B
       5
      5

      DNS Request

      1f76b29f-b928-4aa1-986c-3940b18f64c6.uuid.statscreate.org

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      stun.l.google.com

      DNS Response

      74.125.250.129

      DNS Request

      carsalessystem.com

      DNS Response

      172.67.221.71
      104.21.94.82

      DNS Request

      71.221.67.172.in-addr.arpa

    • 8.8.8.8:53
      cdn.discordapp.com
      dns
      csrss.exe
      287 B
       554 B
       4
      4

      DNS Request

      cdn.discordapp.com

      DNS Response

      162.159.134.233
      162.159.135.233
      162.159.133.233
      162.159.129.233
      162.159.130.233

      DNS Request

      129.250.125.74.in-addr.arpa

      DNS Request

      233.134.159.162.in-addr.arpa

      DNS Request

      nexusrules.officeapps.live.com

      DNS Response

      52.111.229.43

    • 8.8.8.8:53
      server7.statscreate.org
      dns
      csrss.exe
      213 B
       378 B
       3
      3

      DNS Request

      server7.statscreate.org

      DNS Response

      185.82.216.96

      DNS Request

      96.216.82.185.in-addr.arpa

      DNS Request

      43.229.111.52.in-addr.arpa

    • 74.125.250.129:19302
      stun.l.google.com
      csrss.exe
      48 B
       60 B
       1
      1

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ausqfy4y.nbt.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      ac4917a885cf6050b1a483e4bc4d2ea5

      SHA1

      b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

      SHA256

      e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

      SHA512

      092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      b8b0a3c57b9af7a7995c5a54e1f7b7f9

      SHA1

      6328c8a06a18b3b27df8959f74e5b9a3a11e9e75

      SHA256

      375c2f268a9c9b90417323a2999ca5bdf8af965d72d7ae44bcb3246bcd227ea7

      SHA512

      82786b718c0b4083609cc260634ad63dec1c50b118fad2b72751466e46836fb58818bc89f796c0bd6a03279fd69335d76efbc4492024410d7ef3c48ac624429b

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      967a70fa855b326eb88d140de7387891

      SHA1

      d522be40d0a9625fce5713cca5bbfcb0f9c39538

      SHA256

      2ea61d2204eefd887de3b3f326763569cebadf2f4560efd91ee18a0ffae1afb3

      SHA512

      630bd97debe9e5de7426ba55b92c87efc9f5d9d93b0c98661c3b91d8eadc88ef0a9467b1e2bab986d5d57e3ed85ed381c75a5445da7ca5c6a70092fc6b1e80ae

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      117b1c2d6c873934b35b940e2af556b4

      SHA1

      addd9195e3bc248b661696cdb60e056aefd74014

      SHA256

      6ac5d6daf42986717c198c4fdcd4099d0e87fbdeabd14eb70327cacd5c5d3358

      SHA512

      0145e8756d4ba4c5671779845d9fa7c8f4628e7392f955d3d1cb2d328ce538cdba92dd59cea335dbb2dfe9b9e41eda41e5329288b925dd2f14af72d7523c5924

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      338e210188fc8e08d2ced15f399eae55

      SHA1

      b3d58c5bf54176c3e277526fc79b32b3e81640f1

      SHA256

      1ab67db44570379609e8146b91ea0ed0b3e235a6f088853cfb5002ac3e4b8e36

      SHA512

      66c3dc0e7056298188d5a011ab8704b4a0ec1fc4d06daa70563c11c1bbcdf49b8ced9f64305aafc4c2020c5b73691144c56d95c9d9354cc1b25c0b6b402fffa1

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      fff358f324b17f412b27a6f0227d62af

      SHA1

      ab28c6fe725885cdef6ddd8efbedde72d5943e53

      SHA256

      071480ae1ae9d3e0102c2ec2ecb4383bfaeadc5bd7ba395097583020da5081a5

      SHA512

      56cb785a516ca28d9fc5ca9dfe02dbe0f246d36330b0da17d04ce848ad7103f95eb0440b1fe595ce7c63a912cfc26308d6866e792a36cd8a263bdc2cefa834bf

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      e58d1153bc8172c3df9e53d601aecbaf

      SHA1

      eb36698471b8f27a30f112b4d813d9d7140b9a70

      SHA256

      50a293e4e7599db16d9d573d3a4f34a48422f4f8517cba105b0b0f90d1eba37e

      SHA512

      7eae257b03e4957930c2a318b19717f713e079432a5d30d83438d6386e90dca41973031128f7b324e8c00eacf68df23746ff5476a16c8876823c4d521f39e9f7

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/872-138-0x0000000071030000-0x0000000071387000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/872-137-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/872-127-0x00000000061C0000-0x0000000006517000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1456-73-0x0000000007300000-0x0000000007315000-memory.dmp

      Filesize

      84KB

      Download

    • memory/1456-72-0x00000000072B0000-0x00000000072C1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1456-71-0x0000000006F60000-0x0000000007004000-memory.dmp

      Filesize

      656KB

      Download

    • memory/1456-62-0x0000000071010000-0x0000000071367000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1456-61-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1456-60-0x0000000005800000-0x0000000005B57000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1720-87-0x0000000004660000-0x0000000004A5A000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1720-1-0x0000000004660000-0x0000000004A5A000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1720-126-0x0000000004A60000-0x000000000534B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/1720-125-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/1720-194-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1720-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/1720-2-0x0000000004A60000-0x000000000534B000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/1820-181-0x0000000005F90000-0x00000000062E7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1820-184-0x0000000070E80000-0x00000000711D7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1820-183-0x0000000070D00000-0x0000000070D4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2028-88-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2028-89-0x0000000070FF0000-0x0000000071347000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2028-85-0x0000000005E30000-0x0000000006187000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2844-212-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2844-208-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3908-107-0x00000000057A0000-0x0000000005AF7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3908-110-0x0000000070F80000-0x00000000712D7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3908-109-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3956-158-0x00000000069C0000-0x0000000006A0C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3956-159-0x0000000070D00000-0x0000000070D4C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3956-160-0x0000000070EF0000-0x0000000071247000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3956-169-0x0000000007720000-0x00000000077C4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/3956-156-0x0000000005F50000-0x00000000062A7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3956-170-0x0000000007A90000-0x0000000007AA1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3956-171-0x00000000062D0000-0x00000000062E5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4368-193-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/4464-27-0x0000000070F60000-0x00000000712B7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4464-6-0x0000000005280000-0x00000000058AA000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4464-46-0x0000000007640000-0x000000000765A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4464-26-0x0000000074B70000-0x0000000075321000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4464-24-0x0000000007380000-0x00000000073B4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/4464-36-0x00000000073E0000-0x00000000073FE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4464-25-0x0000000070DE0000-0x0000000070E2C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4464-23-0x00000000064E0000-0x0000000006526000-memory.dmp

      Filesize

      280KB

      Download

    • memory/4464-22-0x0000000005FA0000-0x0000000005FEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4464-21-0x0000000005F80000-0x0000000005F9E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4464-20-0x0000000074B70000-0x0000000075321000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4464-38-0x0000000074B70000-0x0000000075321000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4464-19-0x0000000005B40000-0x0000000005E97000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4464-39-0x0000000007B70000-0x00000000081EA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4464-41-0x0000000007570000-0x000000000757A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4464-40-0x0000000007530000-0x000000000754A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4464-42-0x0000000007680000-0x0000000007716000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4464-43-0x0000000007590000-0x00000000075A1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4464-44-0x00000000075E0000-0x00000000075EE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4464-9-0x00000000059B0000-0x0000000005A16000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4464-10-0x0000000005A20000-0x0000000005A86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4464-8-0x00000000051C0000-0x00000000051E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4464-7-0x0000000074B70000-0x0000000075321000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4464-37-0x0000000007400000-0x00000000074A4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/4464-45-0x00000000075F0000-0x0000000007605000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4464-5-0x0000000002AA0000-0x0000000002AD6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4464-47-0x0000000007660000-0x0000000007668000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4464-4-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4464-50-0x0000000074B70000-0x0000000075321000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4468-230-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/4468-234-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/4468-214-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/4468-258-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/4468-218-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/4468-222-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/4468-202-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/4468-254-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/4468-250-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/4468-226-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/4468-238-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/4468-242-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/4468-246-0x0000000000400000-0x000000000273B000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/4636-210-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4636-224-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4636-216-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.