Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/05/2024, 16:27 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c21ef752a75a4589bd911b41e893846eb2589fb386606e7000472e714c83b601.exe

  • Size

    4.1MB

  • MD5

    3f2d5b5b9aeadc636dbf6ea91c17c16f

  • SHA1

    c1cc44feff2001f206f488898546827c6f8727d6

  • SHA256

    c21ef752a75a4589bd911b41e893846eb2589fb386606e7000472e714c83b601

  • SHA512

    da9b633b0bcc5154ae2a9f7423210bb80bff599d30ee29866c0924cb2cd591881c06d11c5c3b799468972f3b089387fc6ba2a19449647e22c1b69303784c1ddb

  • SSDEEP

    98304:5vHfbigA34ifkpJZQU0TgaIfW6UkFHwAhDtgwFW+12:5vHfb2IifudqhIuUHwAjW+M

Score
10/10
gluptebadiscoverydropperevasionexecutionloaderpersistencerootkitupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 20 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\c21ef752a75a4589bd911b41e893846eb2589fb386606e7000472e714c83b601.exe
    "C:\Users\Admin\AppData\Local\Temp\c21ef752a75a4589bd911b41e893846eb2589fb386606e7000472e714c83b601.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1624
    • C:\Users\Admin\AppData\Local\Temp\c21ef752a75a4589bd911b41e893846eb2589fb386606e7000472e714c83b601.exe
      "C:\Users\Admin\AppData\Local\Temp\c21ef752a75a4589bd911b41e893846eb2589fb386606e7000472e714c83b601.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4844
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2980
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1816
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4460
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3520
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:232
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4120
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2948
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:1872
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2260
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3104
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2496
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:4908
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2164
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:868
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:3004
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:1964

    Network

    • flag-us
      DNS
      a68ce113-51f8-459d-aa66-7b9af55bbf01.uuid.realupdate.ru
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      a68ce113-51f8-459d-aa66-7b9af55bbf01.uuid.realupdate.ru
      IN TXT
      Response
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      stun3.l.google.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      stun3.l.google.com
      IN A
      Response
      stun3.l.google.com
      IN A
      74.125.250.129
    • flag-us
      DNS
      129.250.125.74.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      129.250.125.74.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      14.227.111.52.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      14.227.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      cdn.discordapp.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      cdn.discordapp.com
      IN A
      Response
      cdn.discordapp.com
      IN A
      162.159.129.233
      cdn.discordapp.com
      IN A
      162.159.134.233
      cdn.discordapp.com
      IN A
      162.159.133.233
      cdn.discordapp.com
      IN A
      162.159.135.233
      cdn.discordapp.com
      IN A
      162.159.130.233
    • flag-us
      DNS
      carsalessystem.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      carsalessystem.com
      IN A
      Response
      carsalessystem.com
      IN A
      104.21.94.82
      carsalessystem.com
      IN A
      172.67.221.71
    • flag-us
      DNS
      96.216.82.185.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      96.216.82.185.in-addr.arpa
      IN PTR
      Response
      96.216.82.185.in-addr.arpa
      IN PTR
      dedic-mariadebommarez-1201693hosted-by-itldccom
    • flag-us
      DNS
      server12.realupdate.ru
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      server12.realupdate.ru
      IN A
      Response
      server12.realupdate.ru
      IN A
      185.82.216.96
    • flag-us
      DNS
      233.129.159.162.in-addr.arpa
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      233.129.159.162.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      nexusrules.officeapps.live.com
      csrss.exe
      Remote address:
      8.8.8.8:53
      Request
      nexusrules.officeapps.live.com
      IN A
      Response
      nexusrules.officeapps.live.com
      IN CNAME
      prod.nexusrules.live.com.akadns.net
      prod.nexusrules.live.com.akadns.net
      IN A
      52.111.227.14
    • flag-us
      DNS
      82.94.21.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      82.94.21.104.in-addr.arpa
      IN PTR
      Response
    • 162.159.129.233:443
      cdn.discordapp.com
      tls
      csrss.exe
      1.3kB
       5.3kB
       15
      16
    • 185.82.216.96:443
      server12.realupdate.ru
      tls
      csrss.exe
      1.4kB
       5.0kB
       13
      14
    • 104.21.94.82:443
      carsalessystem.com
      tls
      csrss.exe
      100.5kB
       2.2MB
       1702
      1645
    • 185.82.216.96:443
      server12.realupdate.ru
      tls
      csrss.exe
      1.2kB
       4.6kB
       10
      12
    • 185.82.216.96:443
      server12.realupdate.ru
      tls
      csrss.exe
      1.9kB
       4.6kB
       11
      13
    • 8.8.8.8:53
      a68ce113-51f8-459d-aa66-7b9af55bbf01.uuid.realupdate.ru
      dns
      csrss.exe
      376 B
       628 B
       5
      5

      DNS Request

      a68ce113-51f8-459d-aa66-7b9af55bbf01.uuid.realupdate.ru

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      stun3.l.google.com

      DNS Response

      74.125.250.129

      DNS Request

      129.250.125.74.in-addr.arpa

      DNS Request

      14.227.111.52.in-addr.arpa

    • 8.8.8.8:53
      cdn.discordapp.com
      dns
      csrss.exe
      200 B
       375 B
       3
      3

      DNS Request

      cdn.discordapp.com

      DNS Response

      162.159.129.233
      162.159.134.233
      162.159.133.233
      162.159.135.233
      162.159.130.233

      DNS Request

      carsalessystem.com

      DNS Response

      104.21.94.82
      172.67.221.71

      DNS Request

      96.216.82.185.in-addr.arpa

    • 8.8.8.8:53
      server12.realupdate.ru
      dns
      csrss.exe
      218 B
       361 B
       3
      3

      DNS Request

      server12.realupdate.ru

      DNS Response

      185.82.216.96

      DNS Request

      233.129.159.162.in-addr.arpa

      DNS Request

      nexusrules.officeapps.live.com

      DNS Response

      52.111.227.14

    • 74.125.250.129:19302
      stun3.l.google.com
      csrss.exe
      48 B
       60 B
       1
      1
    • 8.8.8.8:53
      82.94.21.104.in-addr.arpa
      dns
      71 B
       133 B
       1
      1

      DNS Request

      82.94.21.104.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Impair Defenses

    1
    T1562

    Disable or Modify System Firewall

    1
    T1562.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_szadct1p.s3i.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d0c46cad6c0778401e21910bd6b56b70

      SHA1

      7be418951ea96326aca445b8dfe449b2bfa0dca6

      SHA256

      9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

      SHA512

      057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      c5c3c546a0659126ebbc5307e3e31ff8

      SHA1

      bdbcc5e5e6d152a7d6aa087bcf11872c4c7587ad

      SHA256

      88ec28401e15f025bab2fe7a5e67bec1d0aee7d3bf775458f634e3b0630f30e9

      SHA512

      545dc70e24fd2e14b02edd84014b0a3cfa00cf4155750421199e49849756511cfac227a62fc27714d4dcbe83b29510c99f0b53c6af51648b5768d69b1191943d

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      2863d30bc1b060a084c7d56d8fb33933

      SHA1

      ee29edb6376cbcecde77dd70fb3f56447d9cee6f

      SHA256

      b2630c191c5cbd0d25b6fa47c801ff702bc0c4d75c1a7b9e6ab420eaf6b0787c

      SHA512

      254c4b2b5690994730b46bcd4ae6774aacf6961b76cc842893f05e757b95e15bd115a1e399547b6109d5dbbb2cb273d39c949e100f0aca7307564d6bfbed076f

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      b880b45f810e88fe76fef96cd8aac845

      SHA1

      c820319015e6cf7dd821dee6a07e68a34cb495de

      SHA256

      89fdbe695a127b63a559543f41be58fb291eba6ba17baa7269214012a6fd401a

      SHA512

      999737825872771d39140eee6fc9fc3d49a0c8e1a3bff0804732ee3ba1b3344102d8f7f526ba3f504c6dbd7d8eb625ff8913b06c01162aec08dd3220117c7289

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      d935783b9ca67d6645dfe2756daa9833

      SHA1

      852d1c02e8eb46f9db7cfd1d7fda48e214be9303

      SHA256

      32325ace886295d976140542d838946dcb3ec4aefdc18638e1286bdde40558ef

      SHA512

      7225bc24216a928377d0288fdafb6ec598eef6a5c8f4cf897a08c931f4410b158ff591ff5d180bd8ed8af2478671f3b5ff1a8eac5815678cf85931bead7b0cec

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      19KB

      MD5

      949379832aa895e255509d3ff8c87f3f

      SHA1

      ab508288e907d8a1cd0c8166b8463933cbe6e3e5

      SHA256

      45595efa873c87c5f6e89c89d5d10d8a4bdf48e6076a2615c7749a6fa3a8cab5

      SHA512

      d062ec735c1fbc112a066b8e49b579817799d2e94bdc19d1b9ac8f1a8eb47a9b88ff73ad81cf7c006b1adc73d90ed011041b3a9ad57b922d846c7f03ee08bb0c

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.1MB

      MD5

      3f2d5b5b9aeadc636dbf6ea91c17c16f

      SHA1

      c1cc44feff2001f206f488898546827c6f8727d6

      SHA256

      c21ef752a75a4589bd911b41e893846eb2589fb386606e7000472e714c83b601

      SHA512

      da9b633b0bcc5154ae2a9f7423210bb80bff599d30ee29866c0924cb2cd591881c06d11c5c3b799468972f3b089387fc6ba2a19449647e22c1b69303784c1ddb

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/232-215-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/232-242-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/232-205-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/232-245-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/232-248-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/232-218-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/232-221-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/232-224-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/232-227-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/232-230-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/232-233-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/232-236-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/232-239-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/1624-22-0x0000000005C40000-0x0000000005C8C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1624-10-0x0000000005650000-0x00000000056B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1624-41-0x0000000007200000-0x000000000720A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1624-42-0x0000000007310000-0x00000000073A6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1624-43-0x0000000007220000-0x0000000007231000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1624-44-0x0000000007270000-0x000000000727E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1624-45-0x0000000007280000-0x0000000007295000-memory.dmp

      Filesize

      84KB

      Download

    • memory/1624-46-0x00000000072D0000-0x00000000072EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1624-47-0x00000000072F0000-0x00000000072F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1624-50-0x00000000746E0000-0x0000000074E91000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1624-39-0x0000000007800000-0x0000000007E7A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/1624-40-0x00000000071C0000-0x00000000071DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1624-26-0x00000000746E0000-0x0000000074E91000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1624-36-0x0000000007070000-0x000000000708E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1624-37-0x0000000007090000-0x0000000007134000-memory.dmp

      Filesize

      656KB

      Download

    • memory/1624-27-0x0000000070AD0000-0x0000000070E27000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1624-24-0x0000000007010000-0x0000000007044000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1624-4-0x00000000746EE000-0x00000000746EF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1624-25-0x0000000070950000-0x000000007099C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1624-23-0x0000000006180000-0x00000000061C6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1624-21-0x0000000005C10000-0x0000000005C2E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1624-20-0x0000000005730000-0x0000000005A87000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1624-5-0x0000000002400000-0x0000000002436000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1624-11-0x00000000056C0000-0x0000000005726000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1624-7-0x00000000746E0000-0x0000000074E91000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1624-38-0x00000000746E0000-0x0000000074E91000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1624-6-0x0000000004F10000-0x000000000553A000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1624-9-0x00000000055B0000-0x00000000055D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1624-8-0x00000000746E0000-0x0000000074E91000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1964-217-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/1964-222-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2164-210-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2164-213-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/2260-176-0x00000000059A0000-0x00000000059B5000-memory.dmp

      Filesize

      84KB

      Download

    • memory/2260-174-0x0000000007150000-0x00000000071F4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/2260-161-0x0000000005A40000-0x0000000005D97000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2260-175-0x00000000074B0000-0x00000000074C1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2260-163-0x0000000005F30000-0x0000000005F7C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2260-164-0x00000000708E0000-0x000000007092C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2260-165-0x0000000070A60000-0x0000000070DB7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3104-188-0x00000000708E0000-0x000000007092C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3104-189-0x0000000070A80000-0x0000000070DD7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3104-186-0x0000000005C10000-0x0000000005F67000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3404-121-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/3404-204-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/3520-111-0x0000000070A60000-0x0000000070AAC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3520-109-0x0000000005C20000-0x0000000005F77000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3520-112-0x0000000070CA0000-0x0000000070FF7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3564-1-0x00000000045E0000-0x00000000049DE000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3564-54-0x00000000049E0000-0x00000000052CB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/3564-53-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3564-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

      Filesize

      9.1MB

      Download

    • memory/3564-2-0x00000000049E0000-0x00000000052CB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/3564-51-0x0000000000400000-0x0000000002733000-memory.dmp

      Filesize

      35.2MB

      Download

    • memory/4120-139-0x00000000709C0000-0x0000000070A0C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4120-136-0x0000000006480000-0x00000000067D7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4120-140-0x0000000070B40000-0x0000000070E97000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4120-149-0x0000000007B90000-0x0000000007C34000-memory.dmp

      Filesize

      656KB

      Download

    • memory/4120-150-0x0000000007F30000-0x0000000007F41000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4120-138-0x0000000006E30000-0x0000000006E7C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4120-151-0x0000000006350000-0x0000000006365000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4460-91-0x0000000070C60000-0x0000000070FB7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4460-90-0x0000000070A60000-0x0000000070AAC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4844-65-0x0000000070A60000-0x0000000070AAC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4844-64-0x0000000006880000-0x00000000068CC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4844-63-0x00000000062E0000-0x0000000006637000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4844-66-0x0000000070C60000-0x0000000070FB7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4844-75-0x0000000007A20000-0x0000000007AC4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/4844-76-0x0000000007D50000-0x0000000007D61000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4844-77-0x0000000007DA0000-0x0000000007DB5000-memory.dmp

      Filesize

      84KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.