Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

cb6c05b2e9...93.exe

windows7-x64

10

cb6c05b2e9...93.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/04/2024, 14:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe

  • Size

    346KB

  • MD5

    268c62a4b45d08a0639ead11b2feebd8

  • SHA1

    c1d9237230acc994067fdc1d6502b6a84afd1b9a

  • SHA256

    cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293

  • SHA512

    176becae59d443d15e81f09dd87baaeca282c5f2b9dbcb18b93952b08c62cce10eff73b8742d6f2da514130cc573467d1246507097d2d5675c9690fd9d02dc38

  • SSDEEP

    6144:ICkDWiKIWcFbFwH5kZW7zy7nzo1NmN8a4jpxE5qrwbja1:ICkDWiKIBwZkZW7zy7nzo1NmN8a4jpxK

Score
10/10
saintbotdiscoverydropperevasionpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • SaintBot

    Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.

    droppersaintbot
  • SaintBot payload 5 IoCs
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs 3 IoCs
    evasiontrojan
  • Nirsoft 1 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 22 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe
    "C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4168
    • C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4600
      • C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\AdvancedRun.exe" /SpecialRun 4101d8 4600
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4992
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:864
    • C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe
      "C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Maps connected drives based on registry
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe"
        3⤵
        • Windows security bypass
        • Checks computer location settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Users\Admin\AppData\Local\Temp\9497cbeb-a169-422c-b84a-070c3a8984fc\AdvancedRun.exe
          "C:\Users\Admin\AppData\Local\Temp\9497cbeb-a169-422c-b84a-070c3a8984fc\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\9497cbeb-a169-422c-b84a-070c3a8984fc\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3508
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9497cbeb-a169-422c-b84a-070c3a8984fc\test.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2420
            • C:\Windows\system32\sc.exe
              sc stop windefend
              6⤵
              • Launches sc.exe
              PID:3380
            • C:\Windows\system32\sc.exe
              sc config windefend start= disabled
              6⤵
              • Launches sc.exe
              PID:2136
            • C:\Windows\system32\sc.exe
              sc stop Sense
              6⤵
              • Launches sc.exe
              PID:4916
            • C:\Windows\system32\sc.exe
              sc config Sense start= disabled
              6⤵
              • Launches sc.exe
              PID:2908
            • C:\Windows\system32\sc.exe
              sc stop wuauserv
              6⤵
              • Launches sc.exe
              PID:4764
            • C:\Windows\system32\sc.exe
              sc config wuauserv start= disabled
              6⤵
              • Launches sc.exe
              PID:4504
            • C:\Windows\system32\sc.exe
              sc stop usosvc
              6⤵
              • Launches sc.exe
              PID:5088
            • C:\Windows\system32\sc.exe
              sc config usosvc start= disabled
              6⤵
              • Launches sc.exe
              PID:4792
            • C:\Windows\system32\sc.exe
              sc stop WaasMedicSvc
              6⤵
              • Launches sc.exe
              PID:4352
            • C:\Windows\system32\sc.exe
              sc config WaasMedicSvc start= disabled
              6⤵
              • Launches sc.exe
              PID:4460
            • C:\Windows\system32\sc.exe
              sc stop SecurityHealthService
              6⤵
              • Launches sc.exe
              PID:3560
            • C:\Windows\system32\sc.exe
              sc config SecurityHealthService start= disabled
              6⤵
              • Launches sc.exe
              PID:3260
            • C:\Windows\system32\sc.exe
              sc stop SDRSVC
              6⤵
              • Launches sc.exe
              PID:4408
            • C:\Windows\system32\sc.exe
              sc config SDRSVC start= disabled
              6⤵
              • Launches sc.exe
              PID:3684
            • C:\Windows\system32\sc.exe
              sc stop wscsvc
              6⤵
              • Launches sc.exe
              PID:4876
            • C:\Windows\system32\sc.exe
              sc config wscsvc start= disabled
              6⤵
              • Launches sc.exe
              PID:2340
            • C:\Windows\system32\sc.exe
              sc stop WdiServiceHost
              6⤵
              • Launches sc.exe
              PID:2392
            • C:\Windows\system32\sc.exe
              sc config WdiServiceHost start= disabled
              6⤵
              • Launches sc.exe
              PID:4432
            • C:\Windows\system32\sc.exe
              sc stop WdiSystemHost
              6⤵
              • Launches sc.exe
              PID:3532
            • C:\Windows\system32\sc.exe
              sc config WdiSystemHost start= disabled
              6⤵
              • Launches sc.exe
              PID:4296
            • C:\Windows\system32\sc.exe
              sc stop InstallService
              6⤵
              • Launches sc.exe
              PID:3116
            • C:\Windows\system32\sc.exe
              sc config InstallService Start= disabled
              6⤵
              • Launches sc.exe
              PID:4472
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe" -Force
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4788
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:4228
          • C:\Windows\SysWOW64\dfrgui.exe
            "C:\Windows\system32\dfrgui.exe"
            5⤵
            • Loads dropped DLL
            • Adds Run key to start application
            • Maps connected drives based on registry
            • Drops file in System32 directory
            • Checks processor information in registry
            PID:864
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Update" /tr "%SYSTEMDRIVE%\Users\%USERNAME%\AppData\Local\zz%USERNAME%\%USERNAME%.vbs" /F
              6⤵
              • Creates scheduled task(s)
              PID:3420
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4684
        • C:\Windows\SysWOW64\PING.EXE
          ping localhost -n 3
          4⤵
          • Runs ping.exe
          PID:1764
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
          4⤵
            PID:3456

    Network

    • flag-us
      DNS
      183.142.211.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.142.211.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.197.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.197.17.2.in-addr.arpa
      IN PTR
      Response
      240.197.17.2.in-addr.arpa
      IN PTR
      a2-17-197-240deploystaticakamaitechnologiescom
    • flag-us
      DNS
      67.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      67.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      228.249.119.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.249.119.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      8003659902.space
      dfrgui.exe
      Remote address:
      8.8.8.8:53
      Request
      8003659902.space
      IN A
      Response
    • flag-us
      DNS
      157.123.68.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      157.123.68.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.126.166.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.126.166.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      249.197.17.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      249.197.17.2.in-addr.arpa
      IN PTR
      Response
      249.197.17.2.in-addr.arpa
      IN PTR
      a2-17-197-249deploystaticakamaitechnologiescom
    • flag-us
      DNS
      240.143.123.92.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.143.123.92.in-addr.arpa
      IN PTR
      Response
      240.143.123.92.in-addr.arpa
      IN PTR
      a92-123-143-240deploystaticakamaitechnologiescom
    No results found
    • 8.8.8.8:53
      183.142.211.20.in-addr.arpa
      dns
      73 B
       159 B
       1
      1

      DNS Request

      183.142.211.20.in-addr.arpa

    • 8.8.8.8:53
      240.197.17.2.in-addr.arpa
      dns
      71 B
       135 B
       1
      1

      DNS Request

      240.197.17.2.in-addr.arpa

    • 8.8.8.8:53
      67.31.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      67.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      228.249.119.40.in-addr.arpa
      dns
      73 B
       159 B
       1
      1

      DNS Request

      228.249.119.40.in-addr.arpa

    • 8.8.8.8:53
      8003659902.space
      dns
      dfrgui.exe
      62 B
       127 B
       1
      1

      DNS Request

      8003659902.space

    • 8.8.8.8:53
      157.123.68.40.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      157.123.68.40.in-addr.arpa

    • 8.8.8.8:53
      56.126.166.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      56.126.166.20.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      249.197.17.2.in-addr.arpa
      dns
      71 B
       135 B
       1
      1

      DNS Request

      249.197.17.2.in-addr.arpa

    • 8.8.8.8:53
      240.143.123.92.in-addr.arpa
      dns
      73 B
       139 B
       1
      1

      DNS Request

      240.143.123.92.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Impair Defenses

    5
    T1562

    Disable or Modify Tools

    4
    T1562.001

    Modify Registry

    5
    T1112

    Credential Access

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    4
    T1012

    Remote System Discovery

    1
    T1018

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Service Stop

    1
    T1489

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      3d086a433708053f9bf9523e1d87a4e8

      SHA1

      b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

      SHA256

      6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

      SHA512

      931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      aa3ea3159875b1013e0e01bd1e7f8dfd

      SHA1

      037b554bfe444f7fca9770baabbec6becb187d3a

      SHA256

      181518c4561e88a05a94504325af99d928e8cd41a94160ea9e4cd6030652435b

      SHA512

      e6bd4db6cf3d393c1278b36a10db0a80fbaa6e7dfa448f9f02e752fbd8125b55f364c2c1ee9e31b5efa1e9cc865c7d76cafa8853c04cc2e9e998f007119eb631

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\AdvancedRun.exe
      Filesize

      88KB

      MD5

      17fc12902f4769af3a9271eb4e2dacce

      SHA1

      9a4a1581cc3971579574f837e110f3bd6d529dab

      SHA256

      29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

      SHA512

      036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\9497cbeb-a169-422c-b84a-070c3a8984fc\test.bat
      Filesize

      8KB

      MD5

      b2a5ef7d334bdf866113c6f4f9036aae

      SHA1

      f9027f2827b35840487efd04e818121b5a8541e0

      SHA256

      27426aa52448e564b5b9dff2dbe62037992ada8336a8e36560cee7a94930c45e

      SHA512

      8ed39ed39e03fa6d4e49167e8ca4823e47a221294945c141b241cfd1eb7d20314a15608da3fafc3c258ae2cfc535d3e5925b56caceee87acfb7d4831d267189e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pakvdiif.swi.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\zzAdmin\slideshow.mp4
      Filesize

      1.6MB

      MD5

      4f3387277ccbd6d1f21ac5c07fe4ca68

      SHA1

      e16506f662dc92023bf82def1d621497c8ab5890

      SHA256

      767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

      SHA512

      9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe
      Filesize

      346KB

      MD5

      268c62a4b45d08a0639ead11b2feebd8

      SHA1

      c1d9237230acc994067fdc1d6502b6a84afd1b9a

      SHA256

      cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293

      SHA512

      176becae59d443d15e81f09dd87baaeca282c5f2b9dbcb18b93952b08c62cce10eff73b8742d6f2da514130cc573467d1246507097d2d5675c9690fd9d02dc38

      Download Submit

    • C:\Users\Admin\AppData\Roaming\del.bat
      Filesize

      169B

      MD5

      600dcbbcae1744d5f4cd1cccd1fefd22

      SHA1

      fde7a4c86e1f4444fd135e81d6efa88fab349e93

      SHA256

      26025f90b439bed43d3c90977105b59d5b4451e06f40cccb54ba86e05ec99d0c

      SHA512

      507c814de0ebc9ed6f9cda75785fb238208d2e6e66334d3712fc5f69e44abe0ab4ebaa5e754f4fe4eecbd19bf22bd8f7fac52b2391a0d05d5645dfa0e5e62681

      Download Submit

    • memory/864-59-0x00000000076C0000-0x00000000076D4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/864-54-0x0000000007480000-0x000000000749A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/864-141-0x00000000005C0000-0x00000000005CB000-memory.dmp

      Filesize

      44KB

      Download

    • memory/864-140-0x00000000005C0000-0x00000000005CB000-memory.dmp

      Filesize

      44KB

      Download

    • memory/864-30-0x0000000005AC0000-0x0000000005B26000-memory.dmp

      Filesize

      408KB

      Download

    • memory/864-31-0x0000000005B30000-0x0000000005B96000-memory.dmp

      Filesize

      408KB

      Download

    • memory/864-36-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/864-37-0x0000000006140000-0x000000000615E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/864-38-0x0000000006190000-0x00000000061DC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/864-39-0x000000007FD00000-0x000000007FD10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/864-40-0x0000000006720000-0x0000000006752000-memory.dmp

      Filesize

      200KB

      Download

    • memory/864-41-0x000000006FE50000-0x000000006FE9C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/864-51-0x0000000006700000-0x000000000671E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/864-52-0x0000000007120000-0x00000000071C3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/864-53-0x0000000007AC0000-0x000000000813A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/864-21-0x0000000002A50000-0x0000000002A60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/864-55-0x00000000074F0000-0x00000000074FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/864-56-0x0000000007700000-0x0000000007796000-memory.dmp

      Filesize

      600KB

      Download

    • memory/864-57-0x0000000007680000-0x0000000007691000-memory.dmp

      Filesize

      68KB

      Download

    • memory/864-58-0x00000000076B0000-0x00000000076BE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/864-139-0x00000000005C0000-0x00000000005CB000-memory.dmp

      Filesize

      44KB

      Download

    • memory/864-60-0x00000000077C0000-0x00000000077DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/864-61-0x00000000077A0000-0x00000000077A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/864-64-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/864-19-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/864-18-0x0000000002850000-0x0000000002886000-memory.dmp

      Filesize

      216KB

      Download

    • memory/864-24-0x0000000005390000-0x00000000053B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/864-20-0x0000000002A50000-0x0000000002A60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/864-22-0x0000000005420000-0x0000000005A48000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1872-70-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1872-65-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2360-83-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2360-102-0x0000000005580000-0x0000000005590000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2360-136-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4168-98-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4168-3-0x00000000050C0000-0x000000000515C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4168-1-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4168-23-0x00000000051D0000-0x00000000051E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4168-0-0x0000000000680000-0x00000000006DE000-memory.dmp

      Filesize

      376KB

      Download

    • memory/4168-2-0x00000000055D0000-0x0000000005B74000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4228-137-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4228-133-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4788-103-0x0000000000F00000-0x0000000000F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4788-129-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4788-127-0x0000000000F00000-0x0000000000F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4788-126-0x0000000000F00000-0x0000000000F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4788-116-0x000000006FE50000-0x000000006FE9C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4788-114-0x0000000005C10000-0x0000000005F64000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4788-104-0x0000000000F00000-0x0000000000F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4788-101-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.