Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

cb6c05b2e9...93.exe

windows7-x64

10

cb6c05b2e9...93.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/04/2024, 14:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe

  • Size

    346KB

  • MD5

    268c62a4b45d08a0639ead11b2feebd8

  • SHA1

    c1d9237230acc994067fdc1d6502b6a84afd1b9a

  • SHA256

    cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293

  • SHA512

    176becae59d443d15e81f09dd87baaeca282c5f2b9dbcb18b93952b08c62cce10eff73b8742d6f2da514130cc573467d1246507097d2d5675c9690fd9d02dc38

  • SSDEEP

    6144:ICkDWiKIWcFbFwH5kZW7zy7nzo1NmN8a4jpxE5qrwbja1:ICkDWiKIBwZkZW7zy7nzo1NmN8a4jpxK

Score
10/10
saintbotdiscoverydropperevasionpersistencetrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • SaintBot

    Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.

    droppersaintbot
  • SaintBot payload 5 IoCs
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs 3 IoCs
    evasiontrojan
  • Nirsoft 1 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 22 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe
    "C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4168
    • C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4600
      • C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\AdvancedRun.exe" /SpecialRun 4101d8 4600
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4992
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:864
    • C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe
      "C:\Users\Admin\AppData\Local\Temp\cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Maps connected drives based on registry
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe"
        3⤵
        • Windows security bypass
        • Checks computer location settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Users\Admin\AppData\Local\Temp\9497cbeb-a169-422c-b84a-070c3a8984fc\AdvancedRun.exe
          "C:\Users\Admin\AppData\Local\Temp\9497cbeb-a169-422c-b84a-070c3a8984fc\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\9497cbeb-a169-422c-b84a-070c3a8984fc\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3508
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9497cbeb-a169-422c-b84a-070c3a8984fc\test.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2420
            • C:\Windows\system32\sc.exe
              sc stop windefend
              6⤵
              • Launches sc.exe
              PID:3380
            • C:\Windows\system32\sc.exe
              sc config windefend start= disabled
              6⤵
              • Launches sc.exe
              PID:2136
            • C:\Windows\system32\sc.exe
              sc stop Sense
              6⤵
              • Launches sc.exe
              PID:4916
            • C:\Windows\system32\sc.exe
              sc config Sense start= disabled
              6⤵
              • Launches sc.exe
              PID:2908
            • C:\Windows\system32\sc.exe
              sc stop wuauserv
              6⤵
              • Launches sc.exe
              PID:4764
            • C:\Windows\system32\sc.exe
              sc config wuauserv start= disabled
              6⤵
              • Launches sc.exe
              PID:4504
            • C:\Windows\system32\sc.exe
              sc stop usosvc
              6⤵
              • Launches sc.exe
              PID:5088
            • C:\Windows\system32\sc.exe
              sc config usosvc start= disabled
              6⤵
              • Launches sc.exe
              PID:4792
            • C:\Windows\system32\sc.exe
              sc stop WaasMedicSvc
              6⤵
              • Launches sc.exe
              PID:4352
            • C:\Windows\system32\sc.exe
              sc config WaasMedicSvc start= disabled
              6⤵
              • Launches sc.exe
              PID:4460
            • C:\Windows\system32\sc.exe
              sc stop SecurityHealthService
              6⤵
              • Launches sc.exe
              PID:3560
            • C:\Windows\system32\sc.exe
              sc config SecurityHealthService start= disabled
              6⤵
              • Launches sc.exe
              PID:3260
            • C:\Windows\system32\sc.exe
              sc stop SDRSVC
              6⤵
              • Launches sc.exe
              PID:4408
            • C:\Windows\system32\sc.exe
              sc config SDRSVC start= disabled
              6⤵
              • Launches sc.exe
              PID:3684
            • C:\Windows\system32\sc.exe
              sc stop wscsvc
              6⤵
              • Launches sc.exe
              PID:4876
            • C:\Windows\system32\sc.exe
              sc config wscsvc start= disabled
              6⤵
              • Launches sc.exe
              PID:2340
            • C:\Windows\system32\sc.exe
              sc stop WdiServiceHost
              6⤵
              • Launches sc.exe
              PID:2392
            • C:\Windows\system32\sc.exe
              sc config WdiServiceHost start= disabled
              6⤵
              • Launches sc.exe
              PID:4432
            • C:\Windows\system32\sc.exe
              sc stop WdiSystemHost
              6⤵
              • Launches sc.exe
              PID:3532
            • C:\Windows\system32\sc.exe
              sc config WdiSystemHost start= disabled
              6⤵
              • Launches sc.exe
              PID:4296
            • C:\Windows\system32\sc.exe
              sc stop InstallService
              6⤵
              • Launches sc.exe
              PID:3116
            • C:\Windows\system32\sc.exe
              sc config InstallService Start= disabled
              6⤵
              • Launches sc.exe
              PID:4472
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe" -Force
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4788
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Maps connected drives based on registry
          • Suspicious behavior: EnumeratesProcesses
          PID:4228
          • C:\Windows\SysWOW64\dfrgui.exe
            "C:\Windows\system32\dfrgui.exe"
            5⤵
            • Loads dropped DLL
            • Adds Run key to start application
            • Maps connected drives based on registry
            • Drops file in System32 directory
            • Checks processor information in registry
            PID:864
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Update" /tr "%SYSTEMDRIVE%\Users\%USERNAME%\AppData\Local\zz%USERNAME%\%USERNAME%.vbs" /F
              6⤵
              • Creates scheduled task(s)
              PID:3420
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4684
        • C:\Windows\SysWOW64\PING.EXE
          ping localhost -n 3
          4⤵
          • Runs ping.exe
          PID:1764
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
          4⤵
            PID:3456

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Impair Defenses

    5
    T1562

    Disable or Modify Tools

    4
    T1562.001

    Modify Registry

    5
    T1112

    Credential Access

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    4
    T1012

    Remote System Discovery

    1
    T1018

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Service Stop

    1
    T1489

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      3d086a433708053f9bf9523e1d87a4e8

      SHA1

      b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

      SHA256

      6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

      SHA512

      931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      aa3ea3159875b1013e0e01bd1e7f8dfd

      SHA1

      037b554bfe444f7fca9770baabbec6becb187d3a

      SHA256

      181518c4561e88a05a94504325af99d928e8cd41a94160ea9e4cd6030652435b

      SHA512

      e6bd4db6cf3d393c1278b36a10db0a80fbaa6e7dfa448f9f02e752fbd8125b55f364c2c1ee9e31b5efa1e9cc865c7d76cafa8853c04cc2e9e998f007119eb631

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\66b31eaf-af69-4250-89af-b83b2c433d9f\AdvancedRun.exe
      Filesize

      88KB

      MD5

      17fc12902f4769af3a9271eb4e2dacce

      SHA1

      9a4a1581cc3971579574f837e110f3bd6d529dab

      SHA256

      29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

      SHA512

      036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\9497cbeb-a169-422c-b84a-070c3a8984fc\test.bat
      Filesize

      8KB

      MD5

      b2a5ef7d334bdf866113c6f4f9036aae

      SHA1

      f9027f2827b35840487efd04e818121b5a8541e0

      SHA256

      27426aa52448e564b5b9dff2dbe62037992ada8336a8e36560cee7a94930c45e

      SHA512

      8ed39ed39e03fa6d4e49167e8ca4823e47a221294945c141b241cfd1eb7d20314a15608da3fafc3c258ae2cfc535d3e5925b56caceee87acfb7d4831d267189e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pakvdiif.swi.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\zzAdmin\slideshow.mp4
      Filesize

      1.6MB

      MD5

      4f3387277ccbd6d1f21ac5c07fe4ca68

      SHA1

      e16506f662dc92023bf82def1d621497c8ab5890

      SHA256

      767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

      SHA512

      9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\11519.exe
      Filesize

      346KB

      MD5

      268c62a4b45d08a0639ead11b2feebd8

      SHA1

      c1d9237230acc994067fdc1d6502b6a84afd1b9a

      SHA256

      cb6c05b2e9d8e3c384b7eabacde32fc3ac2f9663c63b9908e876712582bf2293

      SHA512

      176becae59d443d15e81f09dd87baaeca282c5f2b9dbcb18b93952b08c62cce10eff73b8742d6f2da514130cc573467d1246507097d2d5675c9690fd9d02dc38

      Download Submit

    • C:\Users\Admin\AppData\Roaming\del.bat
      Filesize

      169B

      MD5

      600dcbbcae1744d5f4cd1cccd1fefd22

      SHA1

      fde7a4c86e1f4444fd135e81d6efa88fab349e93

      SHA256

      26025f90b439bed43d3c90977105b59d5b4451e06f40cccb54ba86e05ec99d0c

      SHA512

      507c814de0ebc9ed6f9cda75785fb238208d2e6e66334d3712fc5f69e44abe0ab4ebaa5e754f4fe4eecbd19bf22bd8f7fac52b2391a0d05d5645dfa0e5e62681

      Download Submit

    • memory/864-59-0x00000000076C0000-0x00000000076D4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/864-54-0x0000000007480000-0x000000000749A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/864-141-0x00000000005C0000-0x00000000005CB000-memory.dmp

      Filesize

      44KB

      Download

    • memory/864-140-0x00000000005C0000-0x00000000005CB000-memory.dmp

      Filesize

      44KB

      Download

    • memory/864-30-0x0000000005AC0000-0x0000000005B26000-memory.dmp

      Filesize

      408KB

      Download

    • memory/864-31-0x0000000005B30000-0x0000000005B96000-memory.dmp

      Filesize

      408KB

      Download

    • memory/864-36-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/864-37-0x0000000006140000-0x000000000615E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/864-38-0x0000000006190000-0x00000000061DC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/864-39-0x000000007FD00000-0x000000007FD10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/864-40-0x0000000006720000-0x0000000006752000-memory.dmp

      Filesize

      200KB

      Download

    • memory/864-41-0x000000006FE50000-0x000000006FE9C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/864-51-0x0000000006700000-0x000000000671E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/864-52-0x0000000007120000-0x00000000071C3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/864-53-0x0000000007AC0000-0x000000000813A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/864-21-0x0000000002A50000-0x0000000002A60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/864-55-0x00000000074F0000-0x00000000074FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/864-56-0x0000000007700000-0x0000000007796000-memory.dmp

      Filesize

      600KB

      Download

    • memory/864-57-0x0000000007680000-0x0000000007691000-memory.dmp

      Filesize

      68KB

      Download

    • memory/864-58-0x00000000076B0000-0x00000000076BE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/864-139-0x00000000005C0000-0x00000000005CB000-memory.dmp

      Filesize

      44KB

      Download

    • memory/864-60-0x00000000077C0000-0x00000000077DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/864-61-0x00000000077A0000-0x00000000077A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/864-64-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/864-19-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/864-18-0x0000000002850000-0x0000000002886000-memory.dmp

      Filesize

      216KB

      Download

    • memory/864-24-0x0000000005390000-0x00000000053B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/864-20-0x0000000002A50000-0x0000000002A60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/864-22-0x0000000005420000-0x0000000005A48000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1872-70-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1872-65-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2360-83-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2360-102-0x0000000005580000-0x0000000005590000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2360-136-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4168-98-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4168-3-0x00000000050C0000-0x000000000515C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4168-1-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4168-23-0x00000000051D0000-0x00000000051E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4168-0-0x0000000000680000-0x00000000006DE000-memory.dmp

      Filesize

      376KB

      Download

    • memory/4168-2-0x00000000055D0000-0x0000000005B74000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4228-137-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4228-133-0x0000000000400000-0x000000000040B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4788-103-0x0000000000F00000-0x0000000000F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4788-129-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4788-127-0x0000000000F00000-0x0000000000F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4788-126-0x0000000000F00000-0x0000000000F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4788-116-0x000000006FE50000-0x000000006FE9C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4788-114-0x0000000005C10000-0x0000000005F64000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4788-104-0x0000000000F00000-0x0000000000F10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4788-101-0x00000000748A0000-0x0000000075050000-memory.dmp

      Filesize

      7.7MB

      Download