Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    191s
  • max time network
    186s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    28/11/2022, 01:18

General

  • Target

    505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe

  • Size

    1.2MB

  • MD5

    8f15bfb3722b7b5c2af0a3af4aea2e59

  • SHA1

    b7b1c094d883c219c7f872b9d18bd765bce8a5f5

  • SHA256

    505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

  • SHA512

    47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

  • SSDEEP

    12288:92vL7kVDlyOjZ87Bvr7wn8/GtFgd6/L5G8Qx9CPW0CjTTrm+pLFONMIRkxkfkkUN:UfSh94z+tCdSV3fW0CjT3m+pApl08M3

Malware Config

Signatures

  • NirSoft MailPassView 9 IoCs

    Password recovery tool for various email clients

  • Nirsoft 16 IoCs
  • Executes dropped EXE 5 IoCs
  • Drops startup file 6 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
    "C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe
      "C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Local\Temp\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539.exe"
        3⤵
        • Drops startup file
        PID:1360
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ebis.pro/images/invoice_img.png
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:828
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:828 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1912
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:828 CREDAT:472083 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2100
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:828 CREDAT:603139 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2108
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:828 CREDAT:275482 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2964
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 1584
        3⤵
          PID:1504
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
          3⤵
            PID:524
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
            3⤵
            • Accesses Microsoft Outlook accounts
            PID:1368
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1516
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
            C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1044
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1888
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Acctres.exe"
                5⤵
                • Drops startup file
                PID:776
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ebis.pro/images/invoice_img.png
                5⤵
                  PID:2072
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                  dw20.exe -x -s 1516
                  5⤵
                  • Loads dropped DLL
                  PID:2344
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
                  5⤵
                    PID:2412
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
                    5⤵
                    • Accesses Microsoft Outlook accounts
                    PID:2548
                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
                  4⤵
                  • Executes dropped EXE
                  PID:1008
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
              "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
              2⤵
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              PID:964
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
                3⤵
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:2812
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\takshost.exe"
                  4⤵
                  • Drops startup file
                  PID:2908
                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                  dw20.exe -x -s 1464
                  4⤵
                    PID:2356
                  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
                    4⤵
                      PID:2472
                    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logmail.txt
                      4⤵
                      • Accesses Microsoft Outlook accounts
                      PID:2528
                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
                    3⤵
                    • Executes dropped EXE
                    PID:2080

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\logff.txt

                Filesize

                2B

                MD5

                f3b25701fe362ec84616a93a45ce9998

                SHA1

                d62636d8caec13f04e28442a0a6fa1afeb024bbb

                SHA256

                b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                SHA512

                98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

              • C:\Users\Admin\AppData\Local\Temp\logff.txt

                Filesize

                2B

                MD5

                f3b25701fe362ec84616a93a45ce9998

                SHA1

                d62636d8caec13f04e28442a0a6fa1afeb024bbb

                SHA256

                b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                SHA512

                98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

              • C:\Users\Admin\AppData\Local\Temp\logff.txt

                Filesize

                2B

                MD5

                f3b25701fe362ec84616a93a45ce9998

                SHA1

                d62636d8caec13f04e28442a0a6fa1afeb024bbb

                SHA256

                b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                SHA512

                98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

                Filesize

                1.2MB

                MD5

                8f15bfb3722b7b5c2af0a3af4aea2e59

                SHA1

                b7b1c094d883c219c7f872b9d18bd765bce8a5f5

                SHA256

                505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

                SHA512

                47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

                Filesize

                1.2MB

                MD5

                8f15bfb3722b7b5c2af0a3af4aea2e59

                SHA1

                b7b1c094d883c219c7f872b9d18bd765bce8a5f5

                SHA256

                505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

                SHA512

                47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

                Filesize

                1.2MB

                MD5

                8f15bfb3722b7b5c2af0a3af4aea2e59

                SHA1

                b7b1c094d883c219c7f872b9d18bd765bce8a5f5

                SHA256

                505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

                SHA512

                47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4QYX5DOT.txt

                Filesize

                601B

                MD5

                079efa30e63076a73f3455926df15059

                SHA1

                f3f4467b3a91f632454370b579cafcfcdea4b869

                SHA256

                4fba62098efaa7b436c10bfee583f71326b495652d729544f5a7993e3d7203f5

                SHA512

                d08a6e742de3cf11dcf2404fdcf40945633406d089b73e019587ce28a7d9094fb19072810a335e779aea3d2c8327d9427d3786bbfb3018b4102503868c8ca8c1

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DVVTQYNE.txt

                Filesize

                98B

                MD5

                63a1a56f5b8619ee9850a2178bbf6361

                SHA1

                e11791f934c5f55695bc659c290d6563b79d9f67

                SHA256

                410929282e2c453de841631a4be7c966fd806b9a3c1710a5f858ebe530b2ab05

                SHA512

                c248c3585dce9922c441147661dc0f7399eacf9a949b42462b22c141cd640084760a81a02863cdfe04a602cbd7784723be5a2efc5ec4a6e262b28b8e80617e2d

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

                Filesize

                9KB

                MD5

                3f9eb41226ad438b49d384cb08ce0126

                SHA1

                44024295715bd4847a29949d9a01a2b0a4671074

                SHA256

                dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

                SHA512

                0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

                Filesize

                9KB

                MD5

                3f9eb41226ad438b49d384cb08ce0126

                SHA1

                44024295715bd4847a29949d9a01a2b0a4671074

                SHA256

                dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

                SHA512

                0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

                Filesize

                9KB

                MD5

                3f9eb41226ad438b49d384cb08ce0126

                SHA1

                44024295715bd4847a29949d9a01a2b0a4671074

                SHA256

                dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

                SHA512

                0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

                Filesize

                9KB

                MD5

                3f9eb41226ad438b49d384cb08ce0126

                SHA1

                44024295715bd4847a29949d9a01a2b0a4671074

                SHA256

                dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

                SHA512

                0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

                Filesize

                9KB

                MD5

                3f9eb41226ad438b49d384cb08ce0126

                SHA1

                44024295715bd4847a29949d9a01a2b0a4671074

                SHA256

                dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

                SHA512

                0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

              • \Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

                Filesize

                1.2MB

                MD5

                8f15bfb3722b7b5c2af0a3af4aea2e59

                SHA1

                b7b1c094d883c219c7f872b9d18bd765bce8a5f5

                SHA256

                505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

                SHA512

                47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

              • \Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe

                Filesize

                1.2MB

                MD5

                8f15bfb3722b7b5c2af0a3af4aea2e59

                SHA1

                b7b1c094d883c219c7f872b9d18bd765bce8a5f5

                SHA256

                505658da866d352de8778dede2b413f90232f03a8a28021d7e92d316d6709539

                SHA512

                47cf5362e7a48d0871f628b3a1913a8b081d2e366323e196860a1249c9b5408178a175e4acfac42a6e4f2d617b405501d6ff036acea558f75184fccecb0131f6

              • \Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

                Filesize

                9KB

                MD5

                3f9eb41226ad438b49d384cb08ce0126

                SHA1

                44024295715bd4847a29949d9a01a2b0a4671074

                SHA256

                dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

                SHA512

                0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

              • \Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe

                Filesize

                9KB

                MD5

                3f9eb41226ad438b49d384cb08ce0126

                SHA1

                44024295715bd4847a29949d9a01a2b0a4671074

                SHA256

                dccd11c68485b58fbf705e191f3a93364a95e698e808d64fd6f643f4ad03b0e4

                SHA512

                0df9d94eedf480ad6918ebe011723d930c3bdaa43004de02bd1536a2e98fe9a559dde9ca099e7c4b994dfa55cb6edca3a8dcff3bc4a9ba71eb6e72caceeaa37b

              • memory/524-88-0x0000000000400000-0x0000000000418000-memory.dmp

                Filesize

                96KB

              • memory/524-100-0x0000000000400000-0x0000000000418000-memory.dmp

                Filesize

                96KB

              • memory/524-101-0x0000000000400000-0x0000000000418000-memory.dmp

                Filesize

                96KB

              • memory/524-97-0x0000000000400000-0x0000000000418000-memory.dmp

                Filesize

                96KB

              • memory/524-80-0x0000000000400000-0x0000000000418000-memory.dmp

                Filesize

                96KB

              • memory/524-85-0x0000000000400000-0x0000000000418000-memory.dmp

                Filesize

                96KB

              • memory/524-81-0x0000000000400000-0x0000000000418000-memory.dmp

                Filesize

                96KB

              • memory/524-86-0x0000000000400000-0x0000000000418000-memory.dmp

                Filesize

                96KB

              • memory/524-83-0x0000000000400000-0x0000000000418000-memory.dmp

                Filesize

                96KB

              • memory/964-131-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/964-176-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1008-178-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1008-180-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1008-142-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1044-179-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1044-98-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1044-118-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1180-58-0x0000000000400000-0x0000000000476000-memory.dmp

                Filesize

                472KB

              • memory/1180-61-0x0000000000400000-0x0000000000476000-memory.dmp

                Filesize

                472KB

              • memory/1180-60-0x0000000000400000-0x0000000000476000-memory.dmp

                Filesize

                472KB

              • memory/1180-62-0x0000000000400000-0x0000000000476000-memory.dmp

                Filesize

                472KB

              • memory/1180-77-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1180-57-0x0000000000400000-0x0000000000476000-memory.dmp

                Filesize

                472KB

              • memory/1180-69-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1180-65-0x0000000000400000-0x0000000000476000-memory.dmp

                Filesize

                472KB

              • memory/1180-67-0x0000000000400000-0x0000000000476000-memory.dmp

                Filesize

                472KB

              • memory/1368-115-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

              • memory/1368-104-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

              • memory/1368-109-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

              • memory/1368-117-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

              • memory/1368-116-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

              • memory/1368-111-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

              • memory/1368-108-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

              • memory/1368-103-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

              • memory/1368-106-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

              • memory/1516-78-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1516-122-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1516-76-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1740-55-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1740-56-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1740-54-0x00000000759C1000-0x00000000759C3000-memory.dmp

                Filesize

                8KB

              • memory/1740-121-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1888-141-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/1888-177-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/2080-201-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/2412-160-0x0000000000400000-0x0000000000418000-memory.dmp

                Filesize

                96KB

              • memory/2472-217-0x0000000000400000-0x0000000000418000-memory.dmp

                Filesize

                96KB

              • memory/2528-232-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

              • memory/2548-175-0x0000000000400000-0x000000000041B000-memory.dmp

                Filesize

                108KB

              • memory/2812-194-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB

              • memory/2812-233-0x0000000074550000-0x0000000074AFB000-memory.dmp

                Filesize

                5.7MB