Analysis

  • max time kernel
    134s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/01/2024, 13:16

General

  • Target

    72574ebc8ac037a668c637ccfc74e538.exe

  • Size

    13.0MB

  • MD5

    72574ebc8ac037a668c637ccfc74e538

  • SHA1

    a61f9306526bc05c1c5a67afd7b3d689b076ab35

  • SHA256

    cb2ab7c671df235643f807f9d81d28eb8cab4cceacc05175fe6719e6cebf0d77

  • SHA512

    5dd63b0fe46a7b947e01ac68915ee645156900d3a95c802bd8eb0eea064e4411202905c1ef8a9eb64804195c118babf756967874143ab0fef0012a8d44b1b4b5

  • SSDEEP

    196608:yU7d9xZSt4U7d9xZStSU7d9xZSt4U7d9xZStY:D7d9xZo7d9xZS7d9xZo7d9xZN

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzone RAT payload 16 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 6 IoCs
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
    "C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:352
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
      2⤵
      • Drops startup file
      PID:1880
    • C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
      C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
        C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
        3⤵
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1732
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1876
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
            5⤵
            • Drops startup file
            PID:220
          • \??\c:\windows\system\explorer.exe
            c:\windows\system\explorer.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            PID:1896
            • \??\c:\windows\system\explorer.exe
              c:\windows\system\explorer.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of hidden/system files in Explorer
              • Modifies Installed Components in the registry
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:1972
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                PID:4080
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
                  8⤵
                  • Drops startup file
                  PID:728
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe
                  8⤵
                  • Executes dropped EXE
                  PID:2948
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                7⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                PID:628
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
                  8⤵
                  PID:5048
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe
                  8⤵
                  PID:1236
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                7⤵
                PID:4300
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
                  8⤵
                  PID:3616
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe
                  8⤵
                  PID:3232
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                7⤵
                PID:3656
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
                  8⤵
                  PID:1256
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe
                  8⤵
                  PID:3148
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                7⤵
                PID:4488
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
                  8⤵
                  PID:1684
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe
                  8⤵
                  PID:2452
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                7⤵
                PID:3460
            • C:\Windows\SysWOW64\diskperf.exe
              "C:\Windows\SysWOW64\diskperf.exe"
              6⤵
              PID:1992
      • C:\Windows\SysWOW64\diskperf.exe
        "C:\Windows\SysWOW64\diskperf.exe"
        3⤵
        PID:1404

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
    Filesize
    4.4MB

  • C:\Users\Admin\AppData\Local\Temp\Disk.sys
    Filesize
    7.4MB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
    Filesize
    93B

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
    Filesize
    92B

  • C:\Windows\System\explorer.exe
    Filesize
    13.0MB

  • C:\Windows\System\explorer.exe
    Filesize
    2.1MB

  • C:\Windows\System\explorer.exe
    Filesize
    640KB

  • C:\Windows\System\explorer.exe
    Filesize
    8.4MB

  • C:\Windows\System\spoolsv.exe
    Filesize
    512KB

  • C:\Windows\System\spoolsv.exe
    Filesize
    3.8MB

  • C:\Windows\System\spoolsv.exe
    Filesize
    2.2MB

  • C:\Windows\System\spoolsv.exe
    Filesize
    2.0MB

  • C:\Windows\System\spoolsv.exe
    Filesize
    384KB

  • C:\Windows\System\spoolsv.exe
    Filesize
    832KB

  • C:\Windows\System\spoolsv.exe
    Filesize
    704KB

  • C:\Windows\System\spoolsv.exe
    Filesize
    448KB

  • C:\Windows\System\spoolsv.exe
    Filesize
    2.4MB

  • C:\Windows\System\spoolsv.exe
    Filesize
    2.6MB

  • \??\c:\windows\system\explorer.exe
    Filesize
    4.6MB

  • \??\c:\windows\system\spoolsv.exe
    Filesize
    320KB
