Analysis

  • max time kernel
    31s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    14/08/2024, 07:06

Errors

Reason
Machine shutdown

General

  • Target

    55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe

  • Size

    1.8MB

  • MD5

    6a8855023dca6226bcfd23ff4ba3a6c8

  • SHA1

    aaed3742a5352026e782f0b57431773039b7afdd

  • SHA256

    55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6

  • SHA512

    1b1b2f1d48ee17c73fc31523308e23f2198ffbcf0fa26680cfeb4d6bdc74aa3192afbc5c73889b24e3bd487f64cf83c49540fbfcb8c2cf195af563572ef5ad05

  • SSDEEP

    24576:3CpZ7HMIDGMJdMKR0t8Ag5GzQiu5/VIvxfaOUvGghrDJZ9BbwEw3HKV+Xnt:EZ71DuKRzAaKQiu/gs9eiJPBJw3Hr

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

0657d1

C2

http://185.215.113.19

Attributes
  • install_dir

    0d8f5eb8a7

  • install_file

    explorti.exe

  • strings_key

    6c55a5f34bb433fbd933a168577b1838

  • url_paths

    /Vi9leo/index.php

rc4.plain

Extracted

Family

stealc

Botnet

nord

C2

http://185.215.113.100

Attributes
  • url_path

    /e2b1563c6670f193.php

Extracted

Family

stealc

Botnet

kora

C2

http://185.215.113.100

Attributes
  • url_path

    /e2b1563c6670f193.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Stealc

    Stealc is an infostealer written in C++.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 52 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe
    "C:\Users\Admin\AppData\Local\Temp\55196ccf3cdf22594ec93c644269175fadd5d47e5c95b5c22fc0e66a436de6c6.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
      "C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe
        "C:\Users\Admin\AppData\Local\Temp\1000036001\f4dfe0e4ba.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:740
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4332
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
              6⤵
              • Checks processor information in registry
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4308
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8159eb95-4658-4a32-8ad9-a6ecc7effa0b} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" gpu
                7⤵
                PID:4708
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79cdc9bb-baa5-4b5b-9db6-94cfee1c3ad8} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" socket
                7⤵
                PID:4640
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3116 -childID 1 -isForBrowser -prefsHandle 3176 -prefMapHandle 3164 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90e3a80c-ded2-4918-b3fe-548e4e699037} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
                7⤵
                PID:3048
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3888 -childID 2 -isForBrowser -prefsHandle 3900 -prefMapHandle 3896 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cf97e62-e790-41a4-a6f1-f7408e7ab5b4} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
                7⤵
                PID:3524
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4732 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4740 -prefMapHandle 4736 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11b8bf9b-9ace-469c-b22d-38a0c6983252} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" utility
                7⤵
                • Checks processor information in registry
                PID:5412
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4236 -childID 3 -isForBrowser -prefsHandle 5304 -prefMapHandle 5300 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2e3da6f-232d-419d-9231-9c8e507ef5a2} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
                7⤵
                PID:5728
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5216 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {837b173d-afcb-4c34-aea8-1e96d793b096} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
                7⤵
                PID:5740
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5704 -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e0b2ed8-fef8-4c0b-98ad-e0b56033ffb5} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
                7⤵
                PID:5752
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6332 -childID 6 -isForBrowser -prefsHandle 6352 -prefMapHandle 6316 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {658923cb-6b5e-4d03-af10-e3af5969f84c} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
                7⤵
                PID:4124
      • C:\Users\Admin\1000037002\4b5c16ae16.exe
        "C:\Users\Admin\1000037002\4b5c16ae16.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1620
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1484
      • C:\Users\Admin\AppData\Local\Temp\1000038001\4fb3bfd77b.exe
        "C:\Users\Admin\AppData\Local\Temp\1000038001\4fb3bfd77b.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4136
  • C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:5656
