Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/08/2024, 05:21

General

  • Target

    c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe

  • Size

    812KB

  • MD5

    c25bab4d90ee29cc8a07c8c28e8094bd

  • SHA1

    81c0131227b99015cc3f89c7bd7edf871a20e19d

  • SHA256

    d910880590de82048b026112b56434fbbbd143f388e51a777faf5980a948be57

  • SHA512

    61d42c69d4f181394802e212d243bbb3cd25d70e9dee41de5d2bd3e0bf75303628a89501915f0341719021c10226123fc4862191134f382cae8889d631616836

  • SSDEEP

    24576:XDDbCLHCz4d67gpgy8Z5WZZAztVm8oyCcW7:TSTRw4gyhrAzrc

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 10 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 15 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry key 1 TTPs 4 IoCs
  • Runs ping.exe 1 TTPs 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c25bab4d90ee29cc8a07c8c28e8094bd_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4100
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\java.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe "C:\Users\Admin\AppData\Local\Temp\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\java2.bat
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1028
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\java2.bat" "
          4⤵
          • Drops startup file
          • System Location Discovery: System Language Discovery
          PID:3972
    • C:\Windows\Temp\googsvc.exe
      C:\Windows\Temp\googsvc.exe
      2⤵
        PID:3884
      • C:\Windows\Temp\googsvc.exe
        C:\Windows\Temp\googsvc.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4864
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3692
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            4⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:3964
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\googsvc.exe" /t REG_SZ /d "C:\Windows\Temp\googsvc.exe:*:Enabled:Windows Messanger" /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4132
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Temp\googsvc.exe" /t REG_SZ /d "C:\Windows\Temp\googsvc.exe:*:Enabled:Windows Messanger" /f
            4⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2324
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4916
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            4⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:3456
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4296
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\drivergen.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\drivergen.exe:*:Enabled:Windows Messanger" /f
            4⤵
            • Modifies firewall policy service
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:1880
      • C:\Windows\Temp\googsvc.exe
        C:\Windows\Temp\googsvc.exe
        2⤵
          PID:1716
        • C:\Windows\Temp\googsvc.exe
          C:\Windows\Temp\googsvc.exe
          2⤵
            PID:4160
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\per.bat" "
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4180
            • C:\Windows\SysWOW64\PING.EXE
              ping 1.1.1.1 -n 1 -w 3000
              3⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1796
            • C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe
              "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2800
              • C:\Windows\Temp\googsvc.exe
                C:\Windows\Temp\googsvc.exe
                4⤵
                  PID:3944
                • C:\Windows\Temp\googsvc.exe
                  C:\Windows\Temp\googsvc.exe
                  4⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:2028
                • C:\Windows\Temp\googsvc.exe
                  C:\Windows\Temp\googsvc.exe
                  4⤵
                    PID:4852
                  • C:\Windows\Temp\googsvc.exe
                    C:\Windows\Temp\googsvc.exe
                    4⤵
                      PID:4804
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 1.1.1.1 -n 1 -w 3000
                    3⤵
                    • System Location Discovery: System Language Discovery
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:2792
                  • C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe
                    "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1468
                    • C:\Windows\Temp\googsvc.exe
                      C:\Windows\Temp\googsvc.exe
                      4⤵
                        PID:4220
                      • C:\Windows\Temp\googsvc.exe
                        C:\Windows\Temp\googsvc.exe
                        4⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:2824
                      • C:\Windows\Temp\googsvc.exe
                        C:\Windows\Temp\googsvc.exe
                        4⤵
                          PID:2656
                        • C:\Windows\Temp\googsvc.exe
                          C:\Windows\Temp\googsvc.exe
                          4⤵
                            PID:4592
                        • C:\Windows\SysWOW64\PING.EXE
                          ping 1.1.1.1 -n 1 -w 3000
                          3⤵
                          • System Location Discovery: System Language Discovery
                          • System Network Configuration Discovery: Internet Connection Discovery
                          • Runs ping.exe
                          PID:4816
                        • C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe
                          "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:792
                          • C:\Windows\Temp\googsvc.exe
                            C:\Windows\Temp\googsvc.exe
                            4⤵
                              PID:3960
                            • C:\Windows\Temp\googsvc.exe
                              C:\Windows\Temp\googsvc.exe
                              4⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of SetWindowsHookEx
                              PID:1640
                            • C:\Windows\Temp\googsvc.exe
                              C:\Windows\Temp\googsvc.exe
                              4⤵
                                PID:468
                              • C:\Windows\Temp\googsvc.exe
                                C:\Windows\Temp\googsvc.exe
                                4⤵
                                  PID:1792
                              • C:\Windows\SysWOW64\PING.EXE
                                ping 1.1.1.1 -n 1 -w 3000
                                3⤵
                                • System Location Discovery: System Language Discovery
                                • System Network Configuration Discovery: Internet Connection Discovery
                                • Runs ping.exe
                                PID:3480
                              • C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe
                                "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
                                3⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2840
                                • C:\Windows\Temp\googsvc.exe
                                  C:\Windows\Temp\googsvc.exe
                                  4⤵
                                    PID:2352
                                  • C:\Windows\Temp\googsvc.exe
                                    C:\Windows\Temp\googsvc.exe
                                    4⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:1644
                                  • C:\Windows\Temp\googsvc.exe
                                    C:\Windows\Temp\googsvc.exe
                                    4⤵
                                      PID:1796
                                    • C:\Windows\Temp\googsvc.exe
                                      C:\Windows\Temp\googsvc.exe
                                      4⤵
                                        PID:1308
                                    • C:\Windows\SysWOW64\PING.EXE
                                      ping 1.1.1.1 -n 1 -w 3000
                                      3⤵
                                      • System Location Discovery: System Language Discovery
                                      • System Network Configuration Discovery: Internet Connection Discovery
                                      • Runs ping.exe
                                      PID:4448
                                    • C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe
                                      "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
                                      3⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2376
                                      • C:\Windows\Temp\googsvc.exe
                                        C:\Windows\Temp\googsvc.exe
                                        4⤵
                                          PID:3608
                                        • C:\Windows\Temp\googsvc.exe
                                          C:\Windows\Temp\googsvc.exe
                                          4⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          • Suspicious use of SetWindowsHookEx
                                          PID:2272
                                        • C:\Windows\Temp\googsvc.exe
                                          C:\Windows\Temp\googsvc.exe
                                          4⤵
                                            PID:3552
                                          • C:\Windows\Temp\googsvc.exe
                                            C:\Windows\Temp\googsvc.exe
                                            4⤵
                                              PID:4452
                                          • C:\Windows\SysWOW64\PING.EXE
                                            ping 1.1.1.1 -n 1 -w 3000
                                            3⤵
                                            • System Location Discovery: System Language Discovery
                                            • System Network Configuration Discovery: Internet Connection Discovery
                                            • Runs ping.exe
                                            PID:4604
                                          • C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe
                                            "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
                                            3⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3444
                                            • C:\Windows\Temp\googsvc.exe
                                              C:\Windows\Temp\googsvc.exe
                                              4⤵
                                                PID:4792
                                              • C:\Windows\Temp\googsvc.exe
                                                C:\Windows\Temp\googsvc.exe
                                                4⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of SetWindowsHookEx
                                                PID:3460
                                              • C:\Windows\Temp\googsvc.exe
                                                C:\Windows\Temp\googsvc.exe
                                                4⤵
                                                  PID:4468
                                                • C:\Windows\Temp\googsvc.exe
                                                  C:\Windows\Temp\googsvc.exe
                                                  4⤵
                                                    PID:1724
                                                • C:\Windows\SysWOW64\PING.EXE
                                                  ping 1.1.1.1 -n 1 -w 3000
                                                  3⤵
                                                  • System Location Discovery: System Language Discovery
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:5076
                                                • C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe
                                                  "C:\Users\Admin\AppData\Local\Temp\chksvc32 .exe"
                                                  3⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetThreadContext
                                                  • System Location Discovery: System Language Discovery
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:3304
                                                  • C:\Windows\Temp\googsvc.exe
                                                    C:\Windows\Temp\googsvc.exe
                                                    4⤵
                                                      PID:1456
                                                    • C:\Windows\Temp\googsvc.exe
                                                      C:\Windows\Temp\googsvc.exe
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:3068
                                                    • C:\Windows\Temp\googsvc.exe
                                                      C:\Windows\Temp\googsvc.exe
                                                      4⤵
                                                        PID:5016
                                                      • C:\Windows\Temp\googsvc.exe
                                                        C:\Windows\Temp\googsvc.exe
                                                        4⤵
                                                          PID:3132

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chksvc32 .exe.log

                                                    Filesize

                                                    499B

                                                    MD5

                                                    17f7e5c69c4f1dc984a9810dde3b6982

                                                    SHA1

                                                    601b5cf990955dabd1693049c2ed13b9ee2d2bd9

                                                    SHA256

                                                    88f6579fa5ec5ee4040bc0cc74ff0f95966ccfb0181342f51362c42cc10cee12

                                                    SHA512

                                                    a48162a368d358fe99876d95f0389f07bcbe0f689b741db722d284dbb43dfdeccb0589cc64cb0bad379333bcdbb88c0d3fba7d419572216a219907e2cf501df1

                                                  • C:\Users\Admin\AppData\Local\Temp\invs.vbs

                                                    Filesize

                                                    78B

                                                    MD5

                                                    c578d9653b22800c3eb6b6a51219bbb8

                                                    SHA1

                                                    a97aa251901bbe179a48dbc7a0c1872e163b1f2d

                                                    SHA256

                                                    20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

                                                    SHA512

                                                    3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

                                                  • C:\Users\Admin\AppData\Local\Temp\java.bat

                                                    Filesize

                                                    47B

                                                    MD5

                                                    81bf5400486e5da45ba0c6c1399d843f

                                                    SHA1

                                                    d70a7c4d3f3057a3ef5b8b1c764b40b3d3b4d59d

                                                    SHA256

                                                    d1a915a5e0286b1648a6e094f52813e2b5766dce3acf6342b297f7ca113545f1

                                                    SHA512

                                                    ebeee9eb5249ee1b278bf6c1fbcd91e4c073a241203f218dfa2edfa708a37679c6e6a78751de55b4640a024b32ce4389bd5d931401309163950cd15b4a91c140

                                                  • C:\Users\Admin\AppData\Local\Temp\java2.bat

                                                    Filesize

                                                    151B

                                                    MD5

                                                    f73f12c228d1739deaf18b076fa97cc5

                                                    SHA1

                                                    9a66b62b35fb1a25100d45850033bc2743ff38c9

                                                    SHA256

                                                    d73fdd571ff32309fbaae805207a4c1dae63b10de34f2559794ad90ffafeab6f

                                                    SHA512

                                                    ee8a46e408db8d70834c37059c6b85638818c90f2f1a7387f68bb80e90e879c1dc9527e2f7265f3d953703f16859520b640bca70de4f269e9854306120ede530

                                                  • C:\Users\Admin\AppData\Local\Temp\per.bat

                                                    Filesize

                                                    111B

                                                    MD5

                                                    9f5ca9584ebfaf1e7edec5f5e063edc4

                                                    SHA1

                                                    8ad29316bb42023ef7fb22e5023d14c223fcee68

                                                    SHA256

                                                    ab348f675a736ec52b56896512a30e1b5fdf0546f1f4686ed908d318a2ca5309

                                                    SHA512

                                                    0f4d6711b5697ddc093e448809d8b462d384d8ba38ed81dc31069a0529477defbb537f2d5be9c0d61c277aa7e8700a82ae12d4c39e939661a310d280b1551585

                                                  • C:\Users\Admin\AppData\Local\Temp\rundll32-.txt

                                                    Filesize

                                                    812KB

                                                    MD5

                                                    c25bab4d90ee29cc8a07c8c28e8094bd

                                                    SHA1

                                                    81c0131227b99015cc3f89c7bd7edf871a20e19d

                                                    SHA256

                                                    d910880590de82048b026112b56434fbbbd143f388e51a777faf5980a948be57

                                                    SHA512

                                                    61d42c69d4f181394802e212d243bbb3cd25d70e9dee41de5d2bd3e0bf75303628a89501915f0341719021c10226123fc4862191134f382cae8889d631616836

                                                  • C:\Windows\Temp\googsvc.exe

                                                    Filesize

                                                    1.1MB

                                                    MD5

                                                    d881de17aa8f2e2c08cbb7b265f928f9

                                                    SHA1

                                                    08936aebc87decf0af6e8eada191062b5e65ac2a

                                                    SHA256

                                                    b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

                                                    SHA512

                                                    5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

                                                  • memory/1640-84-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/1644-96-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/2028-55-0x0000000000470000-0x0000000000539000-memory.dmp

                                                    Filesize

                                                    804KB

                                                  • memory/2028-56-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/2272-109-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/2824-71-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/3068-134-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/3460-122-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/4100-2-0x0000000074CF0000-0x00000000752A1000-memory.dmp

                                                    Filesize

                                                    5.7MB

                                                  • memory/4100-0-0x0000000074CF2000-0x0000000074CF3000-memory.dmp

                                                    Filesize

                                                    4KB

                                                  • memory/4100-36-0x0000000074CF2000-0x0000000074CF3000-memory.dmp

                                                    Filesize

                                                    4KB

                                                  • memory/4100-37-0x0000000074CF0000-0x00000000752A1000-memory.dmp

                                                    Filesize

                                                    5.7MB

                                                  • memory/4100-44-0x0000000074CF0000-0x00000000752A1000-memory.dmp

                                                    Filesize

                                                    5.7MB

                                                  • memory/4100-1-0x0000000074CF0000-0x00000000752A1000-memory.dmp

                                                    Filesize

                                                    5.7MB

                                                  • memory/4864-59-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/4864-72-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/4864-74-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/4864-47-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/4864-86-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/4864-38-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/4864-97-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/4864-99-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/4864-58-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/4864-22-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/4864-123-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB

                                                  • memory/4864-17-0x0000000000400000-0x0000000000470000-memory.dmp

                                                    Filesize

                                                    448KB