Analysis

  • max time kernel
    147s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/08/2024, 09:16

General

  • Target

    c4b5c435640c8d3ff617c26aedc1ec71_JaffaCakes118.rtf

  • Size

    2.0MB

  • MD5

    c4b5c435640c8d3ff617c26aedc1ec71

  • SHA1

    7e0fb054a5e79c923de01262b603d3bf3da06c25

  • SHA256

    8cc49c2ec80f755f0301768a32fd5ba3ba84d21d9a5c4737137f5d1c28211c4e

  • SHA512

    f83687805172194210e8aff9a9bf32d968a6cedf79159be75bbb9b239260bbd605a08056d2424023aa547b36d7f994ae2257ca5c46fd5a37e8a186fb6aded944

  • SSDEEP

    24576:gopSTEOUpl4BSSJQ3x1JKzpYP9zr7gR4mRSc02IcFN8pKKx72vQ7Tt2tQRn1f6MQ:2

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

  • Modifies firewall policy service 3 TTPs 4 IoCs
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
  • Looks for VMWare services registry key. 1 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    Removes IFEO (Image File Execution Options) entries.

  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Office loads VBA resources, possible macro or embedded object present
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
  • Launches Equation Editor 1 TTPs 2 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1164
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1200
        • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
          "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\c4b5c435640c8d3ff617c26aedc1ec71_JaffaCakes118.rtf"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2764
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
            3⤵
            • Process spawned unexpected child process
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2592
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat
              4⤵
              • Looks for VMWare services registry key.
              • Loads dropped DLL
              • Checks whether UAC is enabled
              • Maps connected drives based on registry
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2600
              • C:\Windows\SysWOW64\timeout.exe
                TIMEOUT 1
                5⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:2628
              • C:\Users\Admin\AppData\Local\Temp\exe.exe
                C:\Users\Admin\AppData\Local\Temp\ExE.ExE
                5⤵
                • Drops startup file
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2860
                • C:\Windows\SysWOW64\explorer.exe
                  "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2000
              • C:\Windows\SysWOW64\taskkill.exe
                TASKKILL /F /IM winword.exe
                5⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2876
              • C:\Windows\SysWOW64\reg.exe
                reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2928
              • C:\Windows\SysWOW64\reg.exe
                reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2944
              • C:\Windows\SysWOW64\reg.exe
                reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2960
              • C:\Windows\SysWOW64\reg.exe
                reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
                5⤵
                • System Location Discovery: System Language Discovery
                PID:3048
              • C:\Windows\SysWOW64\reg.exe
                reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2084
              • C:\Windows\SysWOW64\reg.exe
                reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
                5⤵
                • System Location Discovery: System Language Discovery
                PID:3060
              • C:\Windows\SysWOW64\reg.exe
                reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
                5⤵
                • System Location Discovery: System Language Discovery
                PID:3036
              • C:\Windows\SysWOW64\reg.exe
                reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
                5⤵
                • System Location Discovery: System Language Discovery
                PID:1272
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:1724
                • C:\Windows\SysWOW64\reg.exe
                  REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:1420
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:1636
                • C:\Windows\SysWOW64\reg.exe
                  REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2480
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:1124
                • C:\Windows\SysWOW64\reg.exe
                  REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2540
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2892
                • C:\Windows\SysWOW64\reg.exe
                  REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:592
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:1492
                • C:\Windows\SysWOW64\reg.exe
                  REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:560
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:1148
                • C:\Windows\SysWOW64\reg.exe
                  REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:1484
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2428
                • C:\Windows\SysWOW64\reg.exe
                  REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2136
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:2352
                • C:\Windows\SysWOW64\reg.exe
                  REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2376
              • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
                "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\RestorePing.docx"
                5⤵
                • Looks for VMWare services registry key.
                • Maps connected drives based on registry
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Suspicious behavior: AddClipboardFormatListener
                • Suspicious use of SetWindowsHookEx
                PID:2116
                • C:\Windows\splwow64.exe
                  C:\Windows\splwow64.exe 12288
                  6⤵
                    PID:2880
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
              3⤵
              • Process spawned unexpected child process
              • System Location Discovery: System Language Discovery
              PID:2516
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1340
          • C:\Windows\system32\conhost.exe
            \??\C:\Windows\system32\conhost.exe "-401897851-683933480-588613960-345291276-21185956541746666654-2138751-578542688"
            1⤵
              PID:1984
            • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
              "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
              1⤵
              • System Location Discovery: System Language Discovery
              • Launches Equation Editor
              • Suspicious use of WriteProcessMemory
              PID:2500
              • C:\Windows\SysWOW64\CmD.exe
                CmD /C %TmP%\TasK.BaT & UUUUUUUU c
                2⤵
                • System Location Discovery: System Language Discovery
                PID:2568
            • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
              "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
              1⤵
              • System Location Discovery: System Language Discovery
              • Launches Equation Editor
              PID:1680
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
              1⤵
                PID:1080
                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
                  2⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:576
                  • C:\Windows\SysWOW64\svchost.exe
                    "C:\Windows\system32\svchost.exe"
                    3⤵
                    • Event Triggered Execution: Image File Execution Options Injection
                    • Indicator Removal: Clear Persistence
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Checks processor information in registry
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1872
                    • C:\Windows\SysWOW64\explorer.exe
                      C:\Windows\SysWOW64\explorer.exe
                      4⤵
                      • Modifies firewall policy service
                      • Event Triggered Execution: Image File Execution Options Injection
                      • Checks BIOS information in registry
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • System Location Discovery: System Language Discovery
                      • Checks processor information in registry
                      • Enumerates system info in registry
                      • Modifies Internet Explorer Protected Mode
                      • Modifies Internet Explorer Protected Mode Banner
                      • Modifies Internet Explorer settings
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1352

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\2nd.bat

                Filesize

                2KB

              • C:\Users\Admin\AppData\Local\Temp\decoy.doc

                Filesize

                191B

              • C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct

                Filesize

                432B

              • C:\Users\Admin\AppData\Local\Temp\task.bat

                Filesize

                149B

              • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

                Filesize

                19KB

              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

                Filesize

                392B

              • \Users\Admin\AppData\Local\Temp\exe.exe

                Filesize

                1016KB
