Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/02/2025, 01:42

General

  • Target

    c6628f8a246ea6922019236758da7c4429462dabf3b54d3d5b5ee5df6639ae58.exe

  • Size

    909KB

  • MD5

    e4867f55b3f1aefa733a5a0857d17123

  • SHA1

    40221d838aeeeb9c20ae756f0ad5a98bd69fc0c0

  • SHA256

    c6628f8a246ea6922019236758da7c4429462dabf3b54d3d5b5ee5df6639ae58

  • SHA512

    6abdf3d769ac2818217e901e94db06c930056d2cda652324cd6e5fbcb84a77f04d83f644af46d6acd8030a8dca2e0351647532c9fa7f88eb984cf06d2390d948

  • SSDEEP

    12288:0C3R4yaY+g0D9D+fw8ZAd+ZjxGLWhWuDb5B9304KuI4biDBfR5j5TzIBCZYu+fQj:00fwyQ+ZJBH3Ih4biDLTmAYu+oA0Ar25

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    inhanoi.net.vn
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ^TSt3!FK$UBA

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://inhanoi.net.vn
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ^TSt3!FK$UBA

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Agenttesla family
  • Guloader family
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Loads dropped DLL 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6628f8a246ea6922019236758da7c4429462dabf3b54d3d5b5ee5df6639ae58.exe
    "C:\Users\Admin\AppData\Local\Temp\c6628f8a246ea6922019236758da7c4429462dabf3b54d3d5b5ee5df6639ae58.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3324
    • C:\Users\Admin\AppData\Local\Temp\c6628f8a246ea6922019236758da7c4429462dabf3b54d3d5b5ee5df6639ae58.exe
      "C:\Users\Admin\AppData\Local\Temp\c6628f8a246ea6922019236758da7c4429462dabf3b54d3d5b5ee5df6639ae58.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:780
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUFDNEQwNDAtMDU2OS00Q0FBLUFGN0MtMkZEMjRGN0ZCRTgwfSIgdXNlcmlkPSJ7MUJDMEYxMEQtMzM5RC00OTQ2LUE3MDgtMTE0MzRDREI0OUY5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjJDODRFQjUtQUFGQi00NTBCLUI5MUMtRDk2NTYzQjIyRTExfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDEyODEwNDIyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:1668
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUFDNEQwNDAtMDU2OS00Q0FBLUFGN0MtMkZEMjRGN0ZCRTgwfSIgdXNlcmlkPSJ7MUJDMEYxMEQtMzM5RC00OTQ2LUE3MDgtMTE0MzRDREI0OUY5fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InswQTYzQTA3NS01MzRCLTQzQTktQkFBMy04MjcyRUFCRjQwRjB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGNvaG9ydD0icnJmQDAuMDMiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7RTI4NTFCQkUtMjExMy00NDE2LTk1MTMtNjEyMDM2MTI5Q0RBfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSIxIiBpc19waW5uZWRfc3lzdGVtPSJ0cnVlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM0MjMwMTQ4MjcyMjgwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iMiIgcj0iMiIgYWQ9IjY2MTIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0ie0Q4MkM3QTY3LThDOTItNDJERC1BRkJDLUVBQ0E3MDhDQ0JGMX0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZT0iNjYwOCIgY29ob3J0PSJycmZAMC40NCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIyIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins1RkUzRjIxRC01OUNGLTRGN0YtODAxMi05OTg3QjMzNjk0QzZ9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:1404
  • C:\Windows\SysWOW64\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5108" "948" "988" "996" "0" "0" "0" "0" "0" "0" "0" "0"
    1⤵
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:1488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

    Filesize

    391KB

    MD5

    8175fb08ddbb06d187451153c1c6770c

    SHA1

    526f06146f8143236684d448dae121f508d4cfce

    SHA256

    8345fe00578d13013339a3a5a5da8756609a3483486d29d59f1ef80feb06c243

    SHA512

    9d423b3166b98f4baae49fd67f31f5ce495cd2fac92d89535e4eee948db42ed6bd82dc29b021525a0f00a65e30b074471ca98fa1a99299aeb63bc0530753cca4

  • C:\Users\Admin\AppData\Local\Temp\nsfEB49.tmp

    Filesize

    1B

    MD5

    8ce4b16b22b58894aa86c421e8759df3

    SHA1

    13fbd79c3d390e5d6585a21e11ff5ec1970cff0c

    SHA256

    8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a

    SHA512

    2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

  • C:\Users\Admin\AppData\Local\Temp\nsfEB49.tmp

    Filesize

    2B

    MD5

    25bc6654798eb508fa0b6343212a74fe

    SHA1

    15d5e1d3b948fd5986aaff7d9419b5e52c75fc93

    SHA256

    8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc

    SHA512

    5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

  • C:\Users\Admin\AppData\Local\Temp\nsfEB49.tmp

    Filesize

    3B

    MD5

    4e27f2226785e9abbe046fc592668860

    SHA1

    28b18a7f383131df509f7191f946a32c5a2e410c

    SHA256

    01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d

    SHA512

    2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

  • C:\Users\Admin\AppData\Local\Temp\nsfEB49.tmp

    Filesize

    4B

    MD5

    cde63b34c142af0a38cbe83791c964f8

    SHA1

    ece2b194b486118b40ad12c1f0e9425dd0672424

    SHA256

    65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d

    SHA512

    0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

  • C:\Users\Admin\AppData\Local\Temp\nsfEB49.tmp

    Filesize

    5B

    MD5

    e2fecc970546c3418917879fe354826c

    SHA1

    63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

    SHA256

    ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

    SHA512

    3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

  • C:\Users\Admin\AppData\Local\Temp\nsfEB49.tmp

    Filesize

    17B

    MD5

    26b5d572c05bd48008d83ec69a9fe7d8

    SHA1

    f030b576e69f6071fffee62f3d4447a4ae004812

    SHA256

    54dc16ada6e12dd1bb2ade6f6c3b9d0e51ebc00568d8022e19cd542620ca8752

    SHA512

    1a78242b3184d3316b53c8e329c2878c2eefb821aff0363b620ed906e7fa745375160015e9c6639a616a5767be6ba0829faf0332404bec85f412720cdb7a6f57

  • C:\Users\Admin\AppData\Local\Temp\nsfEB49.tmp

    Filesize

    7B

    MD5

    67cfa7364c4cf265b047d87ff2e673ae

    SHA1

    56e27889277981a9b63fcf5b218744a125bbc2fa

    SHA256

    639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713

    SHA512

    17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

  • C:\Users\Admin\AppData\Local\Temp\nsfEB49.tmp

    Filesize

    18B

    MD5

    cd0c38af71efb097ce402c588b17ff09

    SHA1

    8da4e54a7b95932f752a88ea416fa31d0c7c2fbe

    SHA256

    1630fc3705a57982a8939a6550615a92d8998f0c3394caeca0ae3019427ec50a

    SHA512

    03603368dbca419de6ad8ef10bb6c9670e83f06d2b3b7d7b5ebccf255473d7abb1cca1c7e0f2c2d49cd3f84c599ee5e71b03582567c95f3f76d5e54931a6ed06

  • C:\Users\Admin\AppData\Local\Temp\nsfEB49.tmp

    Filesize

    60B

    MD5

    c8c4b643d9ae67ff6236799535a2ad4f

    SHA1

    612d182cfe15984f2bf116474c957a1132393f52

    SHA256

    680bd2f9d87bf11af7d6226f94aece926b1e9a311524e19da822e13873127a95

    SHA512

    afbb3337dcde9056886609f9f88741c56de5570c0896045a5b384c53d4dbee752fcb26aee1789703ae7841edd49cd031d0b54555f71f7503a2d53dd26266baad

  • C:\Users\Admin\AppData\Local\Temp\nsgEBE7.tmp

    Filesize

    9B

    MD5

    2b3884fe02299c565e1c37ee7ef99293

    SHA1

    d8e2ef2a52083f6df210109fea53860ea227af9c

    SHA256

    ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858

    SHA512

    aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

  • C:\Users\Admin\AppData\Local\Temp\nsgEBE7.tmp

    Filesize

    10B

    MD5

    9a53fc1d7126c5e7c81bb5c15b15537b

    SHA1

    e2d13e0fa37de4c98f30c728210d6afafbb2b000

    SHA256

    a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92

    SHA512

    b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

  • C:\Users\Admin\AppData\Local\Temp\nsgEBE7.tmp

    Filesize

    25B

    MD5

    0064e905a25d25e9da3e091fec6128b4

    SHA1

    0916142d8dbc95b1603767e67e28d3abcca8f89f

    SHA256

    dbb07eb4882c53ce57bb0aa8a0707ee7e4be2a12fee11e1d17e843ec4edeba9f

    SHA512

    b94e4dfea2f088a2838174b1650ca9d3fe4e4cb75bb67e3770fbcfb277e09daaa05bbc2686744852e56db010a81a1f48da0da3b5be05470a297a58142c8bbc49

  • C:\Users\Admin\AppData\Local\Temp\nsgEBE7.tmp

    Filesize

    45B

    MD5

    8eef27645d7053f43c4475448a9cda79

    SHA1

    c17e04a15cf48b2efd548e5f8fce01f3a02fa964

    SHA256

    d5f19a010da7882ac4587ec8c0838e5b4a8b32acfeb8965bddb49d9f4321bb3e

    SHA512

    00be8657456a2b0ada41c58d01aca96a6cebaf33861fc62b9e605386729d7a960146419e468c537d7d42b0fa7d1087662615e8534347746081788cb8232dd24b

  • C:\Users\Admin\AppData\Local\Temp\nspEA4C.tmp

    Filesize

    54B

    MD5

    8e69760955a717be873f8253ebc6905b

    SHA1

    c813b0cc54451465777460ef2f46bc98c273c739

    SHA256

    3159fb26988fd82c5a652bdf09e65bb021011a4f8953f009c0a7d893149a9c8e

    SHA512

    16de94f841400aeffd2b67ca45e807da10023229f667f746b8fc7b127c347d843ff51b822191e656a94b63d8c8187c928d40113914d34570136c878b64279600

  • C:\Users\Admin\AppData\Local\Temp\nspEA4C.tmp

    Filesize

    59B

    MD5

    42d9107b0a7dcefc04b2f720704232c6

    SHA1

    c1d191f3c1f96b4d587f76a5335bd52a53521748

    SHA256

    5745e24f1d2217560ffd59274adb500eb2b350a3fcc86cda4e6181fbe4f96ece

    SHA512

    9b2d770cccc6966625fc63e6c8eb4410a35d656710494851ab4f5f6e94427819b1197370b54be88ad1f4fed76fe7a005e03314a87e69d6876940c8c0eacc5904

  • C:\Users\Admin\AppData\Local\Temp\nspEA4D.tmp\System.dll

    Filesize

    11KB

    MD5

    960a5c48e25cf2bca332e74e11d825c9

    SHA1

    da35c6816ace5daf4c6c1d57b93b09a82ecdc876

    SHA256

    484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

    SHA512

    cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

  • memory/780-598-0x00000000007F0000-0x0000000001A44000-memory.dmp

    Filesize

    18.3MB

  • memory/780-594-0x0000000001A50000-0x0000000002DC1000-memory.dmp

    Filesize

    19.4MB

  • memory/780-608-0x00000000007F0000-0x0000000001A44000-memory.dmp

    Filesize

    18.3MB

  • memory/780-609-0x0000000001A50000-0x0000000002DC1000-memory.dmp

    Filesize

    19.4MB

  • memory/780-610-0x00000000007F0000-0x0000000000830000-memory.dmp

    Filesize

    256KB

  • memory/780-611-0x0000000035B70000-0x0000000036114000-memory.dmp

    Filesize

    5.6MB

  • memory/780-612-0x00000000362B0000-0x0000000036316000-memory.dmp

    Filesize

    408KB

  • memory/780-615-0x0000000036E00000-0x0000000036E50000-memory.dmp

    Filesize

    320KB

  • memory/780-616-0x0000000036E50000-0x0000000036EEC000-memory.dmp

    Filesize

    624KB