Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    14/08/2024, 21:20

General

  • Target

    2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    aee166a4d3f20d04a52bda276a93e292

  • SHA1

    faa79e770d7fddcfab812e7ea9a48a042f76c371

  • SHA256

    f9890e500017842ef38ae3a3c923e7cef669f9a2a495f127e0b708e0629a8639

  • SHA512

    8abcf9cfd725c71b1a552313091534511526a32bef669ca6fb1fdddd48621b05892d58084d66d81520dbc68c7897fcd3644c843d12f532cd002356b584de42e1

  • SSDEEP

    49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lZ:RWWBibj56utgpPFotBER/mQ32lUl

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 39 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\System\CupArAq.exe
      C:\Windows\System\CupArAq.exe
      2⤵
      • Executes dropped EXE
      PID:1500
    • C:\Windows\System\IiswCcs.exe
      C:\Windows\System\IiswCcs.exe
      2⤵
      • Executes dropped EXE
      PID:1292
    • C:\Windows\System\lTuUesp.exe
      C:\Windows\System\lTuUesp.exe
      2⤵
      • Executes dropped EXE
      PID:2804
    • C:\Windows\System\vPczCsa.exe
      C:\Windows\System\vPczCsa.exe
      2⤵
      • Executes dropped EXE
      PID:2800
    • C:\Windows\System\stnXumI.exe
      C:\Windows\System\stnXumI.exe
      2⤵
      • Executes dropped EXE
      PID:2908
    • C:\Windows\System\JyzeMlv.exe
      C:\Windows\System\JyzeMlv.exe
      2⤵
      • Executes dropped EXE
      PID:2628
    • C:\Windows\System\PcjdWZb.exe
      C:\Windows\System\PcjdWZb.exe
      2⤵
      • Executes dropped EXE
      PID:2740
    • C:\Windows\System\mANJUoA.exe
      C:\Windows\System\mANJUoA.exe
      2⤵
      • Executes dropped EXE
      PID:2896
    • C:\Windows\System\SrZXdEF.exe
      C:\Windows\System\SrZXdEF.exe
      2⤵
      • Executes dropped EXE
      PID:2668
    • C:\Windows\System\sMoeIYJ.exe
      C:\Windows\System\sMoeIYJ.exe
      2⤵
      • Executes dropped EXE
      PID:2652
    • C:\Windows\System\kzJmFBp.exe
      C:\Windows\System\kzJmFBp.exe
      2⤵
      • Executes dropped EXE
      PID:2548
    • C:\Windows\System\PhthMmy.exe
      C:\Windows\System\PhthMmy.exe
      2⤵
      • Executes dropped EXE
      PID:808
    • C:\Windows\System\dkBoNoO.exe
      C:\Windows\System\dkBoNoO.exe
      2⤵
      • Executes dropped EXE
      PID:316
    • C:\Windows\System\wfGIFjn.exe
      C:\Windows\System\wfGIFjn.exe
      2⤵
      • Executes dropped EXE
      PID:1748
    • C:\Windows\System\DQawMLa.exe
      C:\Windows\System\DQawMLa.exe
      2⤵
      • Executes dropped EXE
      PID:3012
    • C:\Windows\System\JbWwINU.exe
      C:\Windows\System\JbWwINU.exe
      2⤵
      • Executes dropped EXE
      PID:2912
    • C:\Windows\System\gspsYwc.exe
      C:\Windows\System\gspsYwc.exe
      2⤵
      • Executes dropped EXE
      PID:2936
    • C:\Windows\System\SestRjd.exe
      C:\Windows\System\SestRjd.exe
      2⤵
      • Executes dropped EXE
      PID:2924
    • C:\Windows\System\wecqzFc.exe
      C:\Windows\System\wecqzFc.exe
      2⤵
      • Executes dropped EXE
      PID:3064
    • C:\Windows\System\fypniOZ.exe
      C:\Windows\System\fypniOZ.exe
      2⤵
      • Executes dropped EXE
      PID:2344
    • C:\Windows\System\eYrAkYz.exe
      C:\Windows\System\eYrAkYz.exe
      2⤵
      • Executes dropped EXE
      PID:2192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\DQawMLa.exe

    Filesize

    5.2MB

    MD5

    90c8bd0a138c253746c6fa9337bdc884

    SHA1

    3489157b2cc8642c58985b07ba1c9f40b4b7f635

    SHA256

    8bf4c531e74cd70abe1bae52e5c237f5bffbea117de20fc52be7c6295ca95ab8

    SHA512

    737afa3f63ad852bf9cb69bbb47b835aaae8303da0210649b27497479a31028736beb04e37b405545dc4d4cd8d9974e7e8e81252af898a52ce1a27c5b5efd6f3

  • C:\Windows\system\IiswCcs.exe

    Filesize

    5.2MB

    MD5

    7e4bea86398f8e1af5d2344ce241e108

    SHA1

    f2779bf7812a9e3f23b59332da65da392a58ac8b

    SHA256

    5f4d337ff7a2b9804614ce17cdd32880e08aa2eff13b0f12dbf32693cd64ff34

    SHA512

    36c8622dd842eb5fcd42dc3dc035baca5f69081a42e14e505676c17cab93a7a9524b0384d437b0ad438c1c6312a4f21ebf90fc5167a42af187753db5cf215050

  • C:\Windows\system\JbWwINU.exe

    Filesize

    5.2MB

    MD5

    247ea2be0ec1c3f98090de212a858c00

    SHA1

    8c47ac35bb855ba79706f0cdee9f115e18423970

    SHA256

    0e955b10187924ba3ce541123f197ddedc7bcd1b7036898ac485d72801bbbd77

    SHA512

    74453e4fa582a033217407352395424551c86926c4568b91875da391a15f4669cc8e782b6b3a07c58a0b4ad0cee184d5b88581d4cad51c0bd70612f93415fba6

  • C:\Windows\system\JyzeMlv.exe

    Filesize

    5.2MB

    MD5

    4169e378ae809604eb73bfd10d9bb33a

    SHA1

    20b92c6cc923a715cef84c415fd7b9bdf9cc11d4

    SHA256

    fe550399fc13ece380241c5ba03a596e01752d32a9b128e7d65c50d780095fcc

    SHA512

    16e9d8f03d848b5795cd50eaf69a17bd66af784f9c8b85c60090341455adf8d45003fde13c497f49b6c738f7f2c0dcdc11468aa275c1acd57cb415e5b69e23cf

  • C:\Windows\system\PcjdWZb.exe

    Filesize

    5.2MB

    MD5

    af5f99fbe4007c7c703205e60fbc9c89

    SHA1

    b6f9d701c77d60c74049817bb198b39fd0cc55f5

    SHA256

    a819debd71fcd71aeca06d379dbd0d3bc1c8a20e1c18d57f6bba3fc760efaffc

    SHA512

    45371004dda16fb390d4b4874600ca44063978295dee3bc0d9b64dc153afa972308c9a986e8dc6273185d6bca25da2430db1b62291ddfd601fffbcca950d8aa2

  • C:\Windows\system\PhthMmy.exe

    Filesize

    5.2MB

    MD5

    71af8917fa96351c90e0195278185e6e

    SHA1

    b341e1fd11117456994a15c71c3f9b9aa626b75a

    SHA256

    8fa295b4defe2fa36739726cbf9d68358b719818eb708f76a90ea2e207441228

    SHA512

    f86274face99e616ba6b53bb5337cb5bb00f958ccd2b65eb35d302e15abecb1b0960043008e1dcf5cef9498c6267d244b2bc5bbef39b314c017bdab8bac0a49a

  • C:\Windows\system\SestRjd.exe

    Filesize

    5.2MB

    MD5

    bf60d78603cf22aeac1a600c32ff9f11

    SHA1

    fc4208625ce67f65a01315e8a4f0606ed574be52

    SHA256

    fc4aeb17e1f437d3909f6f4f1d01332102394d9534b4cd64326c7ecf99f07295

    SHA512

    e62e70f8043b75bd774d27419f1e38333f05714e02661dd9d9377b009c6ea75271bf852ce4d9855317f4a515598766b896190ddce83895b8ae770ef4bd2a814e

  • C:\Windows\system\SrZXdEF.exe

    Filesize

    5.2MB

    MD5

    2b89302075a557901d005bdf12628809

    SHA1

    3fa4a03ebd0deec64927f0bcf5bec62703b209c5

    SHA256

    1f36ab8f5aa4702a139ed5e0fecf2ff64f865de7562fd83be130e1f4b5a97772

    SHA512

    e3e85d43f621c2c03974e7fb80065dec9d41ec0ea9be9c8e75e369531beebd8f5c0a6e93ac0ed6749b4635d34488e66802eced7cf19ce707b232d9bf20acff02

  • C:\Windows\system\dkBoNoO.exe

    Filesize

    5.2MB

    MD5

    7dbaff32ca609343234cce67a5c8c80c

    SHA1

    b9c15a0bf33fd7c5bac69dd58c1e21579b8ccf8c

    SHA256

    9a412f29f8a1ecfbadf9062c8624f876a0180dc426ff5ca859650acb11e8c59b

    SHA512

    2a1fc0bf8665f700458591e83514b750c16c544f9b22b2fe923120c18c1ec9466ddc4518951121b9f9c3e68c9a290173474807e5d0ed23c4cf94d03c449e6fde

  • C:\Windows\system\fypniOZ.exe

    Filesize

    5.2MB

    MD5

    d12eb47a1a6eb4f0772cc2308c4c7b70

    SHA1

    c339f9da15af84c84853080e9da050d1318480b8

    SHA256

    0bdd67d23e5fe389e4fc9d4aed63294264ad2b606cd988e34b8ea4f8a9fb3c20

    SHA512

    da2e17873b0b1eb587aa2cc9f1986a21a0925ba73d3270e86be933d4845db30cd4fb55c44302179e6bd113b16787940c259283b9373129d9fce2514e7d6c6806

  • C:\Windows\system\gspsYwc.exe

    Filesize

    5.2MB

    MD5

    271790b834c249e67a807abd240ccf45

    SHA1

    4aa95faa0d576e6608684b745e2096b463bbd614

    SHA256

    c26c5390dbf4cc5040ba7ee514f0ab9fcb07a418ac4172048b2b1b45845e2475

    SHA512

    152a2468fef78a8c6d42ab30a240de1b86be721654c2084ee21a738b45fee8523e1a6f0258d5a1b2ce7e6061af5904bbecb62b5873dd90eea6747c7408c20bbd

  • C:\Windows\system\kzJmFBp.exe

    Filesize

    5.2MB

    MD5

    43301a0e56127ceae73a43c69d03df5b

    SHA1

    0dad59836c92254b1eb7e9caa4773872e7e1d2bd

    SHA256

    ac101b00ac5bb08b8e1e6fa910f9948f07194e5bcc4aeafad639ba5cb8402ebb

    SHA512

    c70f82f376c8260fb4b1261a5b2d7c04aa3493a3eff5ff313eee9527e5c265a8ca4b58a8f2c6572b678f972305689e267bde6d4483893ee973966f0efefdba98

  • C:\Windows\system\lTuUesp.exe

    Filesize

    5.2MB

    MD5

    bc6cadb18c39ff32d1e7e458dac279fa

    SHA1

    8ac26e36a66ae183ac88e91c33c6463364f4e6b5

    SHA256

    c3da0cb6aac83c83afe971ab273eecf94d78dda41b575b7c83012409ec9a25ea

    SHA512

    22f0464d4d983d033c78b34b689c7c06a924dcca55b12782f2ee60f07c51fffd374fa8266872f649d3ba51a4855e522e1e4d6c3963bf194306cc0dd40f4e3e73

  • C:\Windows\system\mANJUoA.exe

    Filesize

    5.2MB

    MD5

    af66bc4b65d0f7eb9896eeb8a1e1b27f

    SHA1

    cabf37fc0c0f5b5ad52b8640952ac5e71bf93ddf

    SHA256

    123ee2098e1d00e2a41446f4bebbf22f6f8157a12e5fc426bdc30d08a03d1fff

    SHA512

    a594142fd7179111d79178a0ca2537c76dca71733fcb55604a26bf2abe008d1e632e696c4cf84961209b582c65e8ef14cf37f28dd43394cf310e03406ab0a88f

  • C:\Windows\system\stnXumI.exe

    Filesize

    5.2MB

    MD5

    544ee3e4d1abadf995f3f72e61ab966a

    SHA1

    a21b27552f5d3f1c2f468dbbb6e984a1a9e1d12d

    SHA256

    97be945dc7d9f3cc64b6f989b46f4fd00d93e3635ca13b5dfff206d5207615ec

    SHA512

    9b4d07727c0075f9cfe4477987151f6763a1534a080670259d2e414e3f2be3c7f877e96d7fb33cb481c062b7c5e1e1c8a849661b118dfe5a75b803ad9123ca0b

  • C:\Windows\system\vPczCsa.exe

    Filesize

    5.2MB

    MD5

    54a1f2ab20c3d434791c9da3302e3600

    SHA1

    f898094de0c2176ba4663c35e1bd3439953c8cfc

    SHA256

    7c3c35a38affc5ead467ab84c8035449f3701de7a07205bbd9eab27454a44343

    SHA512

    a2bc05b0553566f60d042437b7e9c17f108cfa7360718a506e91ddddf1552d095a9ef846ecbafbb39a543c38824168d63156520d0d17cd692df6162c6badd31b

  • C:\Windows\system\wecqzFc.exe

    Filesize

    5.2MB

    MD5

    0a39f99983df4b5ee6dd0004c39f6fe3

    SHA1

    5956124c5ce48dddd3acf098750e33b32640e428

    SHA256

    7374e3919154c5052b5070d4472ddff2f247245d6e32ff326ccc7ae91372eb35

    SHA512

    8fe657208c3e6c19c4018ab723fd199987266f97ac06474c7866c1f7ca9dc3ab41b56ad4353b2b18d6a2c790c6390ae41087a6c9349b426cda0a73bd04ba36a4

  • C:\Windows\system\wfGIFjn.exe

    Filesize

    5.2MB

    MD5

    61fe24790d9d6736ec8adfa4727667d1

    SHA1

    75a406c0ecc70e6d10315dfa3aeeb51ad146fd93

    SHA256

    8bc87ded84701f763d45e615d6f928f8f3ec2d215de612ce1affc077d02a70b2

    SHA512

    919bec8e60554c75accf9acc588cc872aa556f61bd8bb86829f4affcc85c3133a129ec1aa9b51e449d0cd4459bc95eed1ea0e07c16ea582eb861ecd767b9e0cb

  • \Windows\system\CupArAq.exe

    Filesize

    5.2MB

    MD5

    e4d34b1eac24f6abd437eb2bf47a0040

    SHA1

    c9e266980412148f1dfc89b8e7bdfffb078fbeca

    SHA256

    497ce566297b5ec16573dd4609739ecc7f4a5f17575becd9d544f7bd1af0ed98

    SHA512

    2f7389259231a6e3766b4cac9b5dce7ab052144108f7b00793b3517bac9732ab01f13127056ca699f9170098e402f36d27eb8ddcbfa87a7f423d991d97c702b8

  • \Windows\system\eYrAkYz.exe

    Filesize

    5.2MB

    MD5

    1c514e7ed10b51b92b6563c604a81d32

    SHA1

    5132182ac0f7de5727995574001a83720e4d6553

    SHA256

    6aca55bf845220ebdd72dbf3d083e0242df591e3edd2a7511bc3970fcdde4d13

    SHA512

    e2c50d953e0c60fbe4b6f5b522f95d643d08aa6619b7e64c82c37e47e023b78731b5f9cee46b5f2a8fc31ff568602709d3fc21dc1b2c16a060d557abce038d82

  • \Windows\system\sMoeIYJ.exe

    Filesize

    5.2MB

    MD5

    e226fb4299faf404e0d8de00147db77b

    SHA1

    de60f0d54a4d8cc26b5e5ca6ea437a2d26f82c87

    SHA256

    5a877ac55d6a1b57a4dbb5f225e88935640484e5caf9b478482f200ff1c39c5f

    SHA512

    0edfc984e778116bafefb7da5908cddf6330795b291e835b245432be1317955bc85facd0b8b1d8c20fbcbbcbfdb1982d01f96f3c1f01148c657452d1b9c25374

  • memory/316-252-0x000000013F8B0000-0x000000013FC01000-memory.dmp

    Filesize

    3.3MB

  • memory/316-91-0x000000013F8B0000-0x000000013FC01000-memory.dmp

    Filesize

    3.3MB

  • memory/316-154-0x000000013F8B0000-0x000000013FC01000-memory.dmp

    Filesize

    3.3MB

  • memory/808-153-0x000000013FD40000-0x0000000140091000-memory.dmp

    Filesize

    3.3MB

  • memory/808-250-0x000000013FD40000-0x0000000140091000-memory.dmp

    Filesize

    3.3MB

  • memory/808-84-0x000000013FD40000-0x0000000140091000-memory.dmp

    Filesize

    3.3MB

  • memory/1292-16-0x000000013F710000-0x000000013FA61000-memory.dmp

    Filesize

    3.3MB

  • memory/1292-214-0x000000013F710000-0x000000013FA61000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-41-0x0000000002220000-0x0000000002571000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-98-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-163-0x0000000002220000-0x0000000002571000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-54-0x000000013FE20000-0x0000000140171000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-48-0x000000013FA00000-0x000000013FD51000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-6-0x000000013F070000-0x000000013F3C1000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-61-0x000000013F5D0000-0x000000013F921000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-187-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-0-0x000000013F5D0000-0x000000013F921000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-1-0x00000000000F0000-0x0000000000100000-memory.dmp

    Filesize

    64KB

  • memory/1316-35-0x000000013FBB0000-0x000000013FF01000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-164-0x000000013F5D0000-0x000000013F921000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-166-0x000000013FD40000-0x0000000140091000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-139-0x000000013F5D0000-0x000000013F921000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-28-0x000000013FB10000-0x000000013FE61000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-104-0x000000013FD80000-0x00000001400D1000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-15-0x0000000002220000-0x0000000002571000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-188-0x000000013FD80000-0x00000001400D1000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-83-0x000000013F980000-0x000000013FCD1000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-22-0x000000013F980000-0x000000013FCD1000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-90-0x0000000002220000-0x0000000002571000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-76-0x0000000002220000-0x0000000002571000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-70-0x000000013F070000-0x000000013F3C1000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-8-0x000000013F070000-0x000000013F3C1000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-213-0x000000013F070000-0x000000013F3C1000-memory.dmp

    Filesize

    3.3MB

  • memory/1748-155-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1748-254-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1748-99-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

    Filesize

    3.3MB

  • memory/2192-162-0x000000013F650000-0x000000013F9A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2344-161-0x000000013FC40000-0x000000013FF91000-memory.dmp

    Filesize

    3.3MB

  • memory/2548-248-0x000000013F5B0000-0x000000013F901000-memory.dmp

    Filesize

    3.3MB

  • memory/2548-77-0x000000013F5B0000-0x000000013F901000-memory.dmp

    Filesize

    3.3MB

  • memory/2548-152-0x000000013F5B0000-0x000000013F901000-memory.dmp

    Filesize

    3.3MB

  • memory/2628-103-0x000000013F650000-0x000000013F9A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2628-227-0x000000013F650000-0x000000013F9A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2628-42-0x000000013F650000-0x000000013F9A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2652-235-0x000000013FFB0000-0x0000000140301000-memory.dmp

    Filesize

    3.3MB

  • memory/2652-71-0x000000013FFB0000-0x0000000140301000-memory.dmp

    Filesize

    3.3MB

  • memory/2668-150-0x000000013F130000-0x000000013F481000-memory.dmp

    Filesize

    3.3MB

  • memory/2668-143-0x000000013F130000-0x000000013F481000-memory.dmp

    Filesize

    3.3MB

  • memory/2668-263-0x000000013F130000-0x000000013F481000-memory.dmp

    Filesize

    3.3MB

  • memory/2668-63-0x000000013F130000-0x000000013F481000-memory.dmp

    Filesize

    3.3MB

  • memory/2740-62-0x000000013FA00000-0x000000013FD51000-memory.dmp

    Filesize

    3.3MB

  • memory/2740-231-0x000000013FA00000-0x000000013FD51000-memory.dmp

    Filesize

    3.3MB

  • memory/2740-142-0x000000013FA00000-0x000000013FD51000-memory.dmp

    Filesize

    3.3MB

  • memory/2800-30-0x000000013FB10000-0x000000013FE61000-memory.dmp

    Filesize

    3.3MB

  • memory/2800-89-0x000000013FB10000-0x000000013FE61000-memory.dmp

    Filesize

    3.3MB

  • memory/2800-223-0x000000013FB10000-0x000000013FE61000-memory.dmp

    Filesize

    3.3MB

  • memory/2804-23-0x000000013F980000-0x000000013FCD1000-memory.dmp

    Filesize

    3.3MB

  • memory/2804-221-0x000000013F980000-0x000000013FCD1000-memory.dmp

    Filesize

    3.3MB

  • memory/2896-229-0x000000013FE20000-0x0000000140171000-memory.dmp

    Filesize

    3.3MB

  • memory/2896-55-0x000000013FE20000-0x0000000140171000-memory.dmp

    Filesize

    3.3MB

  • memory/2908-97-0x000000013FBB0000-0x000000013FF01000-memory.dmp

    Filesize

    3.3MB

  • memory/2908-225-0x000000013FBB0000-0x000000013FF01000-memory.dmp

    Filesize

    3.3MB

  • memory/2908-36-0x000000013FBB0000-0x000000013FF01000-memory.dmp

    Filesize

    3.3MB

  • memory/2912-157-0x000000013F3E0000-0x000000013F731000-memory.dmp

    Filesize

    3.3MB

  • memory/2924-159-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

    Filesize

    3.3MB

  • memory/2936-158-0x000000013F0B0000-0x000000013F401000-memory.dmp

    Filesize

    3.3MB

  • memory/3012-156-0x000000013FD80000-0x00000001400D1000-memory.dmp

    Filesize

    3.3MB

  • memory/3064-160-0x000000013F240000-0x000000013F591000-memory.dmp

    Filesize

    3.3MB