Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    15/08/2024, 10:57

General

  • Target

    2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    c0d0caf16015e4abc80ef880d1ee70a4

  • SHA1

    04cd43a27aa30de9b7b2ed141904a2a70c018c97

  • SHA256

    3069a6de07f662a26e2a3437fe52217c9a15adf04fe874cdb1400e2e02c424ff

  • SHA512

    8e4c6bc6a967e529ba2619db3d20fd64cd07edc4db4a837e7ff74092db83d2f6c0809aeac189d9c2d3c2e0a8923b96a2366bcc6b1b00e158c7a44ba71ee76231

  • SSDEEP

    49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l7:RWWBibf56utgpPFotBER/mQ32lUf

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 43 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\System\lalFDbM.exe
      C:\Windows\System\lalFDbM.exe
      2⤵
      • Executes dropped EXE
      PID:2564
    • C:\Windows\System\oFcZBQt.exe
      C:\Windows\System\oFcZBQt.exe
      2⤵
      • Executes dropped EXE
      PID:2920
    • C:\Windows\System\PCFwlqB.exe
      C:\Windows\System\PCFwlqB.exe
      2⤵
      • Executes dropped EXE
      PID:1884
    • C:\Windows\System\DOGMxcY.exe
      C:\Windows\System\DOGMxcY.exe
      2⤵
      • Executes dropped EXE
      PID:2808
    • C:\Windows\System\eNkVRQT.exe
      C:\Windows\System\eNkVRQT.exe
      2⤵
      • Executes dropped EXE
      PID:2556
    • C:\Windows\System\XJSGSzR.exe
      C:\Windows\System\XJSGSzR.exe
      2⤵
      • Executes dropped EXE
      PID:2736
    • C:\Windows\System\IiWgeOT.exe
      C:\Windows\System\IiWgeOT.exe
      2⤵
      • Executes dropped EXE
      PID:2676
    • C:\Windows\System\GNWoxZM.exe
      C:\Windows\System\GNWoxZM.exe
      2⤵
      • Executes dropped EXE
      PID:2724
    • C:\Windows\System\NTFQvqn.exe
      C:\Windows\System\NTFQvqn.exe
      2⤵
      • Executes dropped EXE
      PID:2148
    • C:\Windows\System\RMmUTHB.exe
      C:\Windows\System\RMmUTHB.exe
      2⤵
      • Executes dropped EXE
      PID:1076
    • C:\Windows\System\NzajhiM.exe
      C:\Windows\System\NzajhiM.exe
      2⤵
      • Executes dropped EXE
      PID:440
    • C:\Windows\System\ftrIOYl.exe
      C:\Windows\System\ftrIOYl.exe
      2⤵
      • Executes dropped EXE
      PID:1480
    • C:\Windows\System\nkWNVSp.exe
      C:\Windows\System\nkWNVSp.exe
      2⤵
      • Executes dropped EXE
      PID:2220
    • C:\Windows\System\kVqmrvf.exe
      C:\Windows\System\kVqmrvf.exe
      2⤵
      • Executes dropped EXE
      PID:1868
    • C:\Windows\System\hEquLZM.exe
      C:\Windows\System\hEquLZM.exe
      2⤵
      • Executes dropped EXE
      PID:3044
    • C:\Windows\System\hWDiwbW.exe
      C:\Windows\System\hWDiwbW.exe
      2⤵
      • Executes dropped EXE
      PID:3036
    • C:\Windows\System\luUhgUo.exe
      C:\Windows\System\luUhgUo.exe
      2⤵
      • Executes dropped EXE
      PID:2720
    • C:\Windows\System\MAzkfgj.exe
      C:\Windows\System\MAzkfgj.exe
      2⤵
      • Executes dropped EXE
      PID:1720
    • C:\Windows\System\WVmKyaj.exe
      C:\Windows\System\WVmKyaj.exe
      2⤵
      • Executes dropped EXE
      PID:2468
    • C:\Windows\System\xTtLUpE.exe
      C:\Windows\System\xTtLUpE.exe
      2⤵
      • Executes dropped EXE
      PID:2876
    • C:\Windows\System\BQGGxZH.exe
      C:\Windows\System\BQGGxZH.exe
      2⤵
      • Executes dropped EXE
      PID:832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\BQGGxZH.exe

    Filesize

    5.2MB

    MD5

    defac85e63e5ae8ed555312655e6717c

    SHA1

    91149770118cb2feed22062cddb0366c5378c81f

    SHA256

    122ea09eae384667472e271625782d24834f733c765572d3729cc78e1ddbae62

    SHA512

    62a49a8412796000c00b7e883718758c4aa14f91476874dbb8048a9d0f46a1de9a5db5f00681192fb05f3258851c178adc5519e455db9fadeb1c913eae08bd3d

  • C:\Windows\system\GNWoxZM.exe

    Filesize

    5.2MB

    MD5

    a1bd335dc8b87c9b43589a2aaed7a507

    SHA1

    6d7fada9854796f73d80fa28a6a91d0220daf386

    SHA256

    e37e8721befa623c06861d7fd19200731f0de65a851dddd7336ec0dd94419959

    SHA512

    509f30cc390f8db8662f5d8c9dbfc50738bb86eb31ef3afc8235b71dd1e588e2d8d6d0c3587f1016de4e5a87a8c505d7fb7ef12331cf9a79429759733590285c

  • C:\Windows\system\MAzkfgj.exe

    Filesize

    5.2MB

    MD5

    9d3e6fb7ca80c26c0b7b1dd883eab9b2

    SHA1

    9f6b1ae247007c797b4ebd5cb79ce141c48a15ad

    SHA256

    b5cabaaabf07753a3f002e68e6bc437c4b54acd5ce6316f280907686fe7f8eb8

    SHA512

    7466577b1f1b6ad212c56d7033acebfd9c1f42ae6db5932cd2831be03c9adf8623087011ef3e7bfc15062079a8d56d73b799688705eeb2c9db46b4800e39751a

  • C:\Windows\system\NTFQvqn.exe

    Filesize

    5.2MB

    MD5

    9d6ae1b7a0bd2bb7594e4216defd69ed

    SHA1

    52a81ceee9e6b77e396cd1b877bf8d652b081130

    SHA256

    82e81300a2cbaa3eb6d12508ad3879579ae1b5d33849d4763be27fb2fc9113ef

    SHA512

    891647f13f60a0e56ff5f2a2faa1a8d3c748bd839ede9d9faf66bf78b5c20a8cef6d1e503e633a8290a9fc41c623f7d975ab6af624c4d0979293eb5314411ad4

  • C:\Windows\system\NzajhiM.exe

    Filesize

    5.2MB

    MD5

    bab2b9535d4ca1d7c92d192f9209b6cc

    SHA1

    a5464461af9918026d248933dfbec68aa49a77a4

    SHA256

    d45a11d3bec2ff7ea64e901655e16cb3ddb43d3c476ee02ecb4eaebd4c99092d

    SHA512

    e0cf8562a5920d329a3f881bb455c43703e21e4d73398dc86cb4bac8d76faf4f607fdc6eff4aee321cd14c15f7d74e6e748c95742d3242d5a5c577c597db9a58

  • C:\Windows\system\PCFwlqB.exe

    Filesize

    5.2MB

    MD5

    6f54b2134b03341738b3685814e068c6

    SHA1

    0e7d17465f311f015859102718ef471cbbf990ed

    SHA256

    7ac1ba00e86575717cba56a3cd960c6c21faa1de6c59b880da92bd6c0a54ae51

    SHA512

    ddc3fb59cb9cc7aadb8afaae028d90da64abe4dbca3f68e351e554b0939b7191afc9c7ae36be270f0962263f9c194aff35152133054504438dbbddeafc66c8d9

  • C:\Windows\system\RMmUTHB.exe

    Filesize

    5.2MB

    MD5

    25a43eb12896344414671eca28c45ff7

    SHA1

    c03d7992bee69ed01a101a4b7bb93beecdd83014

    SHA256

    15e5151d9b44a486311578e67f529ab65a8a89a55b87db0962add27cc8c0d6e0

    SHA512

    48d33c7d7951e6af6c2355460bb1c303046b82b7eb6e589f01975267d049ed55fab47276ddb0d2659e17dd997c66980e6d2d3d6ec36938985a29a51b4b388828

  • C:\Windows\system\WVmKyaj.exe

    Filesize

    5.2MB

    MD5

    a61c35041e0e05e2d40c81035b4b7d8c

    SHA1

    85b70a47adfea8ce294a0e19b5832d6c5dd39f9b

    SHA256

    3863158c1be05048f11c40222e19628c153a421961ffe9390061b65edc873e8a

    SHA512

    522074e840a010aa198823d835d3e94950560b415293b18a4aa01d31547f3f1567798bc4951833c2a76c513163d33074d048c0332c1f8f4f4d2cea25e23ef288

  • C:\Windows\system\XJSGSzR.exe

    Filesize

    5.2MB

    MD5

    8ec9fb45b7736a68c1a8894e9d9c6018

    SHA1

    7b0e40ef1ae286ad78c702de2700a55b2c236ffc

    SHA256

    38cdfa29d672cc284fca9963050093110c834af61c6dcabc431402ab136aa442

    SHA512

    051a9cd93051171007154e7db2bbb01df4aeded3f3f271fd6bb980e092d4e5c618227620fad7f7b68360ce60fb5cd9f470f35d9b17c578c888d40f5e8b9708e5

  • C:\Windows\system\eNkVRQT.exe

    Filesize

    5.2MB

    MD5

    b42f0a88c667d8b651ec5c67a6f2bf07

    SHA1

    6f522f45028962a08c6a47294cdf166f11c8edac

    SHA256

    0d386790e223d3991bbcb11fc1f448508114b76f2647fa5fba9bdb6f01b2f403

    SHA512

    9bba980a2f281665bf6a74a00f1cc2cd9b17ad7abac99901ba2031642e236286b378376fda2b3e1eacf61532d8d0e2f8d103133a6cce5e6473715d93555b0ea8

  • C:\Windows\system\ftrIOYl.exe

    Filesize

    5.2MB

    MD5

    d339f330bac370d13248733776dd5e57

    SHA1

    c36bf931bd73ab191a4ad5e872c08cef66ddfb76

    SHA256

    36320d8c02fcab9985365b828857928cf334f6398ad5e95248ca2ea57bebdd01

    SHA512

    9f27ac694bbab4ef568099485b672816842a6ea6d5429fdf4d001791eaf65487c6f08d96eed90fb6456d33f04feefbcd7a4743b9ff41207c183475f373007097

  • C:\Windows\system\hEquLZM.exe

    Filesize

    5.2MB

    MD5

    a7f4c2e5d2f2dd4833119b9594e1b1ea

    SHA1

    a97ff59a06a2c51d089bcbc50bb52f3295d0019f

    SHA256

    0390ae47e7a14165e2080bfc1a93032d89abfdbc4c9db11aab29f871de275eed

    SHA512

    35623855a38a26a953388be4d697bf5ede01d1d6eee6ce315c5fa68b66362a024b042c2ec895ec85a14a0b706822180c8e8e1d2c0fa5920832bd36e7963cdb6f

  • C:\Windows\system\hWDiwbW.exe

    Filesize

    5.2MB

    MD5

    04289db7c5a51e7ffb79384cc5bfa19c

    SHA1

    f2946ee9577b9f29bf27e24d93e459c521fee402

    SHA256

    11d26f97123f9fcc0618fad2876b9489c22a7b453ff5b3a6d61d4b49a9398e51

    SHA512

    b416d0f9c8dba9dda9977615752afec3017d057097aa60a63aff32eaf1edffe3efae4f6c78eef2407251e85e06e1254c42b8b0c39b1d134a33a5ae917d43a227

  • C:\Windows\system\kVqmrvf.exe

    Filesize

    5.2MB

    MD5

    81bf4d4687dbbf86aedb7c35dece738e

    SHA1

    8f0255713efb784060e26315705b4a19746f7756

    SHA256

    24dc9faced0627ead24f17051b2d6f0eafff7be24b2cd74026c7cd79e4b1896f

    SHA512

    de7355e5b8c59b3c2998c7904ad90235ac1512c3feaa739efe615be3fd65833729aa65a72cc39803da7dc4b7206aa56b49e5337c42f14d23311eb3f5130d7b2d

  • C:\Windows\system\luUhgUo.exe

    Filesize

    5.2MB

    MD5

    54a5a29ead9eb409ab44e463580f3a07

    SHA1

    ec4e37cfa5c934533ff8498ed95af76b40de122c

    SHA256

    eb3ff8492710e39d8fa6e996cc382dddb5d5a0ee098cc08bf0dbce21399158f5

    SHA512

    11134891ef7f577542318836dae22287f19c98a01f98e6729ea857488a6e7b57adcc6673eb64c76b5219f404c6b294f8ac44075e776256d6b4cef4e0ab7d5602

  • C:\Windows\system\nkWNVSp.exe

    Filesize

    5.2MB

    MD5

    f86a67ac5052c784da0ea0a06375bbb3

    SHA1

    c18aa1a82bbcc6b4e015a1dbe03099438b16863c

    SHA256

    a50d17927023723d6359fa41b9ac829d739b59ba3eef704b57308052e46fdb58

    SHA512

    36d669dfb5e03270405fd0c440bfe7eaecc65bd26b2c1fc86c1e43697dddd149e0d203427bec8af9ec2eeca1b129c4b555d2de798c86def6ab53889a3e4312e1

  • C:\Windows\system\xTtLUpE.exe

    Filesize

    5.2MB

    MD5

    b0d8691c5e2657eba0d388ca420e8b7f

    SHA1

    73453ce6efbee32150b3adbad38b7ee722b420bb

    SHA256

    73af223a799ccc625d3186efffa4337a28b947fe8a975d28e98d8155115b5c54

    SHA512

    cefabd7cea8df373a8c723139a568c209e4595dbf5ed40e2e07b99955bf67ec0bac9969c2ee2876efc1147d9ec6e46523f7ad186d35971901c5685347bd23590

  • \Windows\system\DOGMxcY.exe

    Filesize

    5.2MB

    MD5

    05f640d12184bb697ebaf94e89b764f6

    SHA1

    cbb83dbc96a29ad894da44e37829da18726fe01b

    SHA256

    7f6a775c05dcb780e917ff82a9ec3bf24e359b559779df40f47ff6499688b613

    SHA512

    3636b84d396b639080ea5062dae154b68839d3f1a1e004e30c04a5bb2248efeceb7546ba5639f101469ef4759720c4b8228280bc8a5873bf1f0a708a7918c506

  • \Windows\system\IiWgeOT.exe

    Filesize

    5.2MB

    MD5

    cb3d73e51741d20dc433ffdc352e1000

    SHA1

    b93f9b99c6bf6f17f9dfe2f5b95cb869616b17eb

    SHA256

    6edd77e5b9a620d85fe5d5ffff42a258a356cb5563aef1528befca7338937d65

    SHA512

    08ba5c3d4e148e4a918f250307feb353c90faab4269c4e7048166a7710ea98f9c5ddc75c40838c36e2627b5ec3f92f3fa6fd7e496b3ccb0aacabbd918abb1636

  • \Windows\system\lalFDbM.exe

    Filesize

    5.2MB

    MD5

    0ac85c9015b1831333f8930d6d67fc41

    SHA1

    dff016e438b375e20530996da1360bd65a23a73d

    SHA256

    8889db95d72b510b30d7328c8a4a1e07b4fe5f5ed4b476d30cb5ca173c1b5ffa

    SHA512

    94d1897725c5c42611f30d977e7da459c95b85b93d3bdc9184e824b7de2c06a4703696a3e09af95ac72282d25fd78cacf916b1cdde9e32f934f6ccf6e4be8387

  • \Windows\system\oFcZBQt.exe

    Filesize

    5.2MB

    MD5

    f6a94a01a488861950f04ef1220f06b2

    SHA1

    f7272c2f0b126d0b85b5237cac21ff2097634bfb

    SHA256

    ba772f78b5a685edd8efc278fb938f1debdd99b597ebc0148b86a8e8ced8ae1f

    SHA512

    2bf79aa34a810443ddfed69d3b74c245bd54243567bb6a109bcdd6e725575b4af8b836a0e50413cd20de526550441583678c8830976d4fd89c2419856b0c044b

  • memory/440-75-0x000000013FEE0000-0x0000000140231000-memory.dmp

    Filesize

    3.3MB

  • memory/440-137-0x000000013FEE0000-0x0000000140231000-memory.dmp

    Filesize

    3.3MB

  • memory/440-248-0x000000013FEE0000-0x0000000140231000-memory.dmp

    Filesize

    3.3MB

  • memory/832-166-0x000000013F680000-0x000000013F9D1000-memory.dmp

    Filesize

    3.3MB

  • memory/1076-154-0x000000013F080000-0x000000013F3D1000-memory.dmp

    Filesize

    3.3MB

  • memory/1076-255-0x000000013F080000-0x000000013F3D1000-memory.dmp

    Filesize

    3.3MB

  • memory/1076-68-0x000000013F080000-0x000000013F3D1000-memory.dmp

    Filesize

    3.3MB

  • memory/1480-258-0x000000013F600000-0x000000013F951000-memory.dmp

    Filesize

    3.3MB

  • memory/1480-139-0x000000013F600000-0x000000013F951000-memory.dmp

    Filesize

    3.3MB

  • memory/1480-81-0x000000013F600000-0x000000013F951000-memory.dmp

    Filesize

    3.3MB

  • memory/1720-162-0x000000013F6C0000-0x000000013FA11000-memory.dmp

    Filesize

    3.3MB

  • memory/1868-259-0x000000013F960000-0x000000013FCB1000-memory.dmp

    Filesize

    3.3MB

  • memory/1868-148-0x000000013F960000-0x000000013FCB1000-memory.dmp

    Filesize

    3.3MB

  • memory/1868-94-0x000000013F960000-0x000000013FCB1000-memory.dmp

    Filesize

    3.3MB

  • memory/1884-221-0x000000013FEE0000-0x0000000140231000-memory.dmp

    Filesize

    3.3MB

  • memory/1884-23-0x000000013FEE0000-0x0000000140231000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-47-0x000000013F320000-0x000000013F671000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-1-0x00000000000F0000-0x0000000000100000-memory.dmp

    Filesize

    64KB

  • memory/2128-80-0x000000013F600000-0x000000013F951000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-67-0x000000013F080000-0x000000013F3D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-0-0x000000013FB70000-0x000000013FEC1000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-74-0x000000013FEE0000-0x0000000140231000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-19-0x0000000002380000-0x00000000026D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-88-0x000000013F3F0000-0x000000013F741000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-140-0x000000013F3F0000-0x000000013F741000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-167-0x000000013FB70000-0x000000013FEC1000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-55-0x000000013FB70000-0x000000013FEC1000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-106-0x000000013F080000-0x000000013F3D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-10-0x000000013FF70000-0x00000001402C1000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-69-0x000000013F280000-0x000000013F5D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-138-0x000000013F600000-0x000000013F951000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-164-0x0000000002380000-0x00000000026D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-107-0x0000000002380000-0x00000000026D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-49-0x000000013F730000-0x000000013FA81000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-18-0x000000013FEE0000-0x0000000140231000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-46-0x000000013F080000-0x000000013F3D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-143-0x000000013FB70000-0x000000013FEC1000-memory.dmp

    Filesize

    3.3MB

  • memory/2148-250-0x000000013FE50000-0x00000001401A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2148-153-0x000000013FE50000-0x00000001401A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2148-62-0x000000013FE50000-0x00000001401A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2220-252-0x000000013F3F0000-0x000000013F741000-memory.dmp

    Filesize

    3.3MB

  • memory/2220-89-0x000000013F3F0000-0x000000013F741000-memory.dmp

    Filesize

    3.3MB

  • memory/2220-141-0x000000013F3F0000-0x000000013F741000-memory.dmp

    Filesize

    3.3MB

  • memory/2468-163-0x000000013FE20000-0x0000000140171000-memory.dmp

    Filesize

    3.3MB

  • memory/2556-44-0x000000013FA40000-0x000000013FD91000-memory.dmp

    Filesize

    3.3MB

  • memory/2556-234-0x000000013FA40000-0x000000013FD91000-memory.dmp

    Filesize

    3.3MB

  • memory/2564-21-0x000000013FF70000-0x00000001402C1000-memory.dmp

    Filesize

    3.3MB

  • memory/2564-219-0x000000013FF70000-0x00000001402C1000-memory.dmp

    Filesize

    3.3MB

  • memory/2676-50-0x000000013F730000-0x000000013FA81000-memory.dmp

    Filesize

    3.3MB

  • memory/2676-236-0x000000013F730000-0x000000013FA81000-memory.dmp

    Filesize

    3.3MB

  • memory/2720-161-0x000000013FDD0000-0x0000000140121000-memory.dmp

    Filesize

    3.3MB

  • memory/2724-268-0x000000013F320000-0x000000013F671000-memory.dmp

    Filesize

    3.3MB

  • memory/2724-54-0x000000013F320000-0x000000013F671000-memory.dmp

    Filesize

    3.3MB

  • memory/2724-87-0x000000013F320000-0x000000013F671000-memory.dmp

    Filesize

    3.3MB

  • memory/2724-152-0x000000013F320000-0x000000013F671000-memory.dmp

    Filesize

    3.3MB

  • memory/2736-238-0x000000013F080000-0x000000013F3D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2736-53-0x000000013F080000-0x000000013F3D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2736-86-0x000000013F080000-0x000000013F3D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2808-232-0x000000013F280000-0x000000013F5D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2808-29-0x000000013F280000-0x000000013F5D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2876-165-0x000000013FBC0000-0x000000013FF11000-memory.dmp

    Filesize

    3.3MB

  • memory/2920-216-0x000000013FD00000-0x0000000140051000-memory.dmp

    Filesize

    3.3MB

  • memory/2920-17-0x000000013FD00000-0x0000000140051000-memory.dmp

    Filesize

    3.3MB

  • memory/2920-57-0x000000013FD00000-0x0000000140051000-memory.dmp

    Filesize

    3.3MB

  • memory/3036-160-0x000000013FF00000-0x0000000140251000-memory.dmp

    Filesize

    3.3MB

  • memory/3044-159-0x000000013FAE0000-0x000000013FE31000-memory.dmp

    Filesize

    3.3MB