Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    140s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    15/08/2024, 11:26

General

  • Target

    2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    31673e4247eae31d066ac22e97907cf3

  • SHA1

    c39903c24a15bbe4056405f54210c59b49652486

  • SHA256

    9dc08942a9069f8cc18d378a4a19af33a18c4d75ecfd03fe3cbfbbc22d2b077f

  • SHA512

    ed518d4d7cbfd8a2c7e19a2977b486171c1a895d2d834e51dce47ad95c55b09a97075463ef41dda6c0ff8f6088dcd1f7b8de5f425f5bb711a4399e072e595dc6

  • SSDEEP

    49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lk:RWWBibf56utgpPFotBER/mQ32lUA

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 43 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\System\CHgRkUe.exe
      C:\Windows\System\CHgRkUe.exe
      2⤵
      • Executes dropped EXE
      PID:2524
    • C:\Windows\System\wofnClE.exe
      C:\Windows\System\wofnClE.exe
      2⤵
      • Executes dropped EXE
      PID:2376
    • C:\Windows\System\xNmfHfn.exe
      C:\Windows\System\xNmfHfn.exe
      2⤵
      • Executes dropped EXE
      PID:1256
    • C:\Windows\System\SXTllMt.exe
      C:\Windows\System\SXTllMt.exe
      2⤵
      • Executes dropped EXE
      PID:2324
    • C:\Windows\System\VBeoQZc.exe
      C:\Windows\System\VBeoQZc.exe
      2⤵
      • Executes dropped EXE
      PID:2384
    • C:\Windows\System\vvGwTlv.exe
      C:\Windows\System\vvGwTlv.exe
      2⤵
      • Executes dropped EXE
      PID:2868
    • C:\Windows\System\zqkQDZT.exe
      C:\Windows\System\zqkQDZT.exe
      2⤵
      • Executes dropped EXE
      PID:2764
    • C:\Windows\System\ofYkOpC.exe
      C:\Windows\System\ofYkOpC.exe
      2⤵
      • Executes dropped EXE
      PID:2896
    • C:\Windows\System\fSrbeSk.exe
      C:\Windows\System\fSrbeSk.exe
      2⤵
      • Executes dropped EXE
      PID:2640
    • C:\Windows\System\gUhgZRm.exe
      C:\Windows\System\gUhgZRm.exe
      2⤵
      • Executes dropped EXE
      PID:2972
    • C:\Windows\System\UmcnAsp.exe
      C:\Windows\System\UmcnAsp.exe
      2⤵
      • Executes dropped EXE
      PID:2776
    • C:\Windows\System\bDVTZZK.exe
      C:\Windows\System\bDVTZZK.exe
      2⤵
      • Executes dropped EXE
      PID:2616
    • C:\Windows\System\WXfeEmL.exe
      C:\Windows\System\WXfeEmL.exe
      2⤵
      • Executes dropped EXE
      PID:1092
    • C:\Windows\System\JunHmfQ.exe
      C:\Windows\System\JunHmfQ.exe
      2⤵
      • Executes dropped EXE
      PID:828
    • C:\Windows\System\qyisume.exe
      C:\Windows\System\qyisume.exe
      2⤵
      • Executes dropped EXE
      PID:2044
    • C:\Windows\System\MGvoJEA.exe
      C:\Windows\System\MGvoJEA.exe
      2⤵
      • Executes dropped EXE
      PID:1880
    • C:\Windows\System\XurKEql.exe
      C:\Windows\System\XurKEql.exe
      2⤵
      • Executes dropped EXE
      PID:1872
    • C:\Windows\System\QwcjkNV.exe
      C:\Windows\System\QwcjkNV.exe
      2⤵
      • Executes dropped EXE
      PID:2040
    • C:\Windows\System\aisdMUA.exe
      C:\Windows\System\aisdMUA.exe
      2⤵
      • Executes dropped EXE
      PID:2016
    • C:\Windows\System\NgfQmLF.exe
      C:\Windows\System\NgfQmLF.exe
      2⤵
      • Executes dropped EXE
      PID:804
    • C:\Windows\System\vSvjtNp.exe
      C:\Windows\System\vSvjtNp.exe
      2⤵
      • Executes dropped EXE
      PID:1992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\CHgRkUe.exe

    Filesize

    5.2MB

    MD5

    c6b745a4595fe81478bf926d7a4f117e

    SHA1

    81e4ad3b8dca4bd4a24ce7c868a32badbe566839

    SHA256

    da7170afe3c89f9b704d3678a8d72c3f4929df2e014c2ae9999779d549e16414

    SHA512

    22cdcbe90485fffd0932995cc0819ff399d426cedcde21473651823ac4e9da59efcb402121c8c6adb53a4b6f4de7aa510d9e3abd57ec32a9e97721bba823e22b

  • C:\Windows\system\JunHmfQ.exe

    Filesize

    5.2MB

    MD5

    ec77448f2398b704eccc5502a4d57b1a

    SHA1

    f207d6fd854ef35e79c1bb94b2b5c11ae7edc531

    SHA256

    5aa06da7affe9e8bfe5a2037453e05bec21546cf2d38b17c507b18043bc82dd3

    SHA512

    e1294254e95af84870d9c4f91cd21aa2f24cc4c421ac80fd9b7fd45aaa9a7bbd4648c97ba277bdedc160a849d530ee10f6875bbf30c4782aa2ca390c3d787aee

  • C:\Windows\system\MGvoJEA.exe

    Filesize

    5.2MB

    MD5

    42aea7ffeb273258ab6f7f748cf27511

    SHA1

    d6f708e69bc9967a2d991f834a91d3af06404e04

    SHA256

    25ecfbf9c8fff297f9d8dacd1a891cf5a63856927b72f7c8210cff31798e375f

    SHA512

    7ade4a1019bb20402a5b8c440b08806e968644554ab6da287c70ff616ae9cbd18bd2db2a46b24aacdcb02b8e16f0a9c64dc0f221ce5e3b5fff9619ebd8d43174

  • C:\Windows\system\NgfQmLF.exe

    Filesize

    5.2MB

    MD5

    63c65de1f82985b8ddd92edc64543bda

    SHA1

    b4cd3ceec6eab84c06efe10380179618f9f500cc

    SHA256

    23089ded8f32286373fe45ac2f88cbd1e9f25f23fcbdb4d7985d06412bd64b06

    SHA512

    b5b0af84fb2487a29f3db77c9e4b56ed79b29a3cd3be3de9b68889a4d915341b3c77adfaa03701fe0efc75ef844d0e2487cc9285342b55178d9f202599feff0e

  • C:\Windows\system\QwcjkNV.exe

    Filesize

    5.2MB

    MD5

    43ced77a2bb9861a86dc6c54f36bf5b1

    SHA1

    dbe97179fb6466739c909691bd4c3ec2675a6af6

    SHA256

    f04c4142f94616e9f3d1ebc5eafc5db5262d1c2eb87a731ca45ec96509ec095d

    SHA512

    8d0978d140e20ab6dff4d443ac64536e38f5f0df89e3d3e15d478b723d3fa342bf79733bc159ca19bf877c94e7793cc4b2645aaaed20db1d49b029f93bad3486

  • C:\Windows\system\SXTllMt.exe

    Filesize

    5.2MB

    MD5

    1f4f27786e6df75cbba9aaaef271f815

    SHA1

    9dcfe55080b4cd515bd80a6a76b33c4b3211278d

    SHA256

    7885be79b12f60fb53873875a78e4bfd7d77ec3710323e1f45e0964d0d0ecbb5

    SHA512

    a328da4f303eff453d592bfbc33cc926fe61654fea15aabbece97652a0e9cfa040ae077de056eebd7bea0d2999ac9888d4f28131f07038c540a0a061f674d5bd

  • C:\Windows\system\UmcnAsp.exe

    Filesize

    5.2MB

    MD5

    c624114489776791b6fba5fd33f16ddf

    SHA1

    f1f6704beb1e495f3a8976f88b12ccdc3098281e

    SHA256

    c2f4ea79904d1f9c5621009c98cd044a5293258ed4264856c3761bd41b555d3e

    SHA512

    4753094bfd0d4bca10f893febc83af6ce5bba7906d87ac92e536e7c65a20f346ec32397fb8bf5961521304419de290d23ec724103f3c8d6ba8037be0f906b516

  • C:\Windows\system\VBeoQZc.exe

    Filesize

    5.2MB

    MD5

    7331241f65fe7cdf6a5d543110f6df28

    SHA1

    84cc7e04cfe04ea526c6a65fdce79ad4a51fb3ca

    SHA256

    153ddd80241fe5b74927afea3cedb81a4718b4a747f7e04613628f9fedad212b

    SHA512

    21b26c8d590c0289bb284f8360c40c4dc23a349351454d3ad74f712b7a6f84bfc749eb84b4b8eb37b04f65fc3568c1c67927aa8c8cdb413a1be1b04bb6bc770f

  • C:\Windows\system\WXfeEmL.exe

    Filesize

    5.2MB

    MD5

    8c2ad59738d1cfafdc03fc6cd208f504

    SHA1

    5633f1803a0e47136bbfb65af958d1a1076515a8

    SHA256

    6ef7ed837191f97c45104e7f8a6aa2dfb4a4107838df41d3fa30f2d4ed48c5be

    SHA512

    6fbe26a416b3985874c899dee04c770f87d0369821502054e207d9fa98dd8b43f2db2c41e4d757c2a1a9205a06ab4f5e65364fc402ed78b3382346c5613ccfb7

  • C:\Windows\system\XurKEql.exe

    Filesize

    5.2MB

    MD5

    588fb392166a118e85ca380e1e924965

    SHA1

    4f0dda2a873202c59cdb14b6e1fcb12581c557b5

    SHA256

    c46dc2f71ae5a8d037436f0a3ea0d32fe82594a4cfdf9dd8f1bf504b3ea1149a

    SHA512

    b39d58e6187ecd96feff934f321b4fbf864ed6850d4bbe9d1786f8caa83214b4b774768fd5092c62eca7185d511c984f34b2ac85fa63cdda1f322daf62c67874

  • C:\Windows\system\aisdMUA.exe

    Filesize

    5.2MB

    MD5

    067efcd1760b9d4c9be5135a2a442fde

    SHA1

    25c330288218170df5cefd09ac728dcb65dce9e2

    SHA256

    f705b21cee936e88bb997094cccaf65791076b01bc45b05f2e4f5aac4aaeb3a4

    SHA512

    df5b3560f97b8d8011b15e7b0576253bd609c3d71b8bbce31443ccea24a41753d1e6969531220b5035a6b4f8b9259e1db6f0e794af930df44e30aeaf89ea3ae8

  • C:\Windows\system\bDVTZZK.exe

    Filesize

    5.2MB

    MD5

    9cfb4c89ea8f7ddb8e0a02ce1dd7787f

    SHA1

    641a3dd9a43bc812c13b1ade225626662649c436

    SHA256

    bb3678273bd22d4d4dbfe6586db7ab0a1a7e3faf2b70ea42f5df753272edea42

    SHA512

    4fd74c8147a0ed80f5bd28e6ca35660f3d086f71b0c6b8eb0606183c1cdedd67b8df6556a9cd288ee0b3010f823481077b5ea8a2b78e85c50ec38948da68dc3b

  • C:\Windows\system\fSrbeSk.exe

    Filesize

    5.2MB

    MD5

    79cb17ac8d924a873835f6ee1da9f2fb

    SHA1

    526d51bc46003fb690f7d05f9c1bb4f91155c8fb

    SHA256

    0f0ff44e4ea17e8c337dcfabeea069a88a7809b24eb68b802a51ca14a20ccd28

    SHA512

    d7e7299c529d30e4ad469eae7914b8d2ea087555a181dbc15581b05942a27235cfe785af606e9e3331606cb7a05d1698d432e8cbeb380f11d86504e10cfdc137

  • C:\Windows\system\ofYkOpC.exe

    Filesize

    5.2MB

    MD5

    9466b53cf3b50c6c6dcdde15ba1de426

    SHA1

    97bb93173237a52b25032aabc7799303f3d6f61a

    SHA256

    d66cdf6b4a851d39a3cbb01cab5daa3e97525f08d2602e52bfe25e3667a4b6d7

    SHA512

    e6c7ee112e09a78ddd7751892b5fe3349281edace25828ac8b353ab8cd2ab34ea4676d24e548597fba3661d18feb4e663a343f01bd3fe49039960de62d82c298

  • C:\Windows\system\qyisume.exe

    Filesize

    5.2MB

    MD5

    a01d6847cedc032220f4bf3b1d4d2cd7

    SHA1

    ba645e53c36cd2c512b0b26fbe3c56e79af5cfc4

    SHA256

    fbdda3a95fb6fdec55b64bbd6310b2f1a686068cafed72802632309f2238970a

    SHA512

    9fd24ca382cc2e3670d80e57f8572cb13807977c14c1810656eebbad23b504fd9a4c34ca2a785f55850d2b33b046805d8a583c1cae52f16846acd193b3b0b4b5

  • C:\Windows\system\vSvjtNp.exe

    Filesize

    5.2MB

    MD5

    b8d980a112b248f343386dba9cf9ffd1

    SHA1

    4b19bef53c51813f3a9f2014dc603134e8d68f90

    SHA256

    0bab36ee3a421c1e3b25c0ef2eb72f26e97cbd03e3c358a28efc6e3290bad5e7

    SHA512

    f7b65ab16d45a354a6ec127af560765e22caf74ac47d764d904da4b3fca2082f2d734f48a7daec89bd65fbc51a74619b863ab4dda441f658587362a544c95382

  • C:\Windows\system\vvGwTlv.exe

    Filesize

    5.2MB

    MD5

    2d747a3ca834c0e53c58c0d45f1cd062

    SHA1

    1970e6a457e841a57e458fc19bb65a2ae4553a8e

    SHA256

    60f469c60a6e8d043a9a00d7052cd3de5bdc7370104a1f4e06b035c4cc56c3d1

    SHA512

    18eff493a6cd5705124be34c9fdc25f026ae8fed17a27f881d68c5fcd6b2bab4db9a48458ba7c76486349741a08078f314a15f365bad63c19a4eee14fef566f3

  • C:\Windows\system\wofnClE.exe

    Filesize

    5.2MB

    MD5

    e74b80311090a1dc0765871644fc1a68

    SHA1

    4023254c09fdd57dc370ac86d4dde07a34121e5d

    SHA256

    b7d15179a35f7f613a63a329c289e8babe9034fe278cfe96433dade98b719364

    SHA512

    5a614cbe26e560ab990f95ea0384893bd64686728d8f2b62c3d2e7ac5a8eb8f2afab2bac3ed7aef663ddbc272b8a64a85b7a2decb171fc84f4a89fd349080a2a

  • C:\Windows\system\zqkQDZT.exe

    Filesize

    5.2MB

    MD5

    1606314ed3d399d9d32bdcbde3862aab

    SHA1

    2c617744f099d518c470ce3328c2ba61b4f8272b

    SHA256

    bcd4ee11b2b12698de343fdbebad5ce0bd98b3a4bc13fa3741fd2c255fa1cf5e

    SHA512

    408924a40aa50d8fb61ae667e7e0c6f82cef73f2cd5af949f0fca6742090a64526e2520acb2ae093a7041c04cd4c82b152fbdde8bc1109cca21c8689f1bbe6eb

  • \Windows\system\gUhgZRm.exe

    Filesize

    5.2MB

    MD5

    1e91dd8934b3bdf0fb9259ec4df40ccb

    SHA1

    7ea1f62167afc32be627f6ea62a18d04b0479139

    SHA256

    b3f6e151fb67aaf92b1f1ae45f34fac00dc3e62d9d061dac9382d0d849e61cd6

    SHA512

    7ae4d93e6a01780cad3587331332eead800bc6b80bcbc8a97be5ba99c8c9c341d2f4cd1fd30d11b9b4b254d63a4d5c13dc9f5393c894be62c44a077d1fea8364

  • \Windows\system\xNmfHfn.exe

    Filesize

    5.2MB

    MD5

    f3e0dcdd991736d45225b30395841566

    SHA1

    aaa85aa40ec235ed79c6cda01c6344e77a655bd6

    SHA256

    72627d8cc16173cca3c325206ac431460e0ae21586028ba1b8ca9be080c3bc2f

    SHA512

    3f68f527c749c27422db8ef3cc448581a63cfbc558f1808540e771f06f07ccb548af183c79bbeaea89c48809c8ab60f05342e97d370c86c1592ea26dbc0765c6

  • memory/804-164-0x000000013F660000-0x000000013F9B1000-memory.dmp

    Filesize

    3.3MB

  • memory/828-257-0x000000013F4C0000-0x000000013F811000-memory.dmp

    Filesize

    3.3MB

  • memory/828-102-0x000000013F4C0000-0x000000013F811000-memory.dmp

    Filesize

    3.3MB

  • memory/1092-142-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1092-94-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1092-259-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1256-226-0x000000013FAB0000-0x000000013FE01000-memory.dmp

    Filesize

    3.3MB

  • memory/1256-27-0x000000013FAB0000-0x000000013FE01000-memory.dmp

    Filesize

    3.3MB

  • memory/1872-161-0x000000013F310000-0x000000013F661000-memory.dmp

    Filesize

    3.3MB

  • memory/1880-160-0x000000013FC90000-0x000000013FFE1000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-54-0x00000000022A0000-0x00000000025F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-31-0x00000000022A0000-0x00000000025F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-93-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-1-0x0000000000080000-0x0000000000090000-memory.dmp

    Filesize

    64KB

  • memory/1928-166-0x000000013FDF0000-0x0000000140141000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-82-0x00000000022A0000-0x00000000025F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-66-0x000000013FDF0000-0x0000000140141000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-141-0x00000000022A0000-0x00000000025F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-71-0x000000013F430000-0x000000013F781000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-144-0x000000013FDF0000-0x0000000140141000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-0-0x000000013FDF0000-0x0000000140141000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-70-0x00000000022A0000-0x00000000025F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-143-0x000000013F4C0000-0x000000013F811000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-26-0x00000000022A0000-0x00000000025F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-101-0x000000013F4C0000-0x000000013F811000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-49-0x000000013F7D0000-0x000000013FB21000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-139-0x00000000022A0000-0x00000000025F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-39-0x00000000022A0000-0x00000000025F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-108-0x000000013F040000-0x000000013F391000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-140-0x000000013F430000-0x000000013F781000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-29-0x00000000022A0000-0x00000000025F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1928-32-0x000000013F310000-0x000000013F661000-memory.dmp

    Filesize

    3.3MB

  • memory/1992-165-0x000000013FC20000-0x000000013FF71000-memory.dmp

    Filesize

    3.3MB

  • memory/2016-163-0x000000013F830000-0x000000013FB81000-memory.dmp

    Filesize

    3.3MB

  • memory/2040-162-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

    Filesize

    3.3MB

  • memory/2044-159-0x000000013F040000-0x000000013F391000-memory.dmp

    Filesize

    3.3MB

  • memory/2324-35-0x000000013F310000-0x000000013F661000-memory.dmp

    Filesize

    3.3MB

  • memory/2324-84-0x000000013F310000-0x000000013F661000-memory.dmp

    Filesize

    3.3MB

  • memory/2324-234-0x000000013F310000-0x000000013F661000-memory.dmp

    Filesize

    3.3MB

  • memory/2376-25-0x000000013FB70000-0x000000013FEC1000-memory.dmp

    Filesize

    3.3MB

  • memory/2376-228-0x000000013FB70000-0x000000013FEC1000-memory.dmp

    Filesize

    3.3MB

  • memory/2384-230-0x000000013FD70000-0x00000001400C1000-memory.dmp

    Filesize

    3.3MB

  • memory/2384-33-0x000000013FD70000-0x00000001400C1000-memory.dmp

    Filesize

    3.3MB

  • memory/2524-18-0x000000013F7F0000-0x000000013FB41000-memory.dmp

    Filesize

    3.3MB

  • memory/2524-68-0x000000013F7F0000-0x000000013FB41000-memory.dmp

    Filesize

    3.3MB

  • memory/2524-224-0x000000013F7F0000-0x000000013FB41000-memory.dmp

    Filesize

    3.3MB

  • memory/2616-246-0x000000013FCF0000-0x0000000140041000-memory.dmp

    Filesize

    3.3MB

  • memory/2616-88-0x000000013FCF0000-0x0000000140041000-memory.dmp

    Filesize

    3.3MB

  • memory/2640-240-0x000000013FB70000-0x000000013FEC1000-memory.dmp

    Filesize

    3.3MB

  • memory/2640-69-0x000000013FB70000-0x000000013FEC1000-memory.dmp

    Filesize

    3.3MB

  • memory/2764-236-0x000000013F7D0000-0x000000013FB21000-memory.dmp

    Filesize

    3.3MB

  • memory/2764-50-0x000000013F7D0000-0x000000013FB21000-memory.dmp

    Filesize

    3.3MB

  • memory/2776-81-0x000000013F430000-0x000000013F781000-memory.dmp

    Filesize

    3.3MB

  • memory/2776-242-0x000000013F430000-0x000000013F781000-memory.dmp

    Filesize

    3.3MB

  • memory/2868-232-0x000000013FB70000-0x000000013FEC1000-memory.dmp

    Filesize

    3.3MB

  • memory/2868-87-0x000000013FB70000-0x000000013FEC1000-memory.dmp

    Filesize

    3.3MB

  • memory/2868-40-0x000000013FB70000-0x000000013FEC1000-memory.dmp

    Filesize

    3.3MB

  • memory/2896-238-0x000000013FFB0000-0x0000000140301000-memory.dmp

    Filesize

    3.3MB

  • memory/2896-103-0x000000013FFB0000-0x0000000140301000-memory.dmp

    Filesize

    3.3MB

  • memory/2896-55-0x000000013FFB0000-0x0000000140301000-memory.dmp

    Filesize

    3.3MB

  • memory/2972-83-0x000000013FF40000-0x0000000140291000-memory.dmp

    Filesize

    3.3MB

  • memory/2972-244-0x000000013FF40000-0x0000000140291000-memory.dmp

    Filesize

    3.3MB