Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    138s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/05/2024, 19:19

General

  • Target

    2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    b0ff157d4ac98b4807810ab74e4a28f3

  • SHA1

    e226c8a67fc70ada7533dc6e2360205f643c7eb4

  • SHA256

    f39875c1523d321881abaa9c06e6e0294292cc998115f18203a093df12b15eb9

  • SHA512

    f861da708e688259f882840a1cdc07c25da4157c551b80c7f2b1af42edb3757fcaac0b1a464351c3cd456257dbd05caeebb9ce074fdd2f169202b256d1dc2468

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU3:Q+856utgpPF8u/73

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 64 IoCs
  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-29_b0ff157d4ac98b4807810ab74e4a28f3_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4276
    • C:\Windows\System\JKGfjZf.exe
      C:\Windows\System\JKGfjZf.exe
      2⤵
      • Executes dropped EXE
      PID:2776
    • C:\Windows\System\NBEVZXB.exe
      C:\Windows\System\NBEVZXB.exe
      2⤵
      • Executes dropped EXE
      PID:1676
    • C:\Windows\System\dkHStls.exe
      C:\Windows\System\dkHStls.exe
      2⤵
      • Executes dropped EXE
      PID:2036
    • C:\Windows\System\FAKYIps.exe
      C:\Windows\System\FAKYIps.exe
      2⤵
      • Executes dropped EXE
      PID:4792
    • C:\Windows\System\lOOCDlm.exe
      C:\Windows\System\lOOCDlm.exe
      2⤵
      • Executes dropped EXE
      PID:5004
    • C:\Windows\System\lRYzgML.exe
      C:\Windows\System\lRYzgML.exe
      2⤵
      • Executes dropped EXE
      PID:1792
    • C:\Windows\System\COPzAvi.exe
      C:\Windows\System\COPzAvi.exe
      2⤵
      • Executes dropped EXE
      PID:888
    • C:\Windows\System\FcIGBqC.exe
      C:\Windows\System\FcIGBqC.exe
      2⤵
      • Executes dropped EXE
      PID:4640
    • C:\Windows\System\JKUrgZx.exe
      C:\Windows\System\JKUrgZx.exe
      2⤵
      • Executes dropped EXE
      PID:4016
    • C:\Windows\System\NCHresP.exe
      C:\Windows\System\NCHresP.exe
      2⤵
      • Executes dropped EXE
      PID:2212
    • C:\Windows\System\FvLhBQg.exe
      C:\Windows\System\FvLhBQg.exe
      2⤵
      • Executes dropped EXE
      PID:4068
    • C:\Windows\System\JWobdFL.exe
      C:\Windows\System\JWobdFL.exe
      2⤵
      • Executes dropped EXE
      PID:4536
    • C:\Windows\System\OKnTitp.exe
      C:\Windows\System\OKnTitp.exe
      2⤵
      • Executes dropped EXE
      PID:5028
    • C:\Windows\System\OfBHjkf.exe
      C:\Windows\System\OfBHjkf.exe
      2⤵
      • Executes dropped EXE
      PID:3324
    • C:\Windows\System\bhgARBn.exe
      C:\Windows\System\bhgARBn.exe
      2⤵
      • Executes dropped EXE
      PID:4564
    • C:\Windows\System\tJwlAar.exe
      C:\Windows\System\tJwlAar.exe
      2⤵
      • Executes dropped EXE
      PID:2524
    • C:\Windows\System\qXjciqU.exe
      C:\Windows\System\qXjciqU.exe
      2⤵
      • Executes dropped EXE
      PID:1556
    • C:\Windows\System\McBFBTA.exe
      C:\Windows\System\McBFBTA.exe
      2⤵
      • Executes dropped EXE
      PID:2556
    • C:\Windows\System\GKlNGTa.exe
      C:\Windows\System\GKlNGTa.exe
      2⤵
      • Executes dropped EXE
      PID:1620
    • C:\Windows\System\AKMSZhy.exe
      C:\Windows\System\AKMSZhy.exe
      2⤵
      • Executes dropped EXE
      PID:3860
    • C:\Windows\System\SJpnMHT.exe
      C:\Windows\System\SJpnMHT.exe
      2⤵
      • Executes dropped EXE
      PID:3340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System\AKMSZhy.exe

    Filesize

    5.9MB

    MD5

    60369095fd946619bd3b4f9b58ea853e

    SHA1

    add84c39b25d08956192d3fb8196f8c3f9d59288

    SHA256

    dd51b5612587731895e66fc1995e836c133a7ab22499f0e09c6bafe60bbed87c

    SHA512

    f7ca9999a073485329b97808a0c7c5d524f54d92c628aee9090fa1d46025ef3e9207b312538222898688742d48da5993ad13cfd18e2750e8fd6f29ae8048dd6f

  • C:\Windows\System\COPzAvi.exe

    Filesize

    5.9MB

    MD5

    9ed815bf9e453559d9c9bdb911733518

    SHA1

    7ae5146e07384003c2ebe11243a7a9e83f3bbd25

    SHA256

    6867f438aa743e19c616fb43b9e4df624d8999034823f7500b82ac31c906573c

    SHA512

    04bd85566254f4e71f40679677a5df555a7fba25698419a61f7e598b8c308288880efa54dce90ed11b17894fad9c168c961b52c269137a1c52302b23e58d6c38

  • C:\Windows\System\FAKYIps.exe

    Filesize

    5.9MB

    MD5

    fff41208026bc28971592c42d3d54c53

    SHA1

    db88d0d937aa5e1aca40080eadc234ea12aa35ac

    SHA256

    bc3d6dda3952739942dd4dba98b84c82c6775b725e34da7dc9a7949568730e89

    SHA512

    2e08fb398267620eaa44cfead2e15d1dff3ba3fe7586c41866b50e002fa4e1fab3060924fc5832f914b462e6cc5163965a18dfc8050ca074910cc2bf33f77afe

  • C:\Windows\System\FcIGBqC.exe

    Filesize

    5.9MB

    MD5

    106ec3c6a4ef1f75f57836f4c3abfb04

    SHA1

    3db662c16eea7df480564f9a1eec9b4693d6fea9

    SHA256

    5a70cce253694d190346f5ac3f91d16b53d83dc83aa17b2ff0c922d0219c6291

    SHA512

    d9d4c814dac968f9204bce422c62f6435db8e6fe8d4beddc91fcfaada57a3f1dd11b2bffeb6b393a410fa494ce1f8f735041afe4ce762c3fa6ba731000fb70cd

  • C:\Windows\System\FvLhBQg.exe

    Filesize

    5.9MB

    MD5

    60da67c0054987f7fe0cc2c3758d36a7

    SHA1

    0b6238c6340604d38dfe8967c9a2a3949859e268

    SHA256

    9074a07ea9b69c5d8100bb3752b1f3e977c903534150b7ed99cf12f06093b3c5

    SHA512

    5067bd031a4a61858b72c6f7fa5fed1e27dae1b1a8590b0e8161f51337e5e8fbcb0f7d7bffcc2c766ed05cfcefb1f6712da749cf3794b57092a3f560b6d4d188

  • C:\Windows\System\GKlNGTa.exe

    Filesize

    5.9MB

    MD5

    95b7b91897fe14c65c0fbbac0b8e11ab

    SHA1

    c06f300262148262e370e6d188a31e2d166a8338

    SHA256

    5a66ff86debe4b56a4cc556b02821e77f9aaa1595351105bc42ea869cf9d5559

    SHA512

    47f5eda504e799d78809505cca250030a2ddb82f9c0eb87f2e061cf8e3c8fd67d7ef762e3174a4cad3d53ff7e41ff3c25c9d0b025cb542ed4020db0b755e3c4a

  • C:\Windows\System\JKGfjZf.exe

    Filesize

    5.9MB

    MD5

    6f10c360019f41a33ee92bc73119306d

    SHA1

    b5fbdbab85d5befeff028d0f6be617e6c6295ac2

    SHA256

    742e974803ecf2fb998fb0a4ffe6d1eef5bbec9831c00a835c272a0aeaebf0b2

    SHA512

    296454142ea538905091c03025d9ae1426bbf294a8eccaafa01559ff2abbcae6c21ee20e640c67cfac9e339058d4b02aebf74adacb1fa6552f8020321f4e2652

  • C:\Windows\System\JKUrgZx.exe

    Filesize

    5.9MB

    MD5

    6cf3e99e49df873452f75987e58f627a

    SHA1

    941c8dfd598e5a55f67bf02c8749065c8d02c42e

    SHA256

    16ba25ee5b9ef6b8ed9f05635c003fc3eb61435c258bddecd783f979d56cc8b6

    SHA512

    2d96579aaef8367c9f9b36c6ee5d170c7e43b99e9d83eb949878928a7b35a3e8ef82e4d63c935c293685287448e4ba0ec7dd499fb153afb0c57a749121ffd01b

  • C:\Windows\System\JWobdFL.exe

    Filesize

    5.9MB

    MD5

    c57a76759b4bd496d3d37ed2a79f465a

    SHA1

    047d8c9f11361504f3751607d5bbad11b729f7f5

    SHA256

    31542a5ca415b519517e0bb27752e247349222211161ab62eabd6e960be06a04

    SHA512

    d3dc84ad4c57369959035883e056479a574af3028c9f8bf42454b97ff6eab567a1c0c8f717d1c3a3f1106b8cc358633297935ae07530cf454f95c670fcb1bdbe

  • C:\Windows\System\McBFBTA.exe

    Filesize

    5.9MB

    MD5

    9d6f5ca47d46743200a90a00eb28b95a

    SHA1

    b27d7a1eac2f8aa06fdb05fffea5d2e418cedd1e

    SHA256

    d87d5b828d4b1c8de019550f8be46efeae267f84ab9b8ab6ebdcddd560b8b3e3

    SHA512

    72e98aab0f933eee17bc71241ca51583f62e8969b0d0c222c66e4eadba8eaae10e1aad3dfb6ca8826709c3f6782f8c0d78d4855bee813bbe89de3af80db45dc5

  • C:\Windows\System\NBEVZXB.exe

    Filesize

    5.9MB

    MD5

    a81586582b60f91a9f3a56b5c99a23c5

    SHA1

    cfb197aff48a3c97277cfb7bae81eb056d86f5dd

    SHA256

    a69614b2f6e15da7f03ed502b8e88475428dc625134ce09117b65e8ebc9c1f0f

    SHA512

    e6c5987f293ca671fddf3272a50b118d81679b7812da3a0e3be3440dc65444634ef72de48832bcfbabd82b6526a24373b0b96519dd9fc818697e697c9ca36f7a

  • C:\Windows\System\NCHresP.exe

    Filesize

    5.9MB

    MD5

    aeabd90e84cb0740e97a722391a33ba1

    SHA1

    4f82756ec89b7da6f98984d9b1a85229a7b74acf

    SHA256

    99caf59de4b24e3cf2467a39062a9cf9efbde2087df92638b7b05290727a7521

    SHA512

    fa11e18477481117b26a7568e8fcb08c3b3578066fa4569ded3472cae5ced509c20fde0c5d96c4a07bf5365f6c725b3d30d9ffd8f376c2b5ceb7060c91610d09

  • C:\Windows\System\OKnTitp.exe

    Filesize

    5.9MB

    MD5

    45459b4b4de665bd0fbe7237f5c8be69

    SHA1

    2c5d251921faa391cfe0f24159e45dcc1c8cbf9b

    SHA256

    6468a34de1138728029fd2ff62fec0367bc03465bf3b1df115f2a5d1c59a1e8d

    SHA512

    a94986468bf442dc6c6e13928dbbf63c8bea6642190f6ce56d9ea23a370a3d9d6f5459c40acac36f612e5742453c2bb3f03e2b66532133b22ac94d51fa47d5e7

  • C:\Windows\System\OfBHjkf.exe

    Filesize

    5.9MB

    MD5

    89179cfc8a5e54139d16793532a834d6

    SHA1

    dc0c3fe583a5736cf72c0ab61395d3baed602ffb

    SHA256

    14a47b82e5e6d43b3ca8bc32e1ac7fbb6c380847eace9322f307ca2c1b89a5cf

    SHA512

    7e075422b328ec3a8c62389092871f429e09e3af80ae01a1dbabebd7c09322db4af1973c36905c270b2de52598e052606f427d97bfaec05912a1841488ed1732

  • C:\Windows\System\SJpnMHT.exe

    Filesize

    5.9MB

    MD5

    8fdc6546b6330de09a6f7806b3541d1d

    SHA1

    990af01bfd3830e101a7b85a40fe7d7a2b7b8b52

    SHA256

    5938f78e1c5903fce1e996fc59ad6e3252c14b8f65b00bb145d3b601d288cbd2

    SHA512

    02975597314cd5302b984ad75d63cc37e7dd618da49660d9e3a6c38abe9a087586311b3320e9b0e854dcac85615ef0f9c2cfeac9c63231ea02c7cb339fbcf0db

  • C:\Windows\System\bhgARBn.exe

    Filesize

    5.9MB

    MD5

    d81c810b5fd75d6afd408c279176f672

    SHA1

    e2a563904841d02a27441c807d48d21ab1d3fc7c

    SHA256

    f9a2b640b66d05f1f734230255e2daac19aab1bd4c918feb58528597147476ff

    SHA512

    4035539a921853a03b1373325766d8f5f3629821a88e8b82f1e60fe319bc14e1e28b1cc9468077025de80d8c9beae26a94101d010d9c5919c6303356bdc37c56

  • C:\Windows\System\dkHStls.exe

    Filesize

    5.9MB

    MD5

    befc0c3f403ea8848ac10b7971109d70

    SHA1

    06af5c4141a5050008d1aa6ac74c48990c1aeb57

    SHA256

    aa55e7d447407b290c536e95e4c3c46e7d128348930685239c928861aca5d2a2

    SHA512

    eea6292037077e23eb56b44ffc172756d24853a748e650f9ca7b4f40e707d00d8a5bb4e59f2480499116aadcfc4a65b21d9d0173f655213f1ab6e30c4e97c62f

  • C:\Windows\System\lOOCDlm.exe

    Filesize

    5.9MB

    MD5

    711665b67ad710d2baf38afe461c0a30

    SHA1

    474a26979a96cd83b97a754c3e3bc7e7262da16b

    SHA256

    792b32e39f6240e79935befe7f34ce781c59a107ccf15518fc1d6a3754cbd4ee

    SHA512

    6ce6ed5b48cdcf13c79a69a9f7889cd840edfdc171b710fef98239fcea220b5ebb90ed91a588ac4e9e6e464027b45fa49db3da74779e38fb5117dcac840758e6

  • C:\Windows\System\lRYzgML.exe

    Filesize

    5.9MB

    MD5

    82428a246feb9e81bdbd419d0b323fd6

    SHA1

    dc9563ee79b7de75d9a3e49220611a77eca00b35

    SHA256

    dfdca2ca9ab65df4ae05d24c9a821c89737d5332632b623468c51504351e4ab3

    SHA512

    605ca8d6cef08f27592b2b0326ca4ad71508c7d1c293a05a6709d60a36c36be7a24db44a1595ea002d1f3df95e16e9c8a739a8ea36207a1313a14232987477c8

  • C:\Windows\System\qXjciqU.exe

    Filesize

    5.9MB

    MD5

    c1c9ab2eab762e7637aad696bc9b7834

    SHA1

    f38d064b08d91a34d95996ca1f0ac70ca87b07ce

    SHA256

    a0ad79cb295262e890ecca05f9ee9a9290ef9f5b11664cf992278341ddda7568

    SHA512

    c45bc3dc07c63873a66894d359f71c16dce7764e0fd68d1184288304d9653fb1cde196934cd3100a1a04bafa8ce44d5468abb320e8fe54a127cbb6a166845c2f

  • C:\Windows\System\tJwlAar.exe

    Filesize

    5.9MB

    MD5

    e83dc697c821095642291bde162f0190

    SHA1

    b722247b6cdba5a6b3ab6be6b11a33e71bd921be

    SHA256

    9891e8b26d17536df5ef338e84ae7d2719c11c34d1f776ca66309a612fa8991b

    SHA512

    9671c295ae96612fb5fd81ccd679228cef85829c78e85aff4a0ab0a3ec0d4cfdfdd3805935e1843e935982b111f50a9ee7b8c7cb55e4c7fe8ef06011f0c2ed56

  • memory/888-53-0x00007FF7840A0000-0x00007FF7843F4000-memory.dmp

    Filesize

    3.3MB

  • memory/888-148-0x00007FF7840A0000-0x00007FF7843F4000-memory.dmp

    Filesize

    3.3MB

  • memory/1556-98-0x00007FF7EA1C0000-0x00007FF7EA514000-memory.dmp

    Filesize

    3.3MB

  • memory/1556-137-0x00007FF7EA1C0000-0x00007FF7EA514000-memory.dmp

    Filesize

    3.3MB

  • memory/1556-158-0x00007FF7EA1C0000-0x00007FF7EA514000-memory.dmp

    Filesize

    3.3MB

  • memory/1620-113-0x00007FF739530000-0x00007FF739884000-memory.dmp

    Filesize

    3.3MB

  • memory/1620-156-0x00007FF739530000-0x00007FF739884000-memory.dmp

    Filesize

    3.3MB

  • memory/1620-139-0x00007FF739530000-0x00007FF739884000-memory.dmp

    Filesize

    3.3MB

  • memory/1676-128-0x00007FF70D300000-0x00007FF70D654000-memory.dmp

    Filesize

    3.3MB

  • memory/1676-143-0x00007FF70D300000-0x00007FF70D654000-memory.dmp

    Filesize

    3.3MB

  • memory/1676-24-0x00007FF70D300000-0x00007FF70D654000-memory.dmp

    Filesize

    3.3MB

  • memory/1792-146-0x00007FF727760000-0x00007FF727AB4000-memory.dmp

    Filesize

    3.3MB

  • memory/1792-42-0x00007FF727760000-0x00007FF727AB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2036-144-0x00007FF7AFDC0000-0x00007FF7B0114000-memory.dmp

    Filesize

    3.3MB

  • memory/2036-29-0x00007FF7AFDC0000-0x00007FF7B0114000-memory.dmp

    Filesize

    3.3MB

  • memory/2036-129-0x00007FF7AFDC0000-0x00007FF7B0114000-memory.dmp

    Filesize

    3.3MB

  • memory/2212-150-0x00007FF633340000-0x00007FF633694000-memory.dmp

    Filesize

    3.3MB

  • memory/2212-70-0x00007FF633340000-0x00007FF633694000-memory.dmp

    Filesize

    3.3MB

  • memory/2524-97-0x00007FF752720000-0x00007FF752A74000-memory.dmp

    Filesize

    3.3MB

  • memory/2524-136-0x00007FF752720000-0x00007FF752A74000-memory.dmp

    Filesize

    3.3MB

  • memory/2524-160-0x00007FF752720000-0x00007FF752A74000-memory.dmp

    Filesize

    3.3MB

  • memory/2556-138-0x00007FF6DD670000-0x00007FF6DD9C4000-memory.dmp

    Filesize

    3.3MB

  • memory/2556-112-0x00007FF6DD670000-0x00007FF6DD9C4000-memory.dmp

    Filesize

    3.3MB

  • memory/2556-157-0x00007FF6DD670000-0x00007FF6DD9C4000-memory.dmp

    Filesize

    3.3MB

  • memory/2776-141-0x00007FF621A10000-0x00007FF621D64000-memory.dmp

    Filesize

    3.3MB

  • memory/2776-12-0x00007FF621A10000-0x00007FF621D64000-memory.dmp

    Filesize

    3.3MB

  • memory/3324-153-0x00007FF66B0F0000-0x00007FF66B444000-memory.dmp

    Filesize

    3.3MB

  • memory/3324-96-0x00007FF66B0F0000-0x00007FF66B444000-memory.dmp

    Filesize

    3.3MB

  • memory/3340-161-0x00007FF7CDBF0000-0x00007FF7CDF44000-memory.dmp

    Filesize

    3.3MB

  • memory/3340-130-0x00007FF7CDBF0000-0x00007FF7CDF44000-memory.dmp

    Filesize

    3.3MB

  • memory/3860-159-0x00007FF68D1D0000-0x00007FF68D524000-memory.dmp

    Filesize

    3.3MB

  • memory/3860-114-0x00007FF68D1D0000-0x00007FF68D524000-memory.dmp

    Filesize

    3.3MB

  • memory/3860-140-0x00007FF68D1D0000-0x00007FF68D524000-memory.dmp

    Filesize

    3.3MB

  • memory/4016-132-0x00007FF655130000-0x00007FF655484000-memory.dmp

    Filesize

    3.3MB

  • memory/4016-56-0x00007FF655130000-0x00007FF655484000-memory.dmp

    Filesize

    3.3MB

  • memory/4016-149-0x00007FF655130000-0x00007FF655484000-memory.dmp

    Filesize

    3.3MB

  • memory/4068-73-0x00007FF7A2960000-0x00007FF7A2CB4000-memory.dmp

    Filesize

    3.3MB

  • memory/4068-133-0x00007FF7A2960000-0x00007FF7A2CB4000-memory.dmp

    Filesize

    3.3MB

  • memory/4068-152-0x00007FF7A2960000-0x00007FF7A2CB4000-memory.dmp

    Filesize

    3.3MB

  • memory/4276-111-0x00007FF70A960000-0x00007FF70ACB4000-memory.dmp

    Filesize

    3.3MB

  • memory/4276-0-0x00007FF70A960000-0x00007FF70ACB4000-memory.dmp

    Filesize

    3.3MB

  • memory/4276-1-0x000001434D520000-0x000001434D530000-memory.dmp

    Filesize

    64KB

  • memory/4536-151-0x00007FF689CF0000-0x00007FF68A044000-memory.dmp

    Filesize

    3.3MB

  • memory/4536-78-0x00007FF689CF0000-0x00007FF68A044000-memory.dmp

    Filesize

    3.3MB

  • memory/4564-135-0x00007FF6B47C0000-0x00007FF6B4B14000-memory.dmp

    Filesize

    3.3MB

  • memory/4564-91-0x00007FF6B47C0000-0x00007FF6B4B14000-memory.dmp

    Filesize

    3.3MB

  • memory/4564-155-0x00007FF6B47C0000-0x00007FF6B4B14000-memory.dmp

    Filesize

    3.3MB

  • memory/4640-52-0x00007FF724FF0000-0x00007FF725344000-memory.dmp

    Filesize

    3.3MB

  • memory/4640-147-0x00007FF724FF0000-0x00007FF725344000-memory.dmp

    Filesize

    3.3MB

  • memory/4792-145-0x00007FF628C90000-0x00007FF628FE4000-memory.dmp

    Filesize

    3.3MB

  • memory/4792-131-0x00007FF628C90000-0x00007FF628FE4000-memory.dmp

    Filesize

    3.3MB

  • memory/4792-36-0x00007FF628C90000-0x00007FF628FE4000-memory.dmp

    Filesize

    3.3MB

  • memory/5004-142-0x00007FF653CC0000-0x00007FF654014000-memory.dmp

    Filesize

    3.3MB

  • memory/5004-35-0x00007FF653CC0000-0x00007FF654014000-memory.dmp

    Filesize

    3.3MB

  • memory/5028-86-0x00007FF7F8520000-0x00007FF7F8874000-memory.dmp

    Filesize

    3.3MB

  • memory/5028-154-0x00007FF7F8520000-0x00007FF7F8874000-memory.dmp

    Filesize

    3.3MB

  • memory/5028-134-0x00007FF7F8520000-0x00007FF7F8874000-memory.dmp

    Filesize

    3.3MB