Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/08/2024, 21:11

General

  • Target

    2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    87b61319968f7d15ebfa7ff2b9a69e11

  • SHA1

    bab34f070ef718f990e5ac26040250dcf7579532

  • SHA256

    b6d478b326a90461758c16bb85576639a741f7b9be17c7eed8e54438b06183ed

  • SHA512

    7ea26a859f7b1a1e06288eaf8704a5a741577820d451016f9ef8bff06062b5df0d7229520c828c78e59b4349c841cb09ee0120695c5d02647938474bc24afa34

  • SSDEEP

    49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l8:RWWBibj56utgpPFotBER/mQ32lUI

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 45 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-14_87b61319968f7d15ebfa7ff2b9a69e11_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\Windows\System\kfXPvyL.exe
      C:\Windows\System\kfXPvyL.exe
      2⤵
      • Executes dropped EXE
      PID:4708
    • C:\Windows\System\mkYqGZj.exe
      C:\Windows\System\mkYqGZj.exe
      2⤵
      • Executes dropped EXE
      PID:940
    • C:\Windows\System\KagAAKl.exe
      C:\Windows\System\KagAAKl.exe
      2⤵
      • Executes dropped EXE
      PID:4596
    • C:\Windows\System\JrKSElV.exe
      C:\Windows\System\JrKSElV.exe
      2⤵
      • Executes dropped EXE
      PID:2900
    • C:\Windows\System\BDsAFdC.exe
      C:\Windows\System\BDsAFdC.exe
      2⤵
      • Executes dropped EXE
      PID:3144
    • C:\Windows\System\XJTnvme.exe
      C:\Windows\System\XJTnvme.exe
      2⤵
      • Executes dropped EXE
      PID:4640
    • C:\Windows\System\QBrwvjS.exe
      C:\Windows\System\QBrwvjS.exe
      2⤵
      • Executes dropped EXE
      PID:2644
    • C:\Windows\System\UFoxNzv.exe
      C:\Windows\System\UFoxNzv.exe
      2⤵
      • Executes dropped EXE
      PID:2184
    • C:\Windows\System\GQVbFzX.exe
      C:\Windows\System\GQVbFzX.exe
      2⤵
      • Executes dropped EXE
      PID:4304
    • C:\Windows\System\FWgBVWg.exe
      C:\Windows\System\FWgBVWg.exe
      2⤵
      • Executes dropped EXE
      PID:3244
    • C:\Windows\System\qUAHtzo.exe
      C:\Windows\System\qUAHtzo.exe
      2⤵
      • Executes dropped EXE
      PID:2064
    • C:\Windows\System\dGwktad.exe
      C:\Windows\System\dGwktad.exe
      2⤵
      • Executes dropped EXE
      PID:4872
    • C:\Windows\System\jIppHbK.exe
      C:\Windows\System\jIppHbK.exe
      2⤵
      • Executes dropped EXE
      PID:2204
    • C:\Windows\System\xvbLKLx.exe
      C:\Windows\System\xvbLKLx.exe
      2⤵
      • Executes dropped EXE
      PID:2432
    • C:\Windows\System\lqDgbBq.exe
      C:\Windows\System\lqDgbBq.exe
      2⤵
      • Executes dropped EXE
      PID:3936
    • C:\Windows\System\BTtJgEq.exe
      C:\Windows\System\BTtJgEq.exe
      2⤵
      • Executes dropped EXE
      PID:348
    • C:\Windows\System\RQdTfSJ.exe
      C:\Windows\System\RQdTfSJ.exe
      2⤵
      • Executes dropped EXE
      PID:4216
    • C:\Windows\System\JYFgDFR.exe
      C:\Windows\System\JYFgDFR.exe
      2⤵
      • Executes dropped EXE
      PID:4908
    • C:\Windows\System\iTFEtzG.exe
      C:\Windows\System\iTFEtzG.exe
      2⤵
      • Executes dropped EXE
      PID:1960
    • C:\Windows\System\SRwbKdR.exe
      C:\Windows\System\SRwbKdR.exe
      2⤵
      • Executes dropped EXE
      PID:4308
    • C:\Windows\System\ztLOoNs.exe
      C:\Windows\System\ztLOoNs.exe
      2⤵
      • Executes dropped EXE
      PID:400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System\BDsAFdC.exe

    Filesize

    5.2MB

    MD5

    189f52ed8d3766a7656a8fc6e8e69124

    SHA1

    6c0945aa78643efbc66f646018d07336d56ddc51

    SHA256

    1f01341150a4e567240356556aa09bb8d5a8411c39b6ab901d1be947c8399d4a

    SHA512

    a268e813f30fe1cc73a98a47dda4deb8bcb4da12ce436cc9832bc5131f7ff69ad15e3105d5ae64b8ed0585babb56b415f2c6f1b59464ed429ae3426c275cfae3

  • C:\Windows\System\BTtJgEq.exe

    Filesize

    5.2MB

    MD5

    594645a1e8923c25ccf48f91302821ca

    SHA1

    1ae37f573324e5a90dea2809596a522faeb67c9e

    SHA256

    7f54475af91c63ab73cf52ae81bb03252fa27fc7de1fccb67eb4c43eb0579527

    SHA512

    9f51fe5c6be2e4a47e545ae774939c9e77a0c08a093648893a37f024a37ff9524f0ba10000651584787dba571f2cf95b5659957eae7703343ce781b405853b2f

  • C:\Windows\System\FWgBVWg.exe

    Filesize

    5.2MB

    MD5

    238e7df5668f23fe87fefdda770d0e28

    SHA1

    3203473fbcd2a7e17b7c728c3349c236e14ff372

    SHA256

    df26e8b50ac4f4370bdb606a86c0e35995cd5a0e63cc8af79e9c802119d0a7c8

    SHA512

    71886ae1e6fb36e834833c4319b24fc80c680351a3d50e379bccf5b23920409cb8eaf8fc8df401c9601f69c9f72131e344d0f795c1f31462e4909b69ecced59a

  • C:\Windows\System\GQVbFzX.exe

    Filesize

    5.2MB

    MD5

    a2bf11a6bda8987cb7417b811ddca03e

    SHA1

    d3e08048cf7352b5d2bfe8833826a35280ce7057

    SHA256

    d76525d545d2eea9f78aa9ca5c4d6a046d8f9f18ea161421f18b1934c626051a

    SHA512

    16fc5decb273dcae8c184c02f28d5b0489d4515f9a9d1182abf2d59001c0c4d3ab7a5faae7c7aaa7747cf71adc83979457b0941818e03cbb391e3e64e71b54c2

  • C:\Windows\System\JYFgDFR.exe

    Filesize

    5.2MB

    MD5

    fe5514b7ab83937d01539b5ae752c0a3

    SHA1

    481bdd7cc2999415852406ec3aafb96075e0b19c

    SHA256

    9422d20927cb4444ff020f1a78824a4629c905ba7549b89be90f6fd2aa8c6a25

    SHA512

    d7763c2244c61e1d9defa33e852ae7ad6c66891a74ad4f5e9bee520dff2e99ef5515cb58a47f112902d41d2c6dc96e41ef7f540bb36137fa7dde2d455dc60eeb

  • C:\Windows\System\JrKSElV.exe

    Filesize

    5.2MB

    MD5

    ba321372c240c2ef09b94b630288b714

    SHA1

    ff4121b73787434b4d43806281c0107c5e62f5c8

    SHA256

    9f814bb6dad7102e465a3acd63367c13241d1383e6e38bfa4dfc7fb01c48bb5e

    SHA512

    74fc0957dd8c6a03acf788dc3cc5533ee3357315647d75ea25e6eb7582714a97bc6f1ce8004d8517566cdb8427400df38e5cafb0890d0a983ff0802066befceb

  • C:\Windows\System\KagAAKl.exe

    Filesize

    5.2MB

    MD5

    8b87def767d515762073a3c65a348b76

    SHA1

    71f976ab7113346667941b8c799ab66d46de4f45

    SHA256

    7dd087187718e4e177816af1730efa22c8774aa7e1c4c3765cbf8173174ac1eb

    SHA512

    c127730f4bb5727b5a3fb41828240cb67333517ac2da1e85989141f456f3550a33d56193737ea67a027b03072551ab94b211333e8b167408358775922b1d7f71

  • C:\Windows\System\QBrwvjS.exe

    Filesize

    5.2MB

    MD5

    38942547cbf8051397efbab7f2705682

    SHA1

    3c03bcaba809ca38ce75ce878abbb2f84c6bfa8d

    SHA256

    d9c5a4335217e212d95a8db0852ea2ec9d70fcb670743f7d4085e3847b17a886

    SHA512

    f75182e1150a5a77c331076f5846cbf6b1ba387d9769f157c8a72c78107583060fa0f01ec10dbbee54ac1d55675d62c2edc16e921684860590e29bb4ec60d1f0

  • C:\Windows\System\RQdTfSJ.exe

    Filesize

    5.2MB

    MD5

    ebdeecef29860a22e7f0dde85ddbd030

    SHA1

    148308b838f9d1791401ac73d03b1b41bb47075c

    SHA256

    fcebbc676e023ac34b992d549f2bdbbd0ea72726c84da750a26accdaf8d2af36

    SHA512

    9a79a07b772ce1cb7ec92a8e140ff417b7d6ab3f72ee1a8de03df9ecb308a78f936a82544cefc0a5ae215893ba411450d5ba31a5eea99c1daf6ce4c4d7ae03fe

  • C:\Windows\System\SRwbKdR.exe

    Filesize

    5.2MB

    MD5

    11dd75ccc4c96697281b8651e3c23906

    SHA1

    96e7c04c37b3f306e7ea81acaf4cb31f5bf904f3

    SHA256

    b6fc5b72b2b6cdc23f61c7db18aff691665356633e30446bcb6fd1b27624d34a

    SHA512

    0b3f95a04bc18e5818efa0f0280cb1b8d5deb5ce2e7adeb50d83cd66122aab25ad8734fc7b751ed3518598c10bf47a18dc021c621178d6e40ae33103a279b9bb

  • C:\Windows\System\UFoxNzv.exe

    Filesize

    5.2MB

    MD5

    46c77bf00fd7b82d957a9fef3fbab9b2

    SHA1

    fedac4481a1b77a1320804329b9f6ea504084c0b

    SHA256

    aee3fea143046ac6a0945ea7bcba54caa71446e8d0fda76054a094aeea086dcb

    SHA512

    ff08a2ccdc8765a4391f02b54eff6770bd741680670dbf6c0499b638a2e4c7a5f5401de00804f749d5795be6bf4f666ed58a6ec69751558d0a72315bca7e309f

  • C:\Windows\System\XJTnvme.exe

    Filesize

    5.2MB

    MD5

    db6f763cef2261907f99135798348671

    SHA1

    d8432bbdfe7b92bccee8b88c8fec77ec75ca457c

    SHA256

    277f40304cab5bfe3316a1e20fcc33e46adba6441c66c0ff2fdd37b9b49cd0b1

    SHA512

    c6530d6869ed3247da504a5769fafb7cc2eb6fec4f054e2123fa8145423a5885b801646adf736367d1288f103253d1dc0f271a3a5086d182bc522664c6b18ad0

  • C:\Windows\System\dGwktad.exe

    Filesize

    5.2MB

    MD5

    b4e8e587cc1dc73b6c6eb4248d00f031

    SHA1

    61e1fe84d9558d16117159d0b1b9e7e86160e352

    SHA256

    76672c4494743b1bf07ecd65b20fb95080781f4734a8129bfe3c785fabff3925

    SHA512

    521ada4cbd44ffbcde5c2d4a5240eebfbece534ed2b0ad79c7b0078d6c685310da7f4c0fc157a2f485244d146867e416dce39b1ebca8eb879447a500d115f698

  • C:\Windows\System\iTFEtzG.exe

    Filesize

    5.2MB

    MD5

    4890d90ed2e99539c0d2dc64b1cc4007

    SHA1

    851e806c838c29cc7600bb2e6c617bed09fa43b8

    SHA256

    bbd6013fe726d4b0abdfeef9332c89d94b6320232411b3c7a9a23d3836da5fd6

    SHA512

    88469e896efd3a228a5fc731bc13c9472b8611ea85b73858bd39b732cdf970f01e80597b0fda7eaad96a4c737ddb145abe0d05280964e500c8384e5a4bc45236

  • C:\Windows\System\jIppHbK.exe

    Filesize

    5.2MB

    MD5

    c10b5f1fd59969c5a407ee04a37d7019

    SHA1

    abaa4cb1b7303703a9545fdccdeabdbc680fa62e

    SHA256

    85ee31a130214de04eda00f6c232d7f8ac4518e36a6c0cfc5f8e4007c4075f4d

    SHA512

    f21f82344d928f57edf2bbfa6d8d9bf989ae20b4ce0a30e6c1f035a4b5ff30384dc122ff91437c1efc16115c8c9e4d02d3d01403e287baa0d7acd0497cc7a80e

  • C:\Windows\System\kfXPvyL.exe

    Filesize

    5.2MB

    MD5

    367695ff64d62a3397a32207b8c3a3c4

    SHA1

    f71d9935c5850639a416a0352ac4ae76525b029f

    SHA256

    d84c0eba0129d8090a762b98b55531032f982020e2ff3b2c430885f5d8324c0f

    SHA512

    6ab32a80c94549b61bd4bf9974bd840ec7b5f6ba9247f5756175e6a8f9d34079d8892c3bbb1bb0e7d81a3e0cfca4f279161aa7c59e426fd45ae9aa7c9c622228

  • C:\Windows\System\lqDgbBq.exe

    Filesize

    5.2MB

    MD5

    7f26e83ea5c0a8e6c2ff6a1040ba28be

    SHA1

    4999127c74acdc6861e6f7187264c1736e25208d

    SHA256

    794e5be904664dfc4b78eb6e7a4d68b10ed03fec343a854d75fd2c01c2c733cd

    SHA512

    4d5979267cfd5259adfc13f7dd0eb08aca62e1ef953fa4d893475ca99b9b50d5dec4d9a1aed1f206503c5e3992b2f47c7b54207bdf176f472b60d61d5324a4b2

  • C:\Windows\System\mkYqGZj.exe

    Filesize

    5.2MB

    MD5

    3da5c520a8846cef60134beb8c424b62

    SHA1

    c818da4af630ce3e87ebc680a5deb5babb24405c

    SHA256

    88af0c574bc57e830e029a696e0b9abf3d04fe9ead8be161643cd9d6dd0659b4

    SHA512

    8ccce6030a4976697049192093e35023c33a3fd26d2fa5355e65b9346ca1e213d3915023c1325d5c03e6ea874d907e2a0ef695dd1a25e8064c8b826e335bebe1

  • C:\Windows\System\qUAHtzo.exe

    Filesize

    5.2MB

    MD5

    3871422ad1d817c576bc0c2fb9d1358b

    SHA1

    3b9557f303cb84e7aa421fcfd2c0acd8745a43be

    SHA256

    57815be41c3ed69d746b3d130180977e72e8cb52947d1fa4f3f401be9e3bb97a

    SHA512

    e416fafd4c9bebecf40b327abad3f97542840446b1fb012a013a9b73279fbfed4b656a6dc7b8636ac2253e560bd665c82a95bbd7302a68638daca56dcb26b989

  • C:\Windows\System\xvbLKLx.exe

    Filesize

    5.2MB

    MD5

    0a42f4e3fb331b7eba12b2a61c8bbade

    SHA1

    f3fa5c4d06b8f0576948e6c70b99566d47208c4b

    SHA256

    a32e71cad19e99a2b7ce639a580d1ec72bc37bff88fee5d9f5e4959bae9901b0

    SHA512

    7b35e324a335f9f214b5900f20c8555bcbd2a8b421d4b97502f197acdb2fea516029846a576f1cd1e3d7446306cd70fc6a8dded5b0c130556b595d842e361aec

  • C:\Windows\System\ztLOoNs.exe

    Filesize

    5.2MB

    MD5

    07f4648e0e12551e4ce701dfbddb8f11

    SHA1

    35905ca6d3fe0a84d606e74ed8a69eabc5d224a2

    SHA256

    4f507d9d841c3d60d28460a4a6890659a48671e01d142b5fbb6430cb8b3d9d71

    SHA512

    c4577b071f217fdeba480b98a4bf5f7996655c3b391e7f85ea4951db0ac8cc22742cc747b6a45fed83563a6f8e28b5d0d2568d1de383e88d1c7ac8459936742b

  • memory/348-239-0x00007FF6E1C00000-0x00007FF6E1F51000-memory.dmp

    Filesize

    3.3MB

  • memory/348-151-0x00007FF6E1C00000-0x00007FF6E1F51000-memory.dmp

    Filesize

    3.3MB

  • memory/348-96-0x00007FF6E1C00000-0x00007FF6E1F51000-memory.dmp

    Filesize

    3.3MB

  • memory/400-131-0x00007FF708BD0000-0x00007FF708F21000-memory.dmp

    Filesize

    3.3MB

  • memory/400-172-0x00007FF708BD0000-0x00007FF708F21000-memory.dmp

    Filesize

    3.3MB

  • memory/400-251-0x00007FF708BD0000-0x00007FF708F21000-memory.dmp

    Filesize

    3.3MB

  • memory/940-210-0x00007FF6C1CA0000-0x00007FF6C1FF1000-memory.dmp

    Filesize

    3.3MB

  • memory/940-18-0x00007FF6C1CA0000-0x00007FF6C1FF1000-memory.dmp

    Filesize

    3.3MB

  • memory/940-125-0x00007FF6C1CA0000-0x00007FF6C1FF1000-memory.dmp

    Filesize

    3.3MB

  • memory/1960-247-0x00007FF6ED6F0000-0x00007FF6EDA41000-memory.dmp

    Filesize

    3.3MB

  • memory/1960-117-0x00007FF6ED6F0000-0x00007FF6EDA41000-memory.dmp

    Filesize

    3.3MB

  • memory/2064-70-0x00007FF783160000-0x00007FF7834B1000-memory.dmp

    Filesize

    3.3MB

  • memory/2064-234-0x00007FF783160000-0x00007FF7834B1000-memory.dmp

    Filesize

    3.3MB

  • memory/2064-130-0x00007FF783160000-0x00007FF7834B1000-memory.dmp

    Filesize

    3.3MB

  • memory/2184-221-0x00007FF61D990000-0x00007FF61DCE1000-memory.dmp

    Filesize

    3.3MB

  • memory/2184-78-0x00007FF61D990000-0x00007FF61DCE1000-memory.dmp

    Filesize

    3.3MB

  • memory/2204-82-0x00007FF7EC5F0000-0x00007FF7EC941000-memory.dmp

    Filesize

    3.3MB

  • memory/2204-148-0x00007FF7EC5F0000-0x00007FF7EC941000-memory.dmp

    Filesize

    3.3MB

  • memory/2204-231-0x00007FF7EC5F0000-0x00007FF7EC941000-memory.dmp

    Filesize

    3.3MB

  • memory/2432-229-0x00007FF654110000-0x00007FF654461000-memory.dmp

    Filesize

    3.3MB

  • memory/2432-149-0x00007FF654110000-0x00007FF654461000-memory.dmp

    Filesize

    3.3MB

  • memory/2432-81-0x00007FF654110000-0x00007FF654461000-memory.dmp

    Filesize

    3.3MB

  • memory/2644-222-0x00007FF6BF7D0000-0x00007FF6BFB21000-memory.dmp

    Filesize

    3.3MB

  • memory/2644-129-0x00007FF6BF7D0000-0x00007FF6BFB21000-memory.dmp

    Filesize

    3.3MB

  • memory/2644-55-0x00007FF6BF7D0000-0x00007FF6BFB21000-memory.dmp

    Filesize

    3.3MB

  • memory/2900-218-0x00007FF754F90000-0x00007FF7552E1000-memory.dmp

    Filesize

    3.3MB

  • memory/2900-38-0x00007FF754F90000-0x00007FF7552E1000-memory.dmp

    Filesize

    3.3MB

  • memory/2900-139-0x00007FF754F90000-0x00007FF7552E1000-memory.dmp

    Filesize

    3.3MB

  • memory/3144-214-0x00007FF70C700000-0x00007FF70CA51000-memory.dmp

    Filesize

    3.3MB

  • memory/3144-77-0x00007FF70C700000-0x00007FF70CA51000-memory.dmp

    Filesize

    3.3MB

  • memory/3244-225-0x00007FF603790000-0x00007FF603AE1000-memory.dmp

    Filesize

    3.3MB

  • memory/3244-79-0x00007FF603790000-0x00007FF603AE1000-memory.dmp

    Filesize

    3.3MB

  • memory/3868-0-0x00007FF6142F0000-0x00007FF614641000-memory.dmp

    Filesize

    3.3MB

  • memory/3868-135-0x00007FF6142F0000-0x00007FF614641000-memory.dmp

    Filesize

    3.3MB

  • memory/3868-1-0x000001EB81960000-0x000001EB81970000-memory.dmp

    Filesize

    64KB

  • memory/3868-116-0x00007FF6142F0000-0x00007FF614641000-memory.dmp

    Filesize

    3.3MB

  • memory/3868-156-0x00007FF6142F0000-0x00007FF614641000-memory.dmp

    Filesize

    3.3MB

  • memory/3936-90-0x00007FF6AE260000-0x00007FF6AE5B1000-memory.dmp

    Filesize

    3.3MB

  • memory/3936-150-0x00007FF6AE260000-0x00007FF6AE5B1000-memory.dmp

    Filesize

    3.3MB

  • memory/3936-237-0x00007FF6AE260000-0x00007FF6AE5B1000-memory.dmp

    Filesize

    3.3MB

  • memory/4216-102-0x00007FF6FBFB0000-0x00007FF6FC301000-memory.dmp

    Filesize

    3.3MB

  • memory/4216-152-0x00007FF6FBFB0000-0x00007FF6FC301000-memory.dmp

    Filesize

    3.3MB

  • memory/4216-243-0x00007FF6FBFB0000-0x00007FF6FC301000-memory.dmp

    Filesize

    3.3MB

  • memory/4304-50-0x00007FF798060000-0x00007FF7983B1000-memory.dmp

    Filesize

    3.3MB

  • memory/4304-226-0x00007FF798060000-0x00007FF7983B1000-memory.dmp

    Filesize

    3.3MB

  • memory/4304-144-0x00007FF798060000-0x00007FF7983B1000-memory.dmp

    Filesize

    3.3MB

  • memory/4308-155-0x00007FF628F90000-0x00007FF6292E1000-memory.dmp

    Filesize

    3.3MB

  • memory/4308-249-0x00007FF628F90000-0x00007FF6292E1000-memory.dmp

    Filesize

    3.3MB

  • memory/4308-124-0x00007FF628F90000-0x00007FF6292E1000-memory.dmp

    Filesize

    3.3MB

  • memory/4596-35-0x00007FF7111A0000-0x00007FF7114F1000-memory.dmp

    Filesize

    3.3MB

  • memory/4596-126-0x00007FF7111A0000-0x00007FF7114F1000-memory.dmp

    Filesize

    3.3MB

  • memory/4596-212-0x00007FF7111A0000-0x00007FF7114F1000-memory.dmp

    Filesize

    3.3MB

  • memory/4640-216-0x00007FF616750000-0x00007FF616AA1000-memory.dmp

    Filesize

    3.3MB

  • memory/4640-48-0x00007FF616750000-0x00007FF616AA1000-memory.dmp

    Filesize

    3.3MB

  • memory/4640-127-0x00007FF616750000-0x00007FF616AA1000-memory.dmp

    Filesize

    3.3MB

  • memory/4708-6-0x00007FF62D480000-0x00007FF62D7D1000-memory.dmp

    Filesize

    3.3MB

  • memory/4708-121-0x00007FF62D480000-0x00007FF62D7D1000-memory.dmp

    Filesize

    3.3MB

  • memory/4708-208-0x00007FF62D480000-0x00007FF62D7D1000-memory.dmp

    Filesize

    3.3MB

  • memory/4872-232-0x00007FF7A9440000-0x00007FF7A9791000-memory.dmp

    Filesize

    3.3MB

  • memory/4872-80-0x00007FF7A9440000-0x00007FF7A9791000-memory.dmp

    Filesize

    3.3MB

  • memory/4908-241-0x00007FF716F90000-0x00007FF7172E1000-memory.dmp

    Filesize

    3.3MB

  • memory/4908-153-0x00007FF716F90000-0x00007FF7172E1000-memory.dmp

    Filesize

    3.3MB

  • memory/4908-106-0x00007FF716F90000-0x00007FF7172E1000-memory.dmp

    Filesize

    3.3MB