Analysis

  • max time kernel
    140s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/08/2024, 10:47

General

  • Target

    2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    6c5862dd6742b207080c3bf04987ed32

  • SHA1

    28cefb613aac4959f44677a2348391cae9e89e6b

  • SHA256

    e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1

  • SHA512

    9582818d8a419bb34e979980b259fdbbd9c92c1c42f695fc3e490080d14fbe7822304d7a0c196a4fedd03541ee874bfe5d3dd0dafdb39d50410da17cf7e901e0

  • SSDEEP

    49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lx:RWWBibf56utgpPFotBER/mQ32lUt

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • unknown1

    4096

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader (21 IoCs)

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload (44 IoCs)
  • Executes dropped EXE (21 IoCs)
  • UPX packed file (64 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory (21 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (42 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Windows\System\icuvtEB.exe
      C:\Windows\System\icuvtEB.exe
      2⤵
      • Executes dropped EXE
      PID:2792
    • C:\Windows\System\ELRIjCN.exe
      C:\Windows\System\ELRIjCN.exe
      2⤵
      • Executes dropped EXE
      PID:4772
    • C:\Windows\System\BwsPaEr.exe
      C:\Windows\System\BwsPaEr.exe
      2⤵
      • Executes dropped EXE
      PID:5016
    • C:\Windows\System\EilvOVR.exe
      C:\Windows\System\EilvOVR.exe
      2⤵
      • Executes dropped EXE
      PID:2636
    • C:\Windows\System\gexnndi.exe
      C:\Windows\System\gexnndi.exe
      2⤵
      • Executes dropped EXE
      PID:2704
    • C:\Windows\System\mZBgisT.exe
      C:\Windows\System\mZBgisT.exe
      2⤵
      • Executes dropped EXE
      PID:2228
    • C:\Windows\System\awaVaKx.exe
      C:\Windows\System\awaVaKx.exe
      2⤵
      • Executes dropped EXE
      PID:4388
    • C:\Windows\System\hEjlGEY.exe
      C:\Windows\System\hEjlGEY.exe
      2⤵
      • Executes dropped EXE
      PID:3268
    • C:\Windows\System\nbHewlH.exe
      C:\Windows\System\nbHewlH.exe
      2⤵
      • Executes dropped EXE
      PID:2256
    • C:\Windows\System\ebbPaoh.exe
      C:\Windows\System\ebbPaoh.exe
      2⤵
      • Executes dropped EXE
      PID:3500
    • C:\Windows\System\tkTnwvA.exe
      C:\Windows\System\tkTnwvA.exe
      2⤵
      • Executes dropped EXE
      PID:556
    • C:\Windows\System\bkGdnjG.exe
      C:\Windows\System\bkGdnjG.exe
      2⤵
      • Executes dropped EXE
      PID:1592
    • C:\Windows\System\IOmtonY.exe
      C:\Windows\System\IOmtonY.exe
      2⤵
      • Executes dropped EXE
      PID:4036
    • C:\Windows\System\hUCsPuQ.exe
      C:\Windows\System\hUCsPuQ.exe
      2⤵
      • Executes dropped EXE
      PID:4040
    • C:\Windows\System\xAJuAyn.exe
      C:\Windows\System\xAJuAyn.exe
      2⤵
      • Executes dropped EXE
      PID:5000
    • C:\Windows\System\RzmGEDq.exe
      C:\Windows\System\RzmGEDq.exe
      2⤵
      • Executes dropped EXE
      PID:4284
    • C:\Windows\System\LvhHQzc.exe
      C:\Windows\System\LvhHQzc.exe
      2⤵
      • Executes dropped EXE
      PID:1440
    • C:\Windows\System\fPRYZLN.exe
      C:\Windows\System\fPRYZLN.exe
      2⤵
      • Executes dropped EXE
      PID:3416
    • C:\Windows\System\xfyBEMO.exe
      C:\Windows\System\xfyBEMO.exe
      2⤵
      • Executes dropped EXE
      PID:2872
    • C:\Windows\System\YQOqzYI.exe
      C:\Windows\System\YQOqzYI.exe
      2⤵
      • Executes dropped EXE
      PID:3588
    • C:\Windows\System\xnDAVat.exe
      C:\Windows\System\xnDAVat.exe
      2⤵
      • Executes dropped EXE
      PID:3916
