Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/08/2024, 11:26

General

  • Target

    2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    31673e4247eae31d066ac22e97907cf3

  • SHA1

    c39903c24a15bbe4056405f54210c59b49652486

  • SHA256

    9dc08942a9069f8cc18d378a4a19af33a18c4d75ecfd03fe3cbfbbc22d2b077f

  • SHA512

    ed518d4d7cbfd8a2c7e19a2977b486171c1a895d2d834e51dce47ad95c55b09a97075463ef41dda6c0ff8f6088dcd1f7b8de5f425f5bb711a4399e072e595dc6

  • SSDEEP

    49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lk:RWWBibf56utgpPFotBER/mQ32lUA

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 46 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3352
    • C:\Windows\System\FjBxCuW.exe
      C:\Windows\System\FjBxCuW.exe
      2⤵
      • Executes dropped EXE
      PID:1032
    • C:\Windows\System\QXZvFVt.exe
      C:\Windows\System\QXZvFVt.exe
      2⤵
      • Executes dropped EXE
      PID:1188
    • C:\Windows\System\YEVKYyq.exe
      C:\Windows\System\YEVKYyq.exe
      2⤵
      • Executes dropped EXE
      PID:4708
    • C:\Windows\System\sfxDGoe.exe
      C:\Windows\System\sfxDGoe.exe
      2⤵
      • Executes dropped EXE
      PID:4280
    • C:\Windows\System\lkTjlzX.exe
      C:\Windows\System\lkTjlzX.exe
      2⤵
      • Executes dropped EXE
      PID:712
    • C:\Windows\System\xNlkhSH.exe
      C:\Windows\System\xNlkhSH.exe
      2⤵
      • Executes dropped EXE
      PID:4220
    • C:\Windows\System\BbZAvGd.exe
      C:\Windows\System\BbZAvGd.exe
      2⤵
      • Executes dropped EXE
      PID:1880
    • C:\Windows\System\HnJgTrX.exe
      C:\Windows\System\HnJgTrX.exe
      2⤵
      • Executes dropped EXE
      PID:3056
    • C:\Windows\System\hCirSkm.exe
      C:\Windows\System\hCirSkm.exe
      2⤵
      • Executes dropped EXE
      PID:3544
    • C:\Windows\System\ADqpiVO.exe
      C:\Windows\System\ADqpiVO.exe
      2⤵
      • Executes dropped EXE
      PID:440
    • C:\Windows\System\qyJMvnk.exe
      C:\Windows\System\qyJMvnk.exe
      2⤵
      • Executes dropped EXE
      PID:3244
    • C:\Windows\System\bdRJFIs.exe
      C:\Windows\System\bdRJFIs.exe
      2⤵
      • Executes dropped EXE
      PID:2716
    • C:\Windows\System\cgvyYsx.exe
      C:\Windows\System\cgvyYsx.exe
      2⤵
      • Executes dropped EXE
      PID:3484
    • C:\Windows\System\lItmsKe.exe
      C:\Windows\System\lItmsKe.exe
      2⤵
      • Executes dropped EXE
      PID:2560
    • C:\Windows\System\oWSqqAO.exe
      C:\Windows\System\oWSqqAO.exe
      2⤵
      • Executes dropped EXE
      PID:4940
    • C:\Windows\System\VmksQfD.exe
      C:\Windows\System\VmksQfD.exe
      2⤵
      • Executes dropped EXE
      PID:900
    • C:\Windows\System\ovFtZMQ.exe
      C:\Windows\System\ovFtZMQ.exe
      2⤵
      • Executes dropped EXE
      PID:4104
    • C:\Windows\System\NtHrteb.exe
      C:\Windows\System\NtHrteb.exe
      2⤵
      • Executes dropped EXE
      PID:4744
    • C:\Windows\System\LHlqCnZ.exe
      C:\Windows\System\LHlqCnZ.exe
      2⤵
      • Executes dropped EXE
      PID:992
    • C:\Windows\System\cQNubHK.exe
      C:\Windows\System\cQNubHK.exe
      2⤵
      • Executes dropped EXE
      PID:776
    • C:\Windows\System\GLDyBYG.exe
      C:\Windows\System\GLDyBYG.exe
      2⤵
      • Executes dropped EXE
      PID:1516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System\ADqpiVO.exe

    Filesize

    5.2MB

    MD5

    6c2583c996f111f19e5b7f75afc483b3

    SHA1

    9f8d1d5f527474b84b9f6e172ab16ae35f0e101c

    SHA256

    2b8191bfda83140beb86e2143ede8b8a5233558cdd52a8f11e9a3b3229b87ec5

    SHA512

    dc29aad93ad5b7efd4fdeed38c1e9c573cdec3292823d99e9adcd15f2ca7ff45ad21d79872dad969a7ebe7508fc7c67b1b4a1f70d603c3b54359387f0a84a5b2

  • C:\Windows\System\BbZAvGd.exe

    Filesize

    5.2MB

    MD5

    e2480807fdc6b4ccc1a1416566411963

    SHA1

    82cb25938e6cb2410d0cdeead1baf7e097b0acd9

    SHA256

    8bd3613ab347cba28a8cfdfa0353e1246de18d4bfdb42512f1f8e9dbd6e5d9c6

    SHA512

    216ceff4364b986992eec3414a3202015ed816f11adc1a8705698ab9f2c80ba4196f9e2cd6ed928ba8a5b12dcb14c32ecb36d525318edccc10f24717e7c81332

  • C:\Windows\System\FjBxCuW.exe

    Filesize

    5.2MB

    MD5

    e8fa3f6841807d9afb9e89ecd8adfaea

    SHA1

    93cf284a25383997ea077ae006659288b6a6b484

    SHA256

    49bb4e10ed381dbcf5bd994f1699cefb6a3983ab9c3985de8c1d2491f5e906c6

    SHA512

    e8e401f84e84e9ea521b95acf12d5e5fbe622feb5a10dd76bf4af15b6402078e463a9c06b534f9e61c05825fd3b44c9eda4f7c4045b7b04a7ddffdea5f815788

  • C:\Windows\System\GLDyBYG.exe

    Filesize

    5.2MB

    MD5

    e032952e73475f0e6c9d4003cc4adf41

    SHA1

    162589ef8c75fffa70e1e299ab4ca87ba08baf4d

    SHA256

    647fd13facb74876ec209a0733fc791264640d58e014bb5a7611b42e9d430e68

    SHA512

    d8c221179149e068349c7ff9ece5721a64c10ca7dc25f048f46eff8da800a0ff82f620ab49591d7f74986facffc90dc07afb5f51fcd4801a6c1ac7aed2b960ce

  • C:\Windows\System\HnJgTrX.exe

    Filesize

    5.2MB

    MD5

    d3a76127cd59c2dcbd1a63a59b60e73b

    SHA1

    84a746446aa28161849a58c6bd6d761246056dab

    SHA256

    d15bc19edd2ff7179216cfe7854bb327675abdc8b64d65f57157f4ff82d41de4

    SHA512

    331a83d8b2323b65d024de9ae6e258d56b3b0b413e3423d364935e6d861252f257dfd10be0d5810743fb736f16a72356da373637ad3a266ec8b74d6cfd4318b8

  • C:\Windows\System\LHlqCnZ.exe

    Filesize

    5.2MB

    MD5

    d8d489b54d3997a4acff082fb366ff92

    SHA1

    e8b395136af54e9b181b4a308c2f9ccee83f9470

    SHA256

    3ac5207e873b0e1f063f44fc9951c471545c81096ac50ea2fa6914627baf1997

    SHA512

    a2f57c80ea180e8f999390123817aafdf3437b2fd3900d47a8ad750dc5d6ced0e31f004e7b72548bd737adee150ec34fb5469ff123c014a27767a8acfc5bc4e5

  • C:\Windows\System\NtHrteb.exe

    Filesize

    5.2MB

    MD5

    5f8c8bda73e71eed27d6ed53a23a03e3

    SHA1

    d2651135b02aea22b5c70a7b2e4f9fb424f8e8b9

    SHA256

    20047d58aca3acff7ba22709f20e598f0f2cd1ba21da80fe5556fa05a420bf84

    SHA512

    bc9c84047d48d36e93bedcc500ed7e7ee74721979765b0cc62ea7d56cbede5df9764920583a51e25866c8757c4f7b702f239f2c541a619d1ef15f368db40c6ff

  • C:\Windows\System\QXZvFVt.exe

    Filesize

    5.2MB

    MD5

    d7378d35b0bdd9da0cda68688417bc04

    SHA1

    a18682c31572a35d95990195d56df0d0c100fdb7

    SHA256

    017a6e607e36d9215fce1ad9ad509e6ccf145c4c91c3f681317e6ccdf2bdff64

    SHA512

    1546af34ad9f3e1e81500739dc5f10307f9bcf2d4ddf9daaf3e5c87fceb6ac7cda6839eaf27150995f7dd1b24f57a9fcd81428c52b3ec7894cebe43d9fa94c17

  • C:\Windows\System\VmksQfD.exe

    Filesize

    5.2MB

    MD5

    d36d365b614faeea4f86f6a7746dce48

    SHA1

    21ce70eb2d20ec25a82828270481b2487e3ea3fe

    SHA256

    734d707e9907fc052b2127afc9a7ec5f7055991a4b6e502a58fae1f4bcc34075

    SHA512

    88305bf00f12469d0a0d61fd938606872b2a13666ab596fe6ce6f5284f2ad85e6db0b602927dd13048f46a72789b38dc3c7a7f6f55c31d9ca91ab47a530f8b8e

  • C:\Windows\System\YEVKYyq.exe

    Filesize

    5.2MB

    MD5

    51b300dfd3d8dfe39b1815c66d6b253a

    SHA1

    f4cedf4e456ac8d7f6c712abe365390792b9cad5

    SHA256

    7c4a6650d2e7e237f587ba2cfc7329d59fa3936b0ba79ea8e38c1109b525be71

    SHA512

    c1a23137ccb568470312928e71d6eebb77cc7fae45997614cdd2d221c3010e5563fc43a73846455e0e52e2cbbf60a634d55cfcab108fd40ce35ff4c8fe558813

  • C:\Windows\System\bdRJFIs.exe

    Filesize

    5.2MB

    MD5

    1fa12096508c3758bd3ddbf9be648964

    SHA1

    224ac0cbeb61e1495729cb4c75a44c401e7cee40

    SHA256

    c33e78f25e37f3a67acacade190ce3c529a0e57bf09a17b394f57f02c03e9fe6

    SHA512

    d1ad99754cf2eb019c011b2b26b4578580bb9c9e99d3ffc887937d5203de2307a43a8bce5ae3f4bd611d4d6bde68ddf63fd4b2c5082c61708bc5a81bdaca15c0

  • C:\Windows\System\cQNubHK.exe

    Filesize

    5.2MB

    MD5

    5fad8d860d8f195a113df5cd79864250

    SHA1

    20ba13de75c87dfc7744448e1bddff9bef97da2f

    SHA256

    c6a3c659532ed50824ab507ad5a23cfd0d31f537860da1dc77c57ce6e954c59a

    SHA512

    c0cb9e295fb1cdee4036c727cbce441f49ed9e2614aa5bf2218dbf4420636a56be491fdeaab30df088a8ba04f4745026a52381d9c248a3b0060430760442c47c

  • C:\Windows\System\cgvyYsx.exe

    Filesize

    5.2MB

    MD5

    e00950f43b0f7be7fc64b684fb3c4870

    SHA1

    77a76239829f5097b0f2be6195704398bd33cd2a

    SHA256

    30a76e28dda71078a26f45e7a6cb338902713a9572634950e6427d7da6faa12b

    SHA512

    901f26e4bb2008527709808773b78ac91a41528745123866224b26cacfe678839cc95943d214c542d0dd52a7189e846a3f8eef53dce1de49d6fb5f7b4d36690a

  • C:\Windows\System\hCirSkm.exe

    Filesize

    5.2MB

    MD5

    93e262a9e74bf3c44c1cb730de184b0e

    SHA1

    c626a8d93cdcfdd5656e82d162acf4a77c41adfa

    SHA256

    ef43e3500bcc66989ce727b775b5a7efd4808f52efe74c95d6f550c363530022

    SHA512

    cc5d82fb68b811637d3477e7e7fd127ff2ba1afb0ad2cc165e058366260565d8ccd718fa6be1bf3ea619bf792ec9401cf629b9b896bf9d9947c86493633de0ff

  • C:\Windows\System\lItmsKe.exe

    Filesize

    5.2MB

    MD5

    ac269a7c7f990cab81b4fb599f0846ef

    SHA1

    4ad00c599aef5642575b902889254a4bbf13a97c

    SHA256

    e0aa76d4964649872309ba61d600a1f610694d251aaa156ae18c207b1e71d649

    SHA512

    fbd784d91f285df05ebe72741291e4121431ac1b24e51c071e29b482f5074a9ebcd859327912317f4ad952c22fe779263138aad4182c83764ddf002bbb028e8c

  • C:\Windows\System\lkTjlzX.exe

    Filesize

    5.2MB

    MD5

    7baf4d303584a39e0be2f3ec81d6779d

    SHA1

    7ba4922f5749a64a0e37da9d013c80194cf42167

    SHA256

    8377a857efabc0d5bd083545f9a9d78014784d3474f489d69464d6239b605856

    SHA512

    c134fd6c9cf3326a8f0b9000dfcfc69cfa44f5de932144df2da0bdd8a49225e0e95da16840364ad9aeb4a3d5e6f726b9a02cd7397a18790a372fe6a3425f5cd9

  • C:\Windows\System\oWSqqAO.exe

    Filesize

    5.2MB

    MD5

    facc283c552d499f18cc317bd2dee48c

    SHA1

    821a7d8b6095c87b07d96ebca06d55b8b1383106

    SHA256

    2d8d7a9e2306b59aa57f5cd27fb7747f7e02f6cc21ebefa36bde32a5d8c123db

    SHA512

    94dd57a8982d06c67379001898e63c780b9695c917c81c5c438deaa2df60cfd8a9f6aac1de917f0b86c60958e726ccfd779ca2f4a43d72f766176af93c7ccf8a

  • C:\Windows\System\ovFtZMQ.exe

    Filesize

    5.2MB

    MD5

    35a70af3a989d82bd9ca87e04fa6f19e

    SHA1

    aefa5f268746b98cd1bbde79578f1d936a662281

    SHA256

    8244541193388ec0c36a2e42c14d81180a029489079fb1aae9fbe975eb8849a4

    SHA512

    e404480c7349e0fa3ebe9e695bce8b251ccbefbc61d0865a373eee74a34b3af274496133d9cc717fb234323714f5102e3542d5e85161600a02b5f9e3ee9116a3

  • C:\Windows\System\qyJMvnk.exe

    Filesize

    5.2MB

    MD5

    6e24d3cb8f69e2276bde10fc5dbd44d0

    SHA1

    ecb9dac4b91d33d1890a1c509b4b89079dd3cd70

    SHA256

    17e8587ff7914772fb30e5b1b8cafd831ec0403f1c79eaa9661acb46d98fe128

    SHA512

    e04486d6c1a9a992542fd365dc08981f445c1f7163cfc9cf47a474adc09268062c43c28dc925aee9c1a31f5d13af0bd5eb79864b127c3f72e1711661fa99ae79

  • C:\Windows\System\sfxDGoe.exe

    Filesize

    5.2MB

    MD5

    43cbfe605aaeedfedee64ac7ef04aac9

    SHA1

    4137f14e350a0a08e27a793a5d2b7588fb48c61c

    SHA256

    4bbf370c33c818498257c297ebc2efd333640270497552e168c69e1f5354420b

    SHA512

    408bc153a21a573dd349de18f1f7cd9d85d8d7569ffdbc33c847b12d25c6da67daa3f621d8c3c9c9e6be4d1d1b598fc4343907b4eb9ba190d7912b12bacdf189

  • C:\Windows\System\xNlkhSH.exe

    Filesize

    5.2MB

    MD5

    e87503ac0486a4378abcf0586a21f0cd

    SHA1

    7807da7eabc8e6dbc9df2807251c7a40d82281a9

    SHA256

    8eabbee432808eddcea0029215e5c01db210939e19498f983a9269a34f1df3e8

    SHA512

    2d5552df5e6058c505e4c2adcf5aa5cd2bafbd55ba88cae3c85b323634deb2117b1c50cec9ced2c55d995faee6d38a3d6536fb95ead0b47836727dd4d2ccf0e0

  • memory/440-232-0x00007FF7992F0000-0x00007FF799641000-memory.dmp

    Filesize

    3.3MB

  • memory/440-60-0x00007FF7992F0000-0x00007FF799641000-memory.dmp

    Filesize

    3.3MB

  • memory/440-141-0x00007FF7992F0000-0x00007FF799641000-memory.dmp

    Filesize

    3.3MB

  • memory/712-30-0x00007FF7BDB70000-0x00007FF7BDEC1000-memory.dmp

    Filesize

    3.3MB

  • memory/712-220-0x00007FF7BDB70000-0x00007FF7BDEC1000-memory.dmp

    Filesize

    3.3MB

  • memory/712-136-0x00007FF7BDB70000-0x00007FF7BDEC1000-memory.dmp

    Filesize

    3.3MB

  • memory/776-258-0x00007FF6D7EE0000-0x00007FF6D8231000-memory.dmp

    Filesize

    3.3MB

  • memory/776-132-0x00007FF6D7EE0000-0x00007FF6D8231000-memory.dmp

    Filesize

    3.3MB

  • memory/900-124-0x00007FF78C620000-0x00007FF78C971000-memory.dmp

    Filesize

    3.3MB

  • memory/900-247-0x00007FF78C620000-0x00007FF78C971000-memory.dmp

    Filesize

    3.3MB

  • memory/992-256-0x00007FF778C90000-0x00007FF778FE1000-memory.dmp

    Filesize

    3.3MB

  • memory/992-131-0x00007FF778C90000-0x00007FF778FE1000-memory.dmp

    Filesize

    3.3MB

  • memory/1032-7-0x00007FF7D34B0000-0x00007FF7D3801000-memory.dmp

    Filesize

    3.3MB

  • memory/1032-203-0x00007FF7D34B0000-0x00007FF7D3801000-memory.dmp

    Filesize

    3.3MB

  • memory/1032-73-0x00007FF7D34B0000-0x00007FF7D3801000-memory.dmp

    Filesize

    3.3MB

  • memory/1188-121-0x00007FF7B61A0000-0x00007FF7B64F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1188-205-0x00007FF7B61A0000-0x00007FF7B64F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1188-14-0x00007FF7B61A0000-0x00007FF7B64F1000-memory.dmp

    Filesize

    3.3MB

  • memory/1516-260-0x00007FF773910000-0x00007FF773C61000-memory.dmp

    Filesize

    3.3MB

  • memory/1516-133-0x00007FF773910000-0x00007FF773C61000-memory.dmp

    Filesize

    3.3MB

  • memory/1880-138-0x00007FF787660000-0x00007FF7879B1000-memory.dmp

    Filesize

    3.3MB

  • memory/1880-42-0x00007FF787660000-0x00007FF7879B1000-memory.dmp

    Filesize

    3.3MB

  • memory/1880-227-0x00007FF787660000-0x00007FF7879B1000-memory.dmp

    Filesize

    3.3MB

  • memory/2560-254-0x00007FF650BE0000-0x00007FF650F31000-memory.dmp

    Filesize

    3.3MB

  • memory/2560-134-0x00007FF650BE0000-0x00007FF650F31000-memory.dmp

    Filesize

    3.3MB

  • memory/2716-235-0x00007FF6C85E0000-0x00007FF6C8931000-memory.dmp

    Filesize

    3.3MB

  • memory/2716-143-0x00007FF6C85E0000-0x00007FF6C8931000-memory.dmp

    Filesize

    3.3MB

  • memory/2716-74-0x00007FF6C85E0000-0x00007FF6C8931000-memory.dmp

    Filesize

    3.3MB

  • memory/3056-224-0x00007FF6ED0A0000-0x00007FF6ED3F1000-memory.dmp

    Filesize

    3.3MB

  • memory/3056-54-0x00007FF6ED0A0000-0x00007FF6ED3F1000-memory.dmp

    Filesize

    3.3MB

  • memory/3244-233-0x00007FF6BCC10000-0x00007FF6BCF61000-memory.dmp

    Filesize

    3.3MB

  • memory/3244-69-0x00007FF6BCC10000-0x00007FF6BCF61000-memory.dmp

    Filesize

    3.3MB

  • memory/3244-142-0x00007FF6BCC10000-0x00007FF6BCF61000-memory.dmp

    Filesize

    3.3MB

  • memory/3352-126-0x00007FF73BBF0000-0x00007FF73BF41000-memory.dmp

    Filesize

    3.3MB

  • memory/3352-1-0x0000028C88810000-0x0000028C88820000-memory.dmp

    Filesize

    64KB

  • memory/3352-153-0x00007FF73BBF0000-0x00007FF73BF41000-memory.dmp

    Filesize

    3.3MB

  • memory/3352-66-0x00007FF73BBF0000-0x00007FF73BF41000-memory.dmp

    Filesize

    3.3MB

  • memory/3352-0-0x00007FF73BBF0000-0x00007FF73BF41000-memory.dmp

    Filesize

    3.3MB

  • memory/3484-122-0x00007FF6C7C20000-0x00007FF6C7F71000-memory.dmp

    Filesize

    3.3MB

  • memory/3484-248-0x00007FF6C7C20000-0x00007FF6C7F71000-memory.dmp

    Filesize

    3.3MB

  • memory/3544-140-0x00007FF662CB0000-0x00007FF663001000-memory.dmp

    Filesize

    3.3MB

  • memory/3544-229-0x00007FF662CB0000-0x00007FF663001000-memory.dmp

    Filesize

    3.3MB

  • memory/3544-52-0x00007FF662CB0000-0x00007FF663001000-memory.dmp

    Filesize

    3.3MB

  • memory/4104-125-0x00007FF71E650000-0x00007FF71E9A1000-memory.dmp

    Filesize

    3.3MB

  • memory/4104-251-0x00007FF71E650000-0x00007FF71E9A1000-memory.dmp

    Filesize

    3.3MB

  • memory/4220-226-0x00007FF7694C0000-0x00007FF769811000-memory.dmp

    Filesize

    3.3MB

  • memory/4220-36-0x00007FF7694C0000-0x00007FF769811000-memory.dmp

    Filesize

    3.3MB

  • memory/4220-137-0x00007FF7694C0000-0x00007FF769811000-memory.dmp

    Filesize

    3.3MB

  • memory/4280-22-0x00007FF6E0660000-0x00007FF6E09B1000-memory.dmp

    Filesize

    3.3MB

  • memory/4280-135-0x00007FF6E0660000-0x00007FF6E09B1000-memory.dmp

    Filesize

    3.3MB

  • memory/4280-217-0x00007FF6E0660000-0x00007FF6E09B1000-memory.dmp

    Filesize

    3.3MB

  • memory/4708-221-0x00007FF66A3A0000-0x00007FF66A6F1000-memory.dmp

    Filesize

    3.3MB

  • memory/4708-18-0x00007FF66A3A0000-0x00007FF66A6F1000-memory.dmp

    Filesize

    3.3MB

  • memory/4708-130-0x00007FF66A3A0000-0x00007FF66A6F1000-memory.dmp

    Filesize

    3.3MB

  • memory/4744-129-0x00007FF7BB450000-0x00007FF7BB7A1000-memory.dmp

    Filesize

    3.3MB

  • memory/4744-245-0x00007FF7BB450000-0x00007FF7BB7A1000-memory.dmp

    Filesize

    3.3MB

  • memory/4940-123-0x00007FF72DDC0000-0x00007FF72E111000-memory.dmp

    Filesize

    3.3MB

  • memory/4940-253-0x00007FF72DDC0000-0x00007FF72E111000-memory.dmp

    Filesize

    3.3MB