Analysis
-
max time kernel
142s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2023 04:05
Behavioral task
behavioral1
Sample
415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe
Resource
win10v2004-20231023-en
General
-
Target
415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe
-
Size
6.4MB
-
MD5
945367df45a2a64398e5062cb38719e1
-
SHA1
a329a307a28e128ef11917681d09a9c4f4831a8b
-
SHA256
415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc
-
SHA512
004e039ca6114c4340b2de720698f7bd90e2424a50968ed115682adb9b1fcb0178e77ff26ccac6834759ad682c8704105343cc1671ac127acef3bc68154951c3
-
SSDEEP
98304:1uyDxMzTES27wy4Pf1N2zIh3ET9KMxVMOPUh3PdWPEUrJY6AOxbHoCvsJ1ngOcs:1LxCU4FMIZETHjPePdrQJ/BwnPc
Malware Config
Extracted
cobaltstrike
http://47.106.67.138:50001/crQ7
-
user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Extracted
cobaltstrike
100000
http://47.106.67.138:50001/ga.js
-
access_type
512
-
host
47.106.67.138,/ga.js
-
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-
http_method1
GET
-
http_method2
POST
-
polling_time
60000
-
port_number
50001
-
sc_process32
%windir%\syswow64\rundll32.exe
-
sc_process64
%windir%\sysnative\rundll32.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCueKV9Yt49USWZnc3JWTxxBPaFJbnyMFnTz/cKreUy28RGFBpqNBGN5uMZRu8HA/Ng8+Roxm1VpXht7mVmhHM6kWXC3eXcVo/ZP4VTqgX1J3TrLJ+venYrqWzvazx1ueQmsPOwbv4u5Fav25rv+wQ1rSBVnaKLGiBfnkUHA8BH/QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4096
-
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/submit.php
-
user_agent
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)
-
watermark
100000
Extracted
cobaltstrike
0
-
watermark
0
Signatures
-
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 1 IoCs
Processes:
artifact.exepid process 2064 artifact.exe -
Loads dropped DLL 2 IoCs
Processes:
415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exepid process 4260 415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe 4260 415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 1696 WINWORD.EXE 1696 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
WINWORD.EXEpid process 1696 WINWORD.EXE 1696 WINWORD.EXE 1696 WINWORD.EXE 1696 WINWORD.EXE 1696 WINWORD.EXE 1696 WINWORD.EXE 1696 WINWORD.EXE -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.execmd.execmd.exedescription pid process target process PID 3724 wrote to memory of 4260 3724 415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe 415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe PID 3724 wrote to memory of 4260 3724 415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe 415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe PID 4260 wrote to memory of 560 4260 415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe cmd.exe PID 4260 wrote to memory of 560 4260 415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe cmd.exe PID 4260 wrote to memory of 1168 4260 415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe cmd.exe PID 4260 wrote to memory of 1168 4260 415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe cmd.exe PID 560 wrote to memory of 2064 560 cmd.exe artifact.exe PID 560 wrote to memory of 2064 560 cmd.exe artifact.exe PID 1168 wrote to memory of 1696 1168 cmd.exe WINWORD.EXE PID 1168 wrote to memory of 1696 1168 cmd.exe WINWORD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe"C:\Users\Admin\AppData\Local\Temp\415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe"C:\Users\Admin\AppData\Local\Temp\415f915c2f5d53a214130d5b32a9abd1eed36aa4a2c7a28f0a34075d53c56bbc.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI37242\./xxxxexe.docx"3⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\_MEI37242\xxxxexe.docx" /o ""4⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI37242\./artifact.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\artifact.exeC:\Users\Admin\AppData\Local\Temp\_MEI37242\./artifact.exe4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\VCRUNTIME140.dllFilesize
106KB
MD54585a96cc4eef6aafd5e27ea09147dc6
SHA1489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\VCRUNTIME140.dllFilesize
106KB
MD54585a96cc4eef6aafd5e27ea09147dc6
SHA1489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_bz2.pydFilesize
82KB
MD53859239ced9a45399b967ebce5a6ba23
SHA16f8ff3df90ac833c1eb69208db462cda8ca3f8d6
SHA256a4dd883257a7ace84f96bcc6cd59e22d843d0db080606defae32923fc712c75a
SHA512030e5ce81e36bd55f69d55cbb8385820eb7c1f95342c1a32058f49abeabb485b1c4a30877c07a56c9d909228e45a4196872e14ded4f87adaa8b6ad97463e5c69
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_decimal.pydFilesize
247KB
MD565b4ab77d6c6231c145d3e20e7073f51
SHA123d5ce68ed6aa8eaabe3366d2dd04e89d248328e
SHA25693eb9d1859edca1c29594491863bf3d72af70b9a4240e0d9dd171f668f4f8614
SHA51228023446e5ac90e9e618673c879ca46f598a62fbb9e69ef925db334ad9cb1544916caf81e2ecdc26b75964dcedba4ad4de1ba2c42fb838d0df504d963fcf17ee
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_hashlib.pydFilesize
63KB
MD54255c44dc64f11f32c961bf275aab3a2
SHA1c1631b2821a7e8a1783ecfe9a14db453be54c30a
SHA256e557873d5ad59fd6bd29d0f801ad0651dbb8d9ac21545defe508089e92a15e29
SHA5127d3a306755a123b246f31994cd812e7922943cdbbc9db5a6e4d3372ea434a635ffd3945b5d2046de669e7983ef2845bd007a441d09cfe05cf346523c12bdad52
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_lzma.pydFilesize
155KB
MD5e5abc3a72996f8fde0bcf709e6577d9d
SHA115770bdcd06e171f0b868c803b8cf33a8581edd3
SHA2561796038480754a680f33a4e37c8b5673cc86c49281a287dc0c5cae984d0cb4bb
SHA512b347474dc071f2857e1e16965b43db6518e35915b8168bdeff1ead4dff710a1cc9f04ca0ced23a6de40d717eea375eedb0bf3714daf35de6a77f071db33dfae6
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\_socket.pydFilesize
77KB
MD51eea9568d6fdef29b9963783827f5867
SHA1a17760365094966220661ad87e57efe09cd85b84
SHA25674181072392a3727049ea3681fe9e59516373809ced53e08f6da7c496b76e117
SHA512d9443b70fcdc4d0ea1cb93a88325012d3f99db88c36393a7ded6d04f590e582f7f1640d8b153fe3c5342fa93802a8374f03f6cd37dd40cdbb5ade2e07fad1e09
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\artifact.exeFilesize
17KB
MD5af2d13ff1395fc1d5711d30ea2a1b67b
SHA164827b68e98aecb9a21c21bd46860c702b1c1201
SHA256beac0b29dfe8f013ad2235efcb4acab0d9b7478a1721233996bb8e5c718428c8
SHA512ac72a8a4aa1f415b66a84d0ac763ad9c0dd1c9b27b7408fce4a8183b637a8f2ec3eb0d11ce4928f578862ecac2b715ce2a761851b63ec9dc5cf75712dbb401e7
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\artifact.exeFilesize
17KB
MD5af2d13ff1395fc1d5711d30ea2a1b67b
SHA164827b68e98aecb9a21c21bd46860c702b1c1201
SHA256beac0b29dfe8f013ad2235efcb4acab0d9b7478a1721233996bb8e5c718428c8
SHA512ac72a8a4aa1f415b66a84d0ac763ad9c0dd1c9b27b7408fce4a8183b637a8f2ec3eb0d11ce4928f578862ecac2b715ce2a761851b63ec9dc5cf75712dbb401e7
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\base_library.zipFilesize
1.4MB
MD52f6d57bccf7f7735acb884a980410f6a
SHA193a6926887a08dc09cd92864cd82b2bec7b24ec5
SHA2561b7d326bad406e96a4c83b5a49714819467e3174ed0a74f81c9ebd96d1dd40b3
SHA51295bcfc66dbe7b6ad324bd2dc2258a3366a3594bfc50118ab37a2a204906109e42192fb10a91172b340cc28c12640513db268c854947fb9ed8426f214ff8889b4
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\libcrypto-1_1.dllFilesize
3.3MB
MD5e94733523bcd9a1fb6ac47e10a267287
SHA194033b405386d04c75ffe6a424b9814b75c608ac
SHA256f20eb4efd8647b5273fdaafceb8ccb2b8ba5329665878e01986cbfc1e6832c44
SHA51207dd0eb86498497e693da0f9dd08de5b7b09052a2d6754cfbc2aa260e7f56790e6c0a968875f7803cb735609b1e9b9c91a91b84913059c561bffed5ab2cbb29f
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\python311.dllFilesize
5.5MB
MD55a5dd7cad8028097842b0afef45bfbcf
SHA1e247a2e460687c607253949c52ae2801ff35dc4a
SHA256a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce
SHA512e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\python311.dllFilesize
5.5MB
MD55a5dd7cad8028097842b0afef45bfbcf
SHA1e247a2e460687c607253949c52ae2801ff35dc4a
SHA256a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce
SHA512e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\select.pydFilesize
29KB
MD5c97a587e19227d03a85e90a04d7937f6
SHA1463703cf1cac4e2297b442654fc6169b70cfb9bf
SHA256c4aa9a106381835cfb5f9badfb9d77df74338bc66e69183757a5a3774ccdaccf
SHA51297784363f3b0b794d2f9fd6a2c862d64910c71591006a34eedff989ecca669ac245b3dfe68eaa6da621209a3ab61d36e9118ebb4be4c0e72ce80fab7b43bde12
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\unicodedata.pydFilesize
1.1MB
MD5aa13ee6770452af73828b55af5cd1a32
SHA1c01ece61c7623e36a834d8b3c660e7f28c91177e
SHA2568fbed20e9225ff82132e97b4fefbb5ddbc10c062d9e3f920a6616ab27bb5b0fb
SHA512b2eeb9a7d4a32e91084fdae302953aac57388a5390f9404d8dfe5c4a8f66ca2ab73253cf5ba4cc55350d8306230dd1114a61e22c23f42fbcc5c0098046e97e0f
-
C:\Users\Admin\AppData\Local\Temp\_MEI37242\xxxxexe.docxFilesize
125KB
MD52722cb69ff1e253688f59dbe6097a151
SHA13acbc0c70b375eac304063b1c17bed14161a2886
SHA2565982357ac73ad06bcb5ba02b23d316985aebeedae322dc0a5a0cf9fdcbd91fbc
SHA5122d4b5e02ae7f947a9e50e74d7158857fee43e1bbf2519efcb244476dc121c3bec53be809fbc7e80fcfa4ec8de19f75a7c52c69761da386fdb93e9b5cede2e428
-
memory/1696-37-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-47-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-32-0x00007FF830EB0000-0x00007FF830EC0000-memory.dmpFilesize
64KB
-
memory/1696-34-0x00007FF830EB0000-0x00007FF830EC0000-memory.dmpFilesize
64KB
-
memory/1696-33-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-31-0x00007FF830EB0000-0x00007FF830EC0000-memory.dmpFilesize
64KB
-
memory/1696-35-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-36-0x00007FF830EB0000-0x00007FF830EC0000-memory.dmpFilesize
64KB
-
memory/1696-97-0x00007FF830EB0000-0x00007FF830EC0000-memory.dmpFilesize
64KB
-
memory/1696-38-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-39-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-40-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-41-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-42-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-43-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-44-0x00007FF82E550000-0x00007FF82E560000-memory.dmpFilesize
64KB
-
memory/1696-45-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-30-0x00007FF830EB0000-0x00007FF830EC0000-memory.dmpFilesize
64KB
-
memory/1696-46-0x00007FF82E550000-0x00007FF82E560000-memory.dmpFilesize
64KB
-
memory/1696-48-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-49-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-98-0x00007FF830EB0000-0x00007FF830EC0000-memory.dmpFilesize
64KB
-
memory/1696-100-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-101-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-63-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-64-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-99-0x00007FF870E30000-0x00007FF871025000-memory.dmpFilesize
2.0MB
-
memory/1696-95-0x00007FF830EB0000-0x00007FF830EC0000-memory.dmpFilesize
64KB
-
memory/1696-96-0x00007FF830EB0000-0x00007FF830EC0000-memory.dmpFilesize
64KB
-
memory/2064-65-0x00000000006C0000-0x000000000070F000-memory.dmpFilesize
316KB
-
memory/2064-59-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2064-51-0x00000000006C0000-0x000000000070F000-memory.dmpFilesize
316KB
-
memory/2064-50-0x0000000003750000-0x0000000003B50000-memory.dmpFilesize
4.0MB
-
memory/2064-29-0x0000000000020000-0x0000000000021000-memory.dmpFilesize
4KB