Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-08-2024 20:22

General

  • Target

    2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    35fd3e6cfdf21d052e03cfd295554f4a

  • SHA1

    01c8baa8e0e87d64866f756a9397502c7a70b55b

  • SHA256

    fe976a7e383b394424552a3b9084fefeeab182f64ca5032daa0e9aff4fb6df53

  • SHA512

    85ec2a8af8b804afcee9578b3432ff77b7514f31300b94c70f2007dc386337a6b76d4b439460a8d7dfacd51b184d79199886cce463f0039bf87f0de8d8fb3cd3

  • SSDEEP

    49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lS:RWWBibf56utgpPFotBER/mQ32lUW

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • unknown1

    4096

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 46 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\System\yKPudEa.exe
      C:\Windows\System\yKPudEa.exe
      2⤵
      • Executes dropped EXE
      PID:4380
    • C:\Windows\System\HgGnpFq.exe
      C:\Windows\System\HgGnpFq.exe
      2⤵
      • Executes dropped EXE
      PID:3480
    • C:\Windows\System\OrmLigu.exe
      C:\Windows\System\OrmLigu.exe
      2⤵
      • Executes dropped EXE
      PID:1240
    • C:\Windows\System\IWcTIMM.exe
      C:\Windows\System\IWcTIMM.exe
      2⤵
      • Executes dropped EXE
      PID:1936
    • C:\Windows\System\WXaKnOp.exe
      C:\Windows\System\WXaKnOp.exe
      2⤵
      • Executes dropped EXE
      PID:4940
    • C:\Windows\System\ClnYSCM.exe
      C:\Windows\System\ClnYSCM.exe
      2⤵
      • Executes dropped EXE
      PID:1244
    • C:\Windows\System\dDThacf.exe
      C:\Windows\System\dDThacf.exe
      2⤵
      • Executes dropped EXE
      PID:1636
    • C:\Windows\System\hwBhhiK.exe
      C:\Windows\System\hwBhhiK.exe
      2⤵
      • Executes dropped EXE
      PID:2756
    • C:\Windows\System\lVNCYWf.exe
      C:\Windows\System\lVNCYWf.exe
      2⤵
      • Executes dropped EXE
      PID:3228
    • C:\Windows\System\bUgPkol.exe
      C:\Windows\System\bUgPkol.exe
      2⤵
      • Executes dropped EXE
      PID:2956
    • C:\Windows\System\cqtoraH.exe
      C:\Windows\System\cqtoraH.exe
      2⤵
      • Executes dropped EXE
      PID:960
    • C:\Windows\System\agmRdfb.exe
      C:\Windows\System\agmRdfb.exe
      2⤵
      • Executes dropped EXE
      PID:1752
    • C:\Windows\System\qZhMbBf.exe
      C:\Windows\System\qZhMbBf.exe
      2⤵
      • Executes dropped EXE
      PID:3780
    • C:\Windows\System\HEvnwHm.exe
      C:\Windows\System\HEvnwHm.exe
      2⤵
      • Executes dropped EXE
      PID:4532
    • C:\Windows\System\KzLbSAn.exe
      C:\Windows\System\KzLbSAn.exe
      2⤵
      • Executes dropped EXE
      PID:1040
    • C:\Windows\System\CkOCVlW.exe
      C:\Windows\System\CkOCVlW.exe
      2⤵
      • Executes dropped EXE
      PID:4492
    • C:\Windows\System\yocSFip.exe
      C:\Windows\System\yocSFip.exe
      2⤵
      • Executes dropped EXE
      PID:4388
    • C:\Windows\System\kHiNZGj.exe
      C:\Windows\System\kHiNZGj.exe
      2⤵
      • Executes dropped EXE
      PID:4036
    • C:\Windows\System\oexSsrm.exe
      C:\Windows\System\oexSsrm.exe
      2⤵
      • Executes dropped EXE
      PID:3896
    • C:\Windows\System\LerOdFh.exe
      C:\Windows\System\LerOdFh.exe
      2⤵
      • Executes dropped EXE
      PID:4448
    • C:\Windows\System\BMHYBEd.exe
      C:\Windows\System\BMHYBEd.exe
      2⤵
      • Executes dropped EXE
      PID:2428

Downloads
