Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-08-2024 20:44

General

  • Target

    2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    3e6b4053e06fd3dafd9ef15112bfb66d

  • SHA1

    246516c368838a667aaca52e2a5b44c44fed862c

  • SHA256

    82ddcf208870b5e00846fbd3bf96f43a4447386d9919458a312420aaf72fad6a

  • SHA512

    3db631a6d374b40125c3bebb426092ba1efcccc7b848abc36918214fb2c0921a9f5dc569a1667600894b01b96365ae2597b57305f381916ca96df8b8bc48cbee

  • SSDEEP

    49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibf56utgpPFotBER/mQ32lUQ

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 45 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3320
    • C:\Windows\System\ZHPNJPC.exe
      C:\Windows\System\ZHPNJPC.exe
      2⤵
      • Executes dropped EXE
      PID:3948
    • C:\Windows\System\jbGLeSG.exe
      C:\Windows\System\jbGLeSG.exe
      2⤵
      • Executes dropped EXE
      PID:1856
    • C:\Windows\System\qlFmlJt.exe
      C:\Windows\System\qlFmlJt.exe
      2⤵
      • Executes dropped EXE
      PID:2896
    • C:\Windows\System\NkgTGsz.exe
      C:\Windows\System\NkgTGsz.exe
      2⤵
      • Executes dropped EXE
      PID:3680
    • C:\Windows\System\LZewaqy.exe
      C:\Windows\System\LZewaqy.exe
      2⤵
      • Executes dropped EXE
      PID:4832
    • C:\Windows\System\AuFXGrm.exe
      C:\Windows\System\AuFXGrm.exe
      2⤵
      • Executes dropped EXE
      PID:4128
    • C:\Windows\System\RayVyuD.exe
      C:\Windows\System\RayVyuD.exe
      2⤵
      • Executes dropped EXE
      PID:4480
    • C:\Windows\System\eiNJBKx.exe
      C:\Windows\System\eiNJBKx.exe
      2⤵
      • Executes dropped EXE
      PID:4884
    • C:\Windows\System\uTbUDxE.exe
      C:\Windows\System\uTbUDxE.exe
      2⤵
      • Executes dropped EXE
      PID:1512
    • C:\Windows\System\zEIlgpV.exe
      C:\Windows\System\zEIlgpV.exe
      2⤵
      • Executes dropped EXE
      PID:2740
    • C:\Windows\System\NtYGPmQ.exe
      C:\Windows\System\NtYGPmQ.exe
      2⤵
      • Executes dropped EXE
      PID:2768
    • C:\Windows\System\bEMESrx.exe
      C:\Windows\System\bEMESrx.exe
      2⤵
      • Executes dropped EXE
      PID:1208
    • C:\Windows\System\FdUqPVy.exe
      C:\Windows\System\FdUqPVy.exe
      2⤵
      • Executes dropped EXE
      PID:952
    • C:\Windows\System\AjIkJVh.exe
      C:\Windows\System\AjIkJVh.exe
      2⤵
      • Executes dropped EXE
      PID:1672
    • C:\Windows\System\PdAWZSZ.exe
      C:\Windows\System\PdAWZSZ.exe
      2⤵
      • Executes dropped EXE
      PID:2576
    • C:\Windows\System\kqkYUsQ.exe
      C:\Windows\System\kqkYUsQ.exe
      2⤵
      • Executes dropped EXE
      PID:4400
    • C:\Windows\System\WQMNYvn.exe
      C:\Windows\System\WQMNYvn.exe
      2⤵
      • Executes dropped EXE
      PID:1020
    • C:\Windows\System\KtXDbou.exe
      C:\Windows\System\KtXDbou.exe
      2⤵
      • Executes dropped EXE
      PID:2916
    • C:\Windows\System\iygrAYr.exe
      C:\Windows\System\iygrAYr.exe
      2⤵
      • Executes dropped EXE
      PID:3216
    • C:\Windows\System\wgCnGuY.exe
      C:\Windows\System\wgCnGuY.exe
      2⤵
      • Executes dropped EXE
      PID:4624
    • C:\Windows\System\cDWbzxb.exe
      C:\Windows\System\cDWbzxb.exe
      2⤵
      • Executes dropped EXE
      PID:4240
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4056,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:8
    1⤵
      PID:780

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\System\AjIkJVh.exe

      Filesize

      5.2MB

      MD5

      42da02e06bd7f8484e0f7dc3b25ce12c

      SHA1

      88d29d124e6a3c4ef61f25945dc74fcf4aa463ed

      SHA256

      a9d4d99ba7f2bb063731fefb67593485b3d2592a79c6e722172902fab072d4cc

      SHA512

      1014f97e7b19336051f585203a10a3f99599dffd0e8e434e01e5bcf26282ff48820f3a2b36cecc72057072f207c5b1e96f1fa080b8b2dafbd05ec4738dd64e7c

    • C:\Windows\System\AuFXGrm.exe

      Filesize

      5.2MB

      MD5

      0b98af4559cafd5941e57377fd31182b

      SHA1

      c3196f2f03f97aafe006ef76c80099c6b49e7e42

      SHA256

      d4532636dd67df286b9ba773982d21e9215e7e6eed672f4f15380942e9bdfd8b

      SHA512

      258139e18937eadf93d83bd598a8721ddffe07e23c44139cf9abafd7f5ffb7dfb1da499d78b0a3b621fca79e2e09b5279443818b82895a471d9967ca7133ba71

    • C:\Windows\System\FdUqPVy.exe

      Filesize

      5.2MB

      MD5

      ddfc0ea6efae48bb92b28c25ddd8986b

      SHA1

      38acb6921f00f3229a2998f3a4a5bde29161c910

      SHA256

      7fbc6c6f057be30c442ad75f97335d7255ba9c38ac8e6f1bfa6e5912203828c1

      SHA512

      b8f29974585f8a0a4cd02c9bdb3e9cad916db507d3fb9db201fe846f8d2c5487252b97a186051c4b0d71babe6db1097810da4c7f7d484c10cb78f71c4631506a

    • C:\Windows\System\KtXDbou.exe

      Filesize

      5.2MB

      MD5

      e2130a192ee4addccababf4ec1fa4aac

      SHA1

      254c056c7ac2d57c3f3c11eb8eb37cd6414ac483

      SHA256

      00ab6c187f607b546fc082e66b094ce5fecdfb2ee0ed76f68f31ea8cafe33bd8

      SHA512

      d86c9c40feae4b8148396882ff0ad9c729ef3175d1cf51ecf4cb78d77c7afb56b418157b9c5624e312e6ecd9744c819abefe971ca020b215491286c0f4118d83

    • C:\Windows\System\LZewaqy.exe

      Filesize

      5.2MB

      MD5

      c97481e16df51133685ba9168bbaa696

      SHA1

      81fa6ec75700ae4ef85ea8e321b4261eeff98149

      SHA256

      29bd6b579fb444c336ca5369d339a8d97705e51bbecac46e9f32e0e1d6686937

      SHA512

      edb983e9921f7dd3a54ea22fe976f576865d474be58982bd79fe3e2fef37fdadc0b444723ce3c595945d4059f0d7081775b1b2a4fe6f0687cee5ada1398d9cbc

    • C:\Windows\System\NkgTGsz.exe

      Filesize

      5.2MB

      MD5

      4e1a83cee8e092bab19cb01af02434d2

      SHA1

      99b235c1f6554a40fe8b9a48631bd53dacd041f6

      SHA256

      7b6d8f58037d964554a5c0bf68ceffc80f425d59621a7b3d594e496e405f4c6e

      SHA512

      1168ecdbbd1aa259b0c15324e49c4d28bf207d5ccdd582a4f87222cb28e27a286e0017d7cc3c428e154b6e43bc2108c4492a1cb902cc33a4de95c3b801e714c3

    • C:\Windows\System\NtYGPmQ.exe

      Filesize

      5.2MB

      MD5

      61eb30d01c5de07d2d73e20c40c00e38

      SHA1

      6aaf9d390311fed175baa9284e7eacc9b66a66b7

      SHA256

      9c4bc505c8291753bbcf9e581429ab693441eaae74e81ac28c2b2c28633476eb

      SHA512

      4cc2465ad95d8e2550a811f0967c7f0acde9599ca0da0f33d2cdb19fbb8bcad6ade2988431d2b4c05a658a5b641acfe0dc93310415e37938d0f71a1600bd24bf

    • C:\Windows\System\PdAWZSZ.exe

      Filesize

      5.2MB

      MD5

      7703a69c3e61f3ccaf2f9096311e264e

      SHA1

      48b999e6ff78353fc140dbfd9d6385f61869a1c1

      SHA256

      9b3c6868e2893b0b18e02b3f38f469cdf2f0abee191f2ec61c5102894f605022

      SHA512

      b44ead27ef6ade20a0b1c494d616e4ab5a9cb3854b4288570f56119822a129b2601e5531add15653a80b90cfb252b5000ce7fe5956fce60a469b25356df997bb

    • C:\Windows\System\RayVyuD.exe

      Filesize

      5.2MB

      MD5

      5d3afc8db59d4d122416aac48a802a25

      SHA1

      a060888afcc54f5562f77fa192044f112fa35513

      SHA256

      683afcb99f53b1f83b1fe107ebcea14eb3eaf19ea1f1b6012b841fd8a39ab0f9

      SHA512

      9d6196b8d6b2c44b105f400e793ba742b65f9b051628fb5babce0529af1d7c47f2a4270c6053becc59ce070470d7b11d13d3420474cee1037b7c29e3b45fd534

    • C:\Windows\System\WQMNYvn.exe

      Filesize

      5.2MB

      MD5

      d2eb2c97fa6c40987a6e38bf7b1c100c

      SHA1

      94bf4762e3e43e977b3d44225ff6545461b395dc

      SHA256

      b177aa4837857e811354facf9d86cf4ac28448ca268b82454b357573173d178e

      SHA512

      f9825cbd65f09df478be20a2bcabcc1fd7664e371900ea3ab69e680437fc6758ecd188f0f1e5552c50b5e4c9b1aaf21fe0ba329cef149560e9136c3152a5b407

    • C:\Windows\System\ZHPNJPC.exe

      Filesize

      5.2MB

      MD5

      ee131c0f690bf0a34c6119eaf77e165a

      SHA1

      9d8d0cff4b715ebc9bb2d48bf2c81bad0ede4bbd

      SHA256

      771963d26310700fea53c647b86c90499b2d03abfe18e5513957c53f9c3fa6cb

      SHA512

      23e0de3a766a8456be1b291eeeba4ffd69aa85f10253b0d38d38f37ea537c69e18ead4070f108c6cff230f8f1d3f48cecc21b8c625b07f297094c54943e3303c

    • C:\Windows\System\bEMESrx.exe

      Filesize

      5.2MB

      MD5

      2a915343a3b94ce5e9e08df617e80f73

      SHA1

      f48ab84f681f53b9ac757590abf7acffce4f1088

      SHA256

      6c7f3b82a2f269b8df0df3672348725602498140812c2f4e9e404ab925da79ad

      SHA512

      5adf48b8a2ca447217df58b6b7019fd0bebd94eb3c0a28a6d55778397540d29fb249689947ce7eeac50ce6c61cc8223c0b7a71777ffb33e7e4b686ad82308985

    • C:\Windows\System\cDWbzxb.exe

      Filesize

      5.2MB

      MD5

      188b211175e19dda47f03a8508f14773

      SHA1

      53c1062bc40f14973a35d2e69f33859676d935ad

      SHA256

      f8d57827465f740fdefb2ca36dfb9fc805ee4bdc23a0980553c147dc4ae690e8

      SHA512

      a603ecee53d6b85a0569bb08442a49ebf378cf0db5545f83e1e0243919350891591d829cc4515ba997c52c3ede37943ffead1d9ff17d864521ea34ae703c8004

    • C:\Windows\System\eiNJBKx.exe

      Filesize

      5.2MB

      MD5

      60c2528a73238ec0a292fa0cf926b100

      SHA1

      a120925a6b504b3a4b81ca9a82419ce51636e172

      SHA256

      efbadc4e4fad1ffeea05ed8ee0aa5f2c2de25347ac22c947e6e79dc61bf61e00

      SHA512

      6e30e6fbbca267be481944122ab60a840f0ef76d01606c4eacd789d01d79ecaee74acf7f98842a70a4dd987e94563adeeb27e33b7026e8a44e5a00cdb4244554

    • C:\Windows\System\iygrAYr.exe

      Filesize

      5.2MB

      MD5

      90c9521aff97adaa6cb3b77ce838dbfa

      SHA1

      d398bf100e369ea3a34564b40ebeda9f7053b94e

      SHA256

      29a10bd85c56d7b03983fbe997aa03ae51665d12d370ffdae5f6350b5738af86

      SHA512

      19bcd0a30dc35a85dbd859cb37313c35df7283e0695a51bdae01019204697f02d4257ae94f3f88bffbd11142e5fd9a4a9f288df81b1faa24da5f8d247e51fcf9

    • C:\Windows\System\jbGLeSG.exe

      Filesize

      5.2MB

      MD5

      9180475dc85b14a9d94040ad7378f3a2

      SHA1

      6f1615f35f03f78106047709b5d330d210b3d22a

      SHA256

      4d381a9468de0d688ecc12b2c9a688b43535f75d90c0d83c58e52cff4151aef8

      SHA512

      c426fc6babd786fcdb0bb3e0406c11c77fdb569f7bd81e1e134fdc1c7d8e161c8692750e90c76bd1b6bc18958d0f20b2131992d29f8f9261c9ba0f335bbd3033

    • C:\Windows\System\kqkYUsQ.exe

      Filesize

      5.2MB

      MD5

      1b2f6c220a0d78067add47cd17da681c

      SHA1

      cc0dae9ada470ec0bb900addd84bd20a756fffe8

      SHA256

      3f32b6b5f74c7fd70bae724a37aae55332f909723ed3fd2383d52d0b608b7b1c

      SHA512

      efdbf220c0f895c1bbb5cfedfb05b8ed9d7377e632f8ffe246f0d835c08cc91cd120aa97813e69cc7ccb4d34ce8a9adb68c780f5518eb3ae97cf0e17ca75df19

    • C:\Windows\System\qlFmlJt.exe

      Filesize

      5.2MB

      MD5

      08308c8789368cb5ae0f9e3d999bbdde

      SHA1

      0582db3f35d89b575f84e533ec7cb5804753b871

      SHA256

      a4409086020be1a187ca38e3c9a4463bd32b7a2186db56847ae22fe6f7572f39

      SHA512

      2c79a18fdca6143decb542aabc5da4215143ccf8f9ab74156e58c688e99e5741b79bff1697ac7c11a0dd622bd0996d980f475b1f13be8a407b51038ad45b0f1a

    • C:\Windows\System\uTbUDxE.exe

      Filesize

      5.2MB

      MD5

      a363c661c53db3ff8369c1a2f5414204

      SHA1

      666e1c1ee9cd7454c2e79560307554902cfb2d8b

      SHA256

      a2a4d411455cd75fc030be3d0917e67125406f98736e184b7391af9171694fa9

      SHA512

      871c276923aa786ba810fa2a607e7e03266f8ef147a0e702b695e1db813fde7645fb5c3a3b896f8862e2ef48125c8550583896961e54a7a0126f0ebe0b036954

    • C:\Windows\System\wgCnGuY.exe

      Filesize

      5.2MB

      MD5

      4ffd1c8e3a1c3b3c01a5cd4ac884c46a

      SHA1

      bdf8c52877488208203504a7d1bcd621f0d2f90b

      SHA256

      eabc61c3a4f4eabcfb63019a9a159460b910276259109b7ec4a06950e44abba5

      SHA512

      954f47f4f20b3f69000eaa1b3750d132f8f9c25b14f3dca8028568fb6cc2c45d0716d5e9518dd9abf88552bb2835857e4817ca4286540b9061375109ee23f717

    • C:\Windows\System\zEIlgpV.exe

      Filesize

      5.2MB

      MD5

      0e8276620e8b4ec3f12038862c322fa9

      SHA1

      a6415b588ad13dbdef58d865ca7bb59f77c91b42

      SHA256

      88edaa5ef204fa7225c8e5369ffbe6d19334d66dfe1dd87f2ae30fcefebea320

      SHA512

      f6c0096830020d6f487cd525ddf571193795f237ff11f7d918c6f1f5b92b2a888462b305cd3c00626485f3bf23040f0af12c7db0ec4608762a271a0aa171d597

    • memory/952-136-0x00007FF61FD20000-0x00007FF620071000-memory.dmp

      Filesize

      3.3MB

    • memory/952-86-0x00007FF61FD20000-0x00007FF620071000-memory.dmp

      Filesize

      3.3MB

    • memory/952-221-0x00007FF61FD20000-0x00007FF620071000-memory.dmp

      Filesize

      3.3MB

    • memory/1020-139-0x00007FF6D8CA0000-0x00007FF6D8FF1000-memory.dmp

      Filesize

      3.3MB

    • memory/1020-236-0x00007FF6D8CA0000-0x00007FF6D8FF1000-memory.dmp

      Filesize

      3.3MB

    • memory/1208-216-0x00007FF631CF0000-0x00007FF632041000-memory.dmp

      Filesize

      3.3MB

    • memory/1208-71-0x00007FF631CF0000-0x00007FF632041000-memory.dmp

      Filesize

      3.3MB

    • memory/1208-135-0x00007FF631CF0000-0x00007FF632041000-memory.dmp

      Filesize

      3.3MB

    • memory/1512-80-0x00007FF668FD0000-0x00007FF669321000-memory.dmp

      Filesize

      3.3MB

    • memory/1512-210-0x00007FF668FD0000-0x00007FF669321000-memory.dmp

      Filesize

      3.3MB

    • memory/1672-89-0x00007FF6C8230000-0x00007FF6C8581000-memory.dmp

      Filesize

      3.3MB

    • memory/1672-232-0x00007FF6C8230000-0x00007FF6C8581000-memory.dmp

      Filesize

      3.3MB

    • memory/1672-137-0x00007FF6C8230000-0x00007FF6C8581000-memory.dmp

      Filesize

      3.3MB

    • memory/1856-199-0x00007FF7F4540000-0x00007FF7F4891000-memory.dmp

      Filesize

      3.3MB

    • memory/1856-15-0x00007FF7F4540000-0x00007FF7F4891000-memory.dmp

      Filesize

      3.3MB

    • memory/1856-125-0x00007FF7F4540000-0x00007FF7F4891000-memory.dmp

      Filesize

      3.3MB

    • memory/2576-237-0x00007FF6C16A0000-0x00007FF6C19F1000-memory.dmp

      Filesize

      3.3MB

    • memory/2576-87-0x00007FF6C16A0000-0x00007FF6C19F1000-memory.dmp

      Filesize

      3.3MB

    • memory/2576-140-0x00007FF6C16A0000-0x00007FF6C19F1000-memory.dmp

      Filesize

      3.3MB

    • memory/2740-218-0x00007FF7B1DF0000-0x00007FF7B2141000-memory.dmp

      Filesize

      3.3MB

    • memory/2740-69-0x00007FF7B1DF0000-0x00007FF7B2141000-memory.dmp

      Filesize

      3.3MB

    • memory/2768-219-0x00007FF7278F0000-0x00007FF727C41000-memory.dmp

      Filesize

      3.3MB

    • memory/2768-81-0x00007FF7278F0000-0x00007FF727C41000-memory.dmp

      Filesize

      3.3MB

    • memory/2896-203-0x00007FF654A40000-0x00007FF654D91000-memory.dmp

      Filesize

      3.3MB

    • memory/2896-126-0x00007FF654A40000-0x00007FF654D91000-memory.dmp

      Filesize

      3.3MB

    • memory/2896-25-0x00007FF654A40000-0x00007FF654D91000-memory.dmp

      Filesize

      3.3MB

    • memory/2916-141-0x00007FF659300000-0x00007FF659651000-memory.dmp

      Filesize

      3.3MB

    • memory/2916-229-0x00007FF659300000-0x00007FF659651000-memory.dmp

      Filesize

      3.3MB

    • memory/3216-228-0x00007FF6B9280000-0x00007FF6B95D1000-memory.dmp

      Filesize

      3.3MB

    • memory/3216-142-0x00007FF6B9280000-0x00007FF6B95D1000-memory.dmp

      Filesize

      3.3MB

    • memory/3320-0-0x00007FF790CC0000-0x00007FF791011000-memory.dmp

      Filesize

      3.3MB

    • memory/3320-1-0x00000239783C0000-0x00000239783D0000-memory.dmp

      Filesize

      64KB

    • memory/3320-123-0x00007FF790CC0000-0x00007FF791011000-memory.dmp

      Filesize

      3.3MB

    • memory/3320-151-0x00007FF790CC0000-0x00007FF791011000-memory.dmp

      Filesize

      3.3MB

    • memory/3320-88-0x00007FF790CC0000-0x00007FF791011000-memory.dmp

      Filesize

      3.3MB

    • memory/3680-201-0x00007FF7A1280000-0x00007FF7A15D1000-memory.dmp

      Filesize

      3.3MB

    • memory/3680-127-0x00007FF7A1280000-0x00007FF7A15D1000-memory.dmp

      Filesize

      3.3MB

    • memory/3680-33-0x00007FF7A1280000-0x00007FF7A15D1000-memory.dmp

      Filesize

      3.3MB

    • memory/3948-124-0x00007FF660F10000-0x00007FF661261000-memory.dmp

      Filesize

      3.3MB

    • memory/3948-8-0x00007FF660F10000-0x00007FF661261000-memory.dmp

      Filesize

      3.3MB

    • memory/3948-197-0x00007FF660F10000-0x00007FF661261000-memory.dmp

      Filesize

      3.3MB

    • memory/4128-213-0x00007FF723EF0000-0x00007FF724241000-memory.dmp

      Filesize

      3.3MB

    • memory/4128-129-0x00007FF723EF0000-0x00007FF724241000-memory.dmp

      Filesize

      3.3MB

    • memory/4128-34-0x00007FF723EF0000-0x00007FF724241000-memory.dmp

      Filesize

      3.3MB

    • memory/4240-144-0x00007FF7DE890000-0x00007FF7DEBE1000-memory.dmp

      Filesize

      3.3MB

    • memory/4240-224-0x00007FF7DE890000-0x00007FF7DEBE1000-memory.dmp

      Filesize

      3.3MB

    • memory/4400-138-0x00007FF7C3E90000-0x00007FF7C41E1000-memory.dmp

      Filesize

      3.3MB

    • memory/4400-233-0x00007FF7C3E90000-0x00007FF7C41E1000-memory.dmp

      Filesize

      3.3MB

    • memory/4480-207-0x00007FF712370000-0x00007FF7126C1000-memory.dmp

      Filesize

      3.3MB

    • memory/4480-130-0x00007FF712370000-0x00007FF7126C1000-memory.dmp

      Filesize

      3.3MB

    • memory/4480-45-0x00007FF712370000-0x00007FF7126C1000-memory.dmp

      Filesize

      3.3MB

    • memory/4624-225-0x00007FF71C5E0000-0x00007FF71C931000-memory.dmp

      Filesize

      3.3MB

    • memory/4624-143-0x00007FF71C5E0000-0x00007FF71C931000-memory.dmp

      Filesize

      3.3MB

    • memory/4832-128-0x00007FF6A9E20000-0x00007FF6AA171000-memory.dmp

      Filesize

      3.3MB

    • memory/4832-38-0x00007FF6A9E20000-0x00007FF6AA171000-memory.dmp

      Filesize

      3.3MB

    • memory/4832-206-0x00007FF6A9E20000-0x00007FF6AA171000-memory.dmp

      Filesize

      3.3MB

    • memory/4884-131-0x00007FF61EDC0000-0x00007FF61F111000-memory.dmp

      Filesize

      3.3MB

    • memory/4884-61-0x00007FF61EDC0000-0x00007FF61F111000-memory.dmp

      Filesize

      3.3MB

    • memory/4884-211-0x00007FF61EDC0000-0x00007FF61F111000-memory.dmp

      Filesize

      3.3MB