Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/10/2024, 11:52

General

  • Target

    2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    bf492e8fe609314ea99cc11e57500cbd

  • SHA1

    26390a70811abcd773d86f6ccd79a35107b26329

  • SHA256

    ffce603765f6bad1f27321a2c7dbe428b7b7aa9d5d4a0ed78b83296fc3f236f1

  • SHA512

    fa819a7f32d42c0d34632fd3ab61da06543d5312020df70699f22669461048490a4d3e2b7692e5647ab813fb9b6be643e5b738742d882871cac01c4b49021aa7

  • SSDEEP

    49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l3:RWWBibd56utgpPFotBER/mQ32lUT

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 45 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Windows\System\sgLXlJp.exe
      C:\Windows\System\sgLXlJp.exe
      2⤵
      • Executes dropped EXE
      PID:1680
    • C:\Windows\System\PysYUSO.exe
      C:\Windows\System\PysYUSO.exe
      2⤵
      • Executes dropped EXE
      PID:2060
    • C:\Windows\System\bPyTItp.exe
      C:\Windows\System\bPyTItp.exe
      2⤵
      • Executes dropped EXE
      PID:2096
    • C:\Windows\System\SSbLcit.exe
      C:\Windows\System\SSbLcit.exe
      2⤵
      • Executes dropped EXE
      PID:4976
    • C:\Windows\System\SXWsWjj.exe
      C:\Windows\System\SXWsWjj.exe
      2⤵
      • Executes dropped EXE
      PID:5100
    • C:\Windows\System\judZQpF.exe
      C:\Windows\System\judZQpF.exe
      2⤵
      • Executes dropped EXE
      PID:2032
    • C:\Windows\System\jVcgHzc.exe
      C:\Windows\System\jVcgHzc.exe
      2⤵
      • Executes dropped EXE
      PID:3976
    • C:\Windows\System\QpMTLrz.exe
      C:\Windows\System\QpMTLrz.exe
      2⤵
      • Executes dropped EXE
      PID:952
    • C:\Windows\System\KeZKehj.exe
      C:\Windows\System\KeZKehj.exe
      2⤵
      • Executes dropped EXE
      PID:2160
    • C:\Windows\System\mKbVIXY.exe
      C:\Windows\System\mKbVIXY.exe
      2⤵
      • Executes dropped EXE
      PID:956
    • C:\Windows\System\mINPePc.exe
      C:\Windows\System\mINPePc.exe
      2⤵
      • Executes dropped EXE
      PID:2516
    • C:\Windows\System\CiwPRGi.exe
      C:\Windows\System\CiwPRGi.exe
      2⤵
      • Executes dropped EXE
      PID:3360
    • C:\Windows\System\urxkLVh.exe
      C:\Windows\System\urxkLVh.exe
      2⤵
      • Executes dropped EXE
      PID:1724
    • C:\Windows\System\WdvDejg.exe
      C:\Windows\System\WdvDejg.exe
      2⤵
      • Executes dropped EXE
      PID:4828
    • C:\Windows\System\cBSSSUg.exe
      C:\Windows\System\cBSSSUg.exe
      2⤵
      • Executes dropped EXE
      PID:1956
    • C:\Windows\System\RSQFjzT.exe
      C:\Windows\System\RSQFjzT.exe
      2⤵
      • Executes dropped EXE
      PID:2596
    • C:\Windows\System\JuCuLOO.exe
      C:\Windows\System\JuCuLOO.exe
      2⤵
      • Executes dropped EXE
      PID:1268
    • C:\Windows\System\hCAUkFI.exe
      C:\Windows\System\hCAUkFI.exe
      2⤵
      • Executes dropped EXE
      PID:3064
    • C:\Windows\System\ZBoluBS.exe
      C:\Windows\System\ZBoluBS.exe
      2⤵
      • Executes dropped EXE
      PID:1052
    • C:\Windows\System\MdReKcT.exe
      C:\Windows\System\MdReKcT.exe
      2⤵
      • Executes dropped EXE
      PID:776
    • C:\Windows\System\yaNuRZV.exe
      C:\Windows\System\yaNuRZV.exe
      2⤵
      • Executes dropped EXE
      PID:4536

Network

        MITRE ATT&CK Matrix

        Downloads
