Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/10/2024, 11:44

General

  • Target

    2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    0cd80e2cdb30e9b76d22bb3c1908858e

  • SHA1

    ea3204c085028411152f25ca9da52981b4bf9789

  • SHA256

    a9f13cd1daa00a11d71ce2d1f3fda74900bb4a5be35ebe6d6701df9b1b9308f5

  • SHA512

    f76d174ecc6d6c323d6cb2034cec095d6fd0566dfc576cbfac1e587240e9c5a2a2d1e020e516ce036adb25a13ed49af093948e0e144e0953692062f1848d231b

  • SSDEEP

    49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ln:RWWBibd56utgpPFotBER/mQ32lUj

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 45 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Windows\System\kHnGXGw.exe
      C:\Windows\System\kHnGXGw.exe
      2⤵
      • Executes dropped EXE
      PID:1048
    • C:\Windows\System\zyJQFjR.exe
      C:\Windows\System\zyJQFjR.exe
      2⤵
      • Executes dropped EXE
      PID:2928
    • C:\Windows\System\fsqoRzg.exe
      C:\Windows\System\fsqoRzg.exe
      2⤵
      • Executes dropped EXE
      PID:5060
    • C:\Windows\System\LUITuWs.exe
      C:\Windows\System\LUITuWs.exe
      2⤵
      • Executes dropped EXE
      PID:2316
    • C:\Windows\System\MOecgQT.exe
      C:\Windows\System\MOecgQT.exe
      2⤵
      • Executes dropped EXE
      PID:1460
    • C:\Windows\System\FXeidgD.exe
      C:\Windows\System\FXeidgD.exe
      2⤵
      • Executes dropped EXE
      PID:3884
    • C:\Windows\System\WlrdmpY.exe
      C:\Windows\System\WlrdmpY.exe
      2⤵
      • Executes dropped EXE
      PID:2876
    • C:\Windows\System\xqjmWYR.exe
      C:\Windows\System\xqjmWYR.exe
      2⤵
      • Executes dropped EXE
      PID:2620
    • C:\Windows\System\guudmYD.exe
      C:\Windows\System\guudmYD.exe
      2⤵
      • Executes dropped EXE
      PID:4140
    • C:\Windows\System\FYtfVUd.exe
      C:\Windows\System\FYtfVUd.exe
      2⤵
      • Executes dropped EXE
      PID:4816
    • C:\Windows\System\nArzAfI.exe
      C:\Windows\System\nArzAfI.exe
      2⤵
      • Executes dropped EXE
      PID:3216
    • C:\Windows\System\DUsvgvx.exe
      C:\Windows\System\DUsvgvx.exe
      2⤵
      • Executes dropped EXE
      PID:2920
    • C:\Windows\System\bFJetjc.exe
      C:\Windows\System\bFJetjc.exe
      2⤵
      • Executes dropped EXE
      PID:1076
    • C:\Windows\System\kliznop.exe
      C:\Windows\System\kliznop.exe
      2⤵
      • Executes dropped EXE
      PID:1576
    • C:\Windows\System\TUuFGvR.exe
      C:\Windows\System\TUuFGvR.exe
      2⤵
      • Executes dropped EXE
      PID:3636
    • C:\Windows\System\IdQMgPl.exe
      C:\Windows\System\IdQMgPl.exe
      2⤵
      • Executes dropped EXE
      PID:4820
    • C:\Windows\System\clpXIry.exe
      C:\Windows\System\clpXIry.exe
      2⤵
      • Executes dropped EXE
      PID:1476
    • C:\Windows\System\hcAUOws.exe
      C:\Windows\System\hcAUOws.exe
      2⤵
      • Executes dropped EXE
      PID:1612
    • C:\Windows\System\lLGfCfI.exe
      C:\Windows\System\lLGfCfI.exe
      2⤵
      • Executes dropped EXE
      PID:2368
    • C:\Windows\System\GNojxul.exe
      C:\Windows\System\GNojxul.exe
      2⤵
      • Executes dropped EXE
      PID:2412
    • C:\Windows\System\aNnvcJH.exe
      C:\Windows\System\aNnvcJH.exe
      2⤵
      • Executes dropped EXE
      PID:4524

Network

        MITRE ATT&CK Matrix

        Downloads
