Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/10/2024, 11:46

General

  • Target

    2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    27044029b7bc7f2761e7d8103b26ddd8

  • SHA1

    a648c5ea9bac0a79043fda1a3cfe630ebe313baf

  • SHA256

    9bd8e2de1d92fd326b3e8314dd7dd793599cf03f73413998febb72731bf07e2a

  • SHA512

    c840ab8b493599d5ed48d660ad164fde5247d67e352e692c674037724259741f43b3beea0cd741982df21536a78b77121e3c75049551be7e8bf94db0bb6acf8f

  • SSDEEP

    49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lk:RWWBibd56utgpPFotBER/mQ32lUo

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader (21 IoCs)

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload (45 IoCs)
  • Executes dropped EXE (21 IoCs)
  • UPX packed file (64 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory (21 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (42 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\System\QdudlAd.exe
      C:\Windows\System\QdudlAd.exe
      2⤵
      • Executes dropped EXE
      PID:4884
    • C:\Windows\System\KkLfGFM.exe
      C:\Windows\System\KkLfGFM.exe
      2⤵
      • Executes dropped EXE
      PID:452
    • C:\Windows\System\aNafrgt.exe
      C:\Windows\System\aNafrgt.exe
      2⤵
      • Executes dropped EXE
      PID:2960
    • C:\Windows\System\OxufWsI.exe
      C:\Windows\System\OxufWsI.exe
      2⤵
      • Executes dropped EXE
      PID:4428
    • C:\Windows\System\QBgFWac.exe
      C:\Windows\System\QBgFWac.exe
      2⤵
      • Executes dropped EXE
      PID:4220
    • C:\Windows\System\dsLOwQj.exe
      C:\Windows\System\dsLOwQj.exe
      2⤵
      • Executes dropped EXE
      PID:4448
    • C:\Windows\System\jNwpEeP.exe
      C:\Windows\System\jNwpEeP.exe
      2⤵
      • Executes dropped EXE
      PID:4660
    • C:\Windows\System\MbvTmkn.exe
      C:\Windows\System\MbvTmkn.exe
      2⤵
      • Executes dropped EXE
      PID:2992
    • C:\Windows\System\sGSvfuQ.exe
      C:\Windows\System\sGSvfuQ.exe
      2⤵
      • Executes dropped EXE
      PID:2236
    • C:\Windows\System\GQIrzJi.exe
      C:\Windows\System\GQIrzJi.exe
      2⤵
      • Executes dropped EXE
      PID:4140
    • C:\Windows\System\hHJaMWr.exe
      C:\Windows\System\hHJaMWr.exe
      2⤵
      • Executes dropped EXE
      PID:3688
    • C:\Windows\System\mkoLIzy.exe
      C:\Windows\System\mkoLIzy.exe
      2⤵
      • Executes dropped EXE
      PID:4636
    • C:\Windows\System\rGHKhBf.exe
      C:\Windows\System\rGHKhBf.exe
      2⤵
      • Executes dropped EXE
      PID:3220
    • C:\Windows\System\RoaCGdL.exe
      C:\Windows\System\RoaCGdL.exe
      2⤵
      • Executes dropped EXE
      PID:3248
    • C:\Windows\System\YDqQKQx.exe
      C:\Windows\System\YDqQKQx.exe
      2⤵
      • Executes dropped EXE
      PID:1816
    • C:\Windows\System\ceDUBlj.exe
      C:\Windows\System\ceDUBlj.exe
      2⤵
      • Executes dropped EXE
      PID:5000
    • C:\Windows\System\uhSEQgy.exe
      C:\Windows\System\uhSEQgy.exe
      2⤵
      • Executes dropped EXE
      PID:3828
    • C:\Windows\System\SUVPotj.exe
      C:\Windows\System\SUVPotj.exe
      2⤵
      • Executes dropped EXE
      PID:4952
    • C:\Windows\System\jMxAtqj.exe
      C:\Windows\System\jMxAtqj.exe
      2⤵
      • Executes dropped EXE
      PID:3476
    • C:\Windows\System\DTwjbuw.exe
      C:\Windows\System\DTwjbuw.exe
      2⤵
      • Executes dropped EXE
      PID:1692
    • C:\Windows\System\ycAfikw.exe
      C:\Windows\System\ycAfikw.exe
      2⤵
      • Executes dropped EXE
      PID:1764


        Downloads
