Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/10/2024, 08:09

General

  • Target

    2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.9MB

  • MD5

    79cfa455a7475312ddd7046196206b64

  • SHA1

    6445efa927d97ca04df74ac8a0ebd63708a32c90

  • SHA256

    b4fa2fb5b500915e79f08d7ae82fe28c8b89bdea6fdb905dcf929765daa037bf

  • SHA512

    41c254e79265e899217662c51f4bbd6e67d1b269a4e0b3f576878c63399b96ac1cf063925894747f6faf838a631715e598b8cb7bfb1c31a4dfd4843b76acf6af

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUM:Q+856utgpPF8u/7M

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Cobaltstrike family
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-26_79cfa455a7475312ddd7046196206b64_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\System\YTbEkPC.exe
      C:\Windows\System\YTbEkPC.exe
      2⤵
      • Executes dropped EXE
      PID:2076
    • C:\Windows\System\tIaYhHq.exe
      C:\Windows\System\tIaYhHq.exe
      2⤵
      • Executes dropped EXE
      PID:4476
    • C:\Windows\System\PVxXWGp.exe
      C:\Windows\System\PVxXWGp.exe
      2⤵
      • Executes dropped EXE
      PID:2740
    • C:\Windows\System\bBZblvc.exe
      C:\Windows\System\bBZblvc.exe
      2⤵
      • Executes dropped EXE
      PID:4192
    • C:\Windows\System\nDEcwty.exe
      C:\Windows\System\nDEcwty.exe
      2⤵
      • Executes dropped EXE
      PID:5084
    • C:\Windows\System\XTVWKmc.exe
      C:\Windows\System\XTVWKmc.exe
      2⤵
      • Executes dropped EXE
      PID:564
    • C:\Windows\System\SOkhteF.exe
      C:\Windows\System\SOkhteF.exe
      2⤵
      • Executes dropped EXE
      PID:4724
    • C:\Windows\System\EMMVihc.exe
      C:\Windows\System\EMMVihc.exe
      2⤵
      • Executes dropped EXE
      PID:4912
    • C:\Windows\System\btrTfKH.exe
      C:\Windows\System\btrTfKH.exe
      2⤵
      • Executes dropped EXE
      PID:2088
    • C:\Windows\System\RiiBeas.exe
      C:\Windows\System\RiiBeas.exe
      2⤵
      • Executes dropped EXE
      PID:1444
    • C:\Windows\System\PgIFhUg.exe
      C:\Windows\System\PgIFhUg.exe
      2⤵
      • Executes dropped EXE
      PID:1780
    • C:\Windows\System\pIYyiRC.exe
      C:\Windows\System\pIYyiRC.exe
      2⤵
      • Executes dropped EXE
      PID:100
    • C:\Windows\System\XEuZzSH.exe
      C:\Windows\System\XEuZzSH.exe
      2⤵
      • Executes dropped EXE
      PID:4244
    • C:\Windows\System\RQeGoSC.exe
      C:\Windows\System\RQeGoSC.exe
      2⤵
      • Executes dropped EXE
      PID:2084
    • C:\Windows\System\fIVqvmO.exe
      C:\Windows\System\fIVqvmO.exe
      2⤵
      • Executes dropped EXE
      PID:2676
    • C:\Windows\System\QLXczht.exe
      C:\Windows\System\QLXczht.exe
      2⤵
      • Executes dropped EXE
      PID:924
    • C:\Windows\System\PqiiUlk.exe
      C:\Windows\System\PqiiUlk.exe
      2⤵
      • Executes dropped EXE
      PID:1620
    • C:\Windows\System\qXOJkBA.exe
      C:\Windows\System\qXOJkBA.exe
      2⤵
      • Executes dropped EXE
      PID:464
    • C:\Windows\System\fVRVBOM.exe
      C:\Windows\System\fVRVBOM.exe
      2⤵
      • Executes dropped EXE
      PID:652
    • C:\Windows\System\CBUMvsu.exe
      C:\Windows\System\CBUMvsu.exe
      2⤵
      • Executes dropped EXE
      PID:2268
    • C:\Windows\System\dAcnonA.exe
      C:\Windows\System\dAcnonA.exe
      2⤵
      • Executes dropped EXE
      PID:3832

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\System\CBUMvsu.exe

          Filesize

          5.9MB

          MD5

          3d81d419eb4d38e06fa9432a063a343b

          SHA1

          3f2898ca7d20ee013d39cdae71745e0a072e22e7

          SHA256

          9fa1fb5cd7c94a18933532ac3254ec3fc6dec0e8eca84179b1eb1768093eb4e3

          SHA512

          e2dd8599eca2bbd7054827d34670759f613f6ab25b0908b2d02c095c32cfae8aa050ad1de6dae4ab6c968b0418c5ed3f981c6ccc219ec9197288c0d6139ca185

        • C:\Windows\System\EMMVihc.exe

          Filesize

          5.9MB

          MD5

          542fee9f4589ff5906d816474c1af4e3

          SHA1

          c157fcb7c7c9cae74c8ccce5229d84027d682ac4

          SHA256

          bdb60821794d34de6249d90cd5e42809eee7c1969fc8a82418c25a30968b7c30

          SHA512

          08c55a0584b929d3a693b3200aa42838a47df7dd3483662d0e4a80aba1a30f2c409e12603781231bf532efc9ddbfff3c77d8211772477d4225c55297c9c57e6b

        • C:\Windows\System\PVxXWGp.exe

          Filesize

          5.9MB

          MD5

          677599c398b0f0b609a618a0e1fcea3c

          SHA1

          c0663243544a0dc22e687be0f5142c9df21d8d0f

          SHA256

          0eafb559a25ad592648fccf582454220d2761b46f77c5fad89195c9e9c48c2b5

          SHA512

          4e33bc13204020e39fa4cd12522af809ea09e901153c727ee30265b6914f365c6d15dc7d0096cebc8ff7564a5e574c4f57a9c258c9b1323a789493d9b3fee281

        • C:\Windows\System\PgIFhUg.exe

          Filesize

          5.9MB

          MD5

          6001b10572dcaf7012234360d3b6140b

          SHA1

          59ef2de36af5a65f4c8729ee36a229c47393db9b

          SHA256

          730565fbc5acb340611489f2cc798131b02d0fd91250f6ac1a82ee85c0b54da4

          SHA512

          79e1c5de0c461de5012cee211175643f557628c66bc86c7dc878342a18cf03ee1cc6a6f395c2ece38114116e8d3066734a249623b4fb2f8f26ecf7202052b3e2

        • C:\Windows\System\PqiiUlk.exe

          Filesize

          5.9MB

          MD5

          3f658c0f6bee5188ebae59dc0cde0bad

          SHA1

          133cb7623374adcb879a7aca88817930fe0aee9d

          SHA256

          285ec3548ea9d0834c30c60deb8fb39e700b7da858f4b858c2a828c3d7fa4bad

          SHA512

          81d059c4ba391a7ae51a5de0f056039bbd916f1ee98bd1719be5fe6fe7f776f93cf143909c1085f386c3a74782fd0c63a323d4fff3a4876463a82a81a3335434

        • C:\Windows\System\QLXczht.exe

          Filesize

          5.9MB

          MD5

          e6ba6c64202c45ce190b2eda1638c3f4

          SHA1

          bf32902f374af113ec9172be7a1fd5bae4a0cc40

          SHA256

          4e98b665c6e04d5ac618bd89f0c27e58f3c24b75e9ab0d8d179f1586d79064ed

          SHA512

          00b6b0b4f975f03f9819f2cd2ae10498c21d3cfed4df0d282dc04b92ecb416dcc28a411edce8a8ed62e0cc13364237a627ef00a473862635741eb5a47bdd95af

        • C:\Windows\System\RQeGoSC.exe

          Filesize

          5.9MB

          MD5

          4d5df144fd633a324a08e89e1b7ee699

          SHA1

          69d740b4c0eb8540409179722473be2633ef1a32

          SHA256

          ebf6d814383afc3ba5e242efde13aecbee03ac590bbf292cc084cb2db1b0f01b

          SHA512

          7b4d4a37d95dda5cbf0b132376a74b83243f2f9ffba34c7ccdb91613742c288b48063c6fd1b9efdd4725426b59e5e116778bed242e7371406dd405d3576a298c

        • C:\Windows\System\RiiBeas.exe

          Filesize

          5.9MB

          MD5

          2fd724adaaee04b4eaea3c70b65018d8

          SHA1

          044d38b465cb4843e087d85d4abc9f67372649dd

          SHA256

          83a379108aaf46bf2d7be97965d6e4737c2aac64f7bb287ec31bf54c0978b735

          SHA512

          a66b0d7e8357348dcdce8e7c650b5f000e994a6ace55d01d7d2efdd75ec62156a46a475214c822ade219449470b59633ab69900fcebba4713d1a630375c5ecf6

        • C:\Windows\System\SOkhteF.exe

          Filesize

          5.9MB

          MD5

          5b4a909a6c9f1b3ea3dd4d19c964a183

          SHA1

          140c96e512c141410e2a6c7faa1dff5918bff700

          SHA256

          05124766391d6320478be8183b8ebf673aa1183191a94e25ac8a4e632c572d13

          SHA512

          400b50bacf5c8104cb75f7b434d844eeaa9a9ef2c63fdcbcae6af54d9faa20e493cb1557026d1038f81ef61dbc890c0f3894e75171d96e7f1666a01cc5dab305

        • C:\Windows\System\XEuZzSH.exe

          Filesize

          5.9MB

          MD5

          57e34f6db90145013d23c873a9c3ef04

          SHA1

          e3afd3ea016c4fb6c31fc08056b9db2b5b133260

          SHA256

          beca7bb084927228f6049ec8b4157a3ea60d33debc1520b146481fa57bc0f80f

          SHA512

          6b5cd0165b92f6e375ad86401022820f7ea6afae573416efbee1e33fa70ff1080c10654339b1f50a4360e64307394e90086f75d995df4bc58a2a684c79693345

        • C:\Windows\System\XTVWKmc.exe

          Filesize

          5.9MB

          MD5

          879a8abf41bd39bd2f43d9fb6d0f5446

          SHA1

          119857551598ed85aa7b8a72b6e0513c50f36347

          SHA256

          041839934a5ca715233dc2badca664d7e1b8a57df30245c45ee31eb1435ed147

          SHA512

          a28d26c3da9f08b25ead51ddbc909f91207c6a0f1f70e900e841d08c899a3ebfa28e7542b40c6a73eb7d052d502fbe2da9ad1a9f2e1d2f81a19399128283efe5

        • C:\Windows\System\YTbEkPC.exe

          Filesize

          5.9MB

          MD5

          dd66a2c5322056d989dcc480853af3e3

          SHA1

          bc4ef536f6d13751670b4d6ec24481acb9c2faed

          SHA256

          8d03b108ad39483a18c8df9f34468c833a50093aaf658682c25b32487af5b80e

          SHA512

          a87bb287b151e2bba1c1f311e7e924a9469c01bffff7951549fd9506629b915808fa27b07927a55d4773521d26cd82d87aceb5e3aca749de99e3a2e5cde4730c

        • C:\Windows\System\bBZblvc.exe

          Filesize

          5.9MB

          MD5

          1a6ce6156dc8d8ad34633976fa603b72

          SHA1

          b1866ad4b5b293bb24c15eb64ae69da7e8c093bf

          SHA256

          8eba42e4c0b381994730b415027c7bf81a63f85bf3fc23939684e8cdec019946

          SHA512

          65027670c0b76d62f050576f600a8863dadbf28804832175befe3e67d7ccb7f15cad980a2265c8049728c578e6ab8c4aa55d3d440de0682da99b99cd1965a362

        • C:\Windows\System\btrTfKH.exe

          Filesize

          5.9MB

          MD5

          401418ec7479777cfd10b176e53ff207

          SHA1

          45eaed19818a695cadcc38e7bba71ec816b6be8e

          SHA256

          0be2f8fda6eb74b4b574e87c673e13232922b07260a39ed278a5a1477ec51baf

          SHA512

          1f2dccc7f6261e25274a0aebe3dbcfc8ee3bcf782659cf64d216b29b36cdd0efb8a522f4ddd2eea2fbae142ad7e00329f2b3bfe6a64bf8150bcd5e37e249e9e5

        • C:\Windows\System\dAcnonA.exe

          Filesize

          5.9MB

          MD5

          fc5133fa2746a1350451e57490df69d6

          SHA1

          03365b7a4decb1346179bed7db62b254332a73ad

          SHA256

          2b60bd382d39dd8bdc948efff989cdff809496db0c55c191d344e63609ee66da

          SHA512

          0a11422f23db3b1acf214d793d8bdc9e9f7bb71c254be3ccaa949c5db76c3862b0ffb8f75a8aebae104bce69ac4e23cece124f0c9ef8500a7b740a9adf716414

        • C:\Windows\System\fIVqvmO.exe

          Filesize

          5.9MB

          MD5

          94b1ee4c7013549f38343c2d46287ace

          SHA1

          3c7f01dbbc98645cfe4e86b2128e4c97dade5f1e

          SHA256

          3263c262871ee8a6fb4b0932580dc33cea41c801e2c7b05469059d4cd1748893

          SHA512

          1c3914b9d7e3eb19d8884b019a6a43c8c76216765541cd0145814776cc9010dc0e95189133a471ed2ad131d3153883e750e7e743b2afc0553e95cd4ace922bd1

        • C:\Windows\System\fVRVBOM.exe

          Filesize

          5.9MB

          MD5

          57942433141b6f0942e6eb324c73bf3c

          SHA1

          c9c87b235c3fc0e5d8368bac4f7b662c25d1d0ac

          SHA256

          5183db18d45d94faed9f2cf16ff96c923a2381aa8adf3b7404ff2572d2362b18

          SHA512

          c073749503cfec3776bdce8369254c7abafa4e1259bd87881482248e682ee06061db350d405577e2fe55046b485fb4c2df6d4807f6a7b9088495da538a1d39de

        • C:\Windows\System\nDEcwty.exe

          Filesize

          5.9MB

          MD5

          4e107e092f20d8dd52812cd848a0055d

          SHA1

          680385cfb451bbfcec994617b947426b505346a4

          SHA256

          d9b34fccc23e967380eddcf665b6f05b8e2f592e51988e86c6f7af70b3ac3e56

          SHA512

          88502aa64806d490904ca82c1b659da08cf49a3d83ad49bb0b8b3029c4156c7926af84f8954dd76550931093a6f6fce612f1300eb1148cdc248c78c86299b012

        • C:\Windows\System\pIYyiRC.exe

          Filesize

          5.9MB

          MD5

          bc3aee856a70d0f8cc2e1a0baef0e88a

          SHA1

          d2a5cfe8fbd36f8df82f467b31f3d1ffd0048b69

          SHA256

          b14d24b060f792ede7d3cc5b2ee09cc26e739a9f6560d87a5222b36956895a05

          SHA512

          8765fcd5db25c5fbe761734495efe4ff8107a094bde7867305c7dbbe152223b183ff9820acf1f76ba8168049ab52ba04cff0477424ed2419f4a49054050c81b1

        • C:\Windows\System\qXOJkBA.exe

          Filesize

          5.9MB

          MD5

          63625f67893c95577b3d385396923960

          SHA1

          451d7bd856b2354be8dc411edbe355c16c96a414

          SHA256

          c9f4b9917f8c264113885de6885ba8ce54621536df5b343e16f7a1856f76b0ee

          SHA512

          ef346660e18789848c9057e17360bdb5efee87f06c8d8d4984eb4f61f44f32e20a9f0f4218727c401041087578404b183c678dffcd96187d558f54316dcbd0d6

        • C:\Windows\System\tIaYhHq.exe

          Filesize

          5.9MB

          MD5

          e469b3a46ccd6220eb3c3c4f49695417

          SHA1

          3067ff8585b60f00c46ee5912802ff2137e404b7

          SHA256

          b7137a423c21d2c769ebdea5e06e30f7750515b357d066a9c26cddabe4253303

          SHA512

          ffaea29f713ed333f0318c7a7817bb7a659c3e13f8e6ffdb7d826274e38f3e93cad139ba98ec53b7769442752c3ba3f8332700e48f99ef40c8602b04cab6247c

        • memory/100-124-0x00007FF6F4B80000-0x00007FF6F4ED4000-memory.dmp

          Filesize

          3.3MB

        • memory/100-158-0x00007FF6F4B80000-0x00007FF6F4ED4000-memory.dmp

          Filesize

          3.3MB

        • memory/100-76-0x00007FF6F4B80000-0x00007FF6F4ED4000-memory.dmp

          Filesize

          3.3MB

        • memory/464-117-0x00007FF75BD80000-0x00007FF75C0D4000-memory.dmp

          Filesize

          3.3MB

        • memory/464-143-0x00007FF75BD80000-0x00007FF75C0D4000-memory.dmp

          Filesize

          3.3MB

        • memory/464-164-0x00007FF75BD80000-0x00007FF75C0D4000-memory.dmp

          Filesize

          3.3MB

        • memory/564-36-0x00007FF7C0730000-0x00007FF7C0A84000-memory.dmp

          Filesize

          3.3MB

        • memory/564-152-0x00007FF7C0730000-0x00007FF7C0A84000-memory.dmp

          Filesize

          3.3MB

        • memory/564-90-0x00007FF7C0730000-0x00007FF7C0A84000-memory.dmp

          Filesize

          3.3MB

        • memory/652-125-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp

          Filesize

          3.3MB

        • memory/652-144-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp

          Filesize

          3.3MB

        • memory/652-165-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp

          Filesize

          3.3MB

        • memory/924-141-0x00007FF756070000-0x00007FF7563C4000-memory.dmp

          Filesize

          3.3MB

        • memory/924-162-0x00007FF756070000-0x00007FF7563C4000-memory.dmp

          Filesize

          3.3MB

        • memory/924-104-0x00007FF756070000-0x00007FF7563C4000-memory.dmp

          Filesize

          3.3MB

        • memory/1444-110-0x00007FF64C320000-0x00007FF64C674000-memory.dmp

          Filesize

          3.3MB

        • memory/1444-66-0x00007FF64C320000-0x00007FF64C674000-memory.dmp

          Filesize

          3.3MB

        • memory/1444-156-0x00007FF64C320000-0x00007FF64C674000-memory.dmp

          Filesize

          3.3MB

        • memory/1620-163-0x00007FF647590000-0x00007FF6478E4000-memory.dmp

          Filesize

          3.3MB

        • memory/1620-142-0x00007FF647590000-0x00007FF6478E4000-memory.dmp

          Filesize

          3.3MB

        • memory/1620-111-0x00007FF647590000-0x00007FF6478E4000-memory.dmp

          Filesize

          3.3MB

        • memory/1780-157-0x00007FF7A2710000-0x00007FF7A2A64000-memory.dmp

          Filesize

          3.3MB

        • memory/1780-75-0x00007FF7A2710000-0x00007FF7A2A64000-memory.dmp

          Filesize

          3.3MB

        • memory/1780-116-0x00007FF7A2710000-0x00007FF7A2A64000-memory.dmp

          Filesize

          3.3MB

        • memory/2076-148-0x00007FF7830C0000-0x00007FF783414000-memory.dmp

          Filesize

          3.3MB

        • memory/2076-52-0x00007FF7830C0000-0x00007FF783414000-memory.dmp

          Filesize

          3.3MB

        • memory/2076-6-0x00007FF7830C0000-0x00007FF783414000-memory.dmp

          Filesize

          3.3MB

        • memory/2084-160-0x00007FF67B2A0000-0x00007FF67B5F4000-memory.dmp

          Filesize

          3.3MB

        • memory/2084-92-0x00007FF67B2A0000-0x00007FF67B5F4000-memory.dmp

          Filesize

          3.3MB

        • memory/2088-61-0x00007FF7C1280000-0x00007FF7C15D4000-memory.dmp

          Filesize

          3.3MB

        • memory/2088-155-0x00007FF7C1280000-0x00007FF7C15D4000-memory.dmp

          Filesize

          3.3MB

        • memory/2088-103-0x00007FF7C1280000-0x00007FF7C15D4000-memory.dmp

          Filesize

          3.3MB

        • memory/2268-166-0x00007FF71A140000-0x00007FF71A494000-memory.dmp

          Filesize

          3.3MB

        • memory/2268-145-0x00007FF71A140000-0x00007FF71A494000-memory.dmp

          Filesize

          3.3MB

        • memory/2268-131-0x00007FF71A140000-0x00007FF71A494000-memory.dmp

          Filesize

          3.3MB

        • memory/2676-96-0x00007FF653140000-0x00007FF653494000-memory.dmp

          Filesize

          3.3MB

        • memory/2676-161-0x00007FF653140000-0x00007FF653494000-memory.dmp

          Filesize

          3.3MB

        • memory/2676-140-0x00007FF653140000-0x00007FF653494000-memory.dmp

          Filesize

          3.3MB

        • memory/2740-20-0x00007FF6AC250000-0x00007FF6AC5A4000-memory.dmp

          Filesize

          3.3MB

        • memory/2740-62-0x00007FF6AC250000-0x00007FF6AC5A4000-memory.dmp

          Filesize

          3.3MB

        • memory/2740-149-0x00007FF6AC250000-0x00007FF6AC5A4000-memory.dmp

          Filesize

          3.3MB

        • memory/2884-0-0x00007FF7F2C90000-0x00007FF7F2FE4000-memory.dmp

          Filesize

          3.3MB

        • memory/2884-46-0x00007FF7F2C90000-0x00007FF7F2FE4000-memory.dmp

          Filesize

          3.3MB

        • memory/2884-1-0x0000021CAFA20000-0x0000021CAFA30000-memory.dmp

          Filesize

          64KB

        • memory/3832-137-0x00007FF7B0150000-0x00007FF7B04A4000-memory.dmp

          Filesize

          3.3MB

        • memory/3832-146-0x00007FF7B0150000-0x00007FF7B04A4000-memory.dmp

          Filesize

          3.3MB

        • memory/3832-167-0x00007FF7B0150000-0x00007FF7B04A4000-memory.dmp

          Filesize

          3.3MB

        • memory/4192-150-0x00007FF784460000-0x00007FF7847B4000-memory.dmp

          Filesize

          3.3MB

        • memory/4192-31-0x00007FF784460000-0x00007FF7847B4000-memory.dmp

          Filesize

          3.3MB

        • memory/4192-67-0x00007FF784460000-0x00007FF7847B4000-memory.dmp

          Filesize

          3.3MB

        • memory/4244-136-0x00007FF79F8F0000-0x00007FF79FC44000-memory.dmp

          Filesize

          3.3MB

        • memory/4244-82-0x00007FF79F8F0000-0x00007FF79FC44000-memory.dmp

          Filesize

          3.3MB

        • memory/4244-159-0x00007FF79F8F0000-0x00007FF79FC44000-memory.dmp

          Filesize

          3.3MB

        • memory/4476-14-0x00007FF7ABD10000-0x00007FF7AC064000-memory.dmp

          Filesize

          3.3MB

        • memory/4476-147-0x00007FF7ABD10000-0x00007FF7AC064000-memory.dmp

          Filesize

          3.3MB

        • memory/4724-42-0x00007FF6D4200000-0x00007FF6D4554000-memory.dmp

          Filesize

          3.3MB

        • memory/4724-153-0x00007FF6D4200000-0x00007FF6D4554000-memory.dmp

          Filesize

          3.3MB

        • memory/4724-94-0x00007FF6D4200000-0x00007FF6D4554000-memory.dmp

          Filesize

          3.3MB

        • memory/4912-154-0x00007FF66CA70000-0x00007FF66CDC4000-memory.dmp

          Filesize

          3.3MB

        • memory/4912-47-0x00007FF66CA70000-0x00007FF66CDC4000-memory.dmp

          Filesize

          3.3MB

        • memory/4912-99-0x00007FF66CA70000-0x00007FF66CDC4000-memory.dmp

          Filesize

          3.3MB

        • memory/5084-32-0x00007FF6C8840000-0x00007FF6C8B94000-memory.dmp

          Filesize

          3.3MB

        • memory/5084-151-0x00007FF6C8840000-0x00007FF6C8B94000-memory.dmp

          Filesize

          3.3MB