Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/10/2024, 04:24

General

  • Target

    2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    ba2cfae820b48b90488536770b7d5b73

  • SHA1

    65ea5d166e2dce4eb49b24ddc0689c985e709f5d

  • SHA256

    953fed62f0a7328e96c4626e0bac4f00e3a427040f4467724b1c8a5ce1c76e8b

  • SHA512

    cdbdd3854d7a7ee8f82493df2d65381247c6df6971a69465a83a77b4034139555590c70734f1907614319ded59af030ab1bfb9eaa713626250ea3d72b4531392

  • SSDEEP

    49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l+:RWWBibd56utgpPFotBER/mQ32lUK

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Cobaltstrike family
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 45 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4516
    • C:\Windows\System\mRQLVRU.exe
      C:\Windows\System\mRQLVRU.exe
      2⤵
      • Executes dropped EXE
      PID:372
    • C:\Windows\System\vGlFjMQ.exe
      C:\Windows\System\vGlFjMQ.exe
      2⤵
      • Executes dropped EXE
      PID:4524
    • C:\Windows\System\GkLwGdC.exe
      C:\Windows\System\GkLwGdC.exe
      2⤵
      • Executes dropped EXE
      PID:4612
    • C:\Windows\System\DgxhDJt.exe
      C:\Windows\System\DgxhDJt.exe
      2⤵
      • Executes dropped EXE
      PID:2780
    • C:\Windows\System\wMdeBKq.exe
      C:\Windows\System\wMdeBKq.exe
      2⤵
      • Executes dropped EXE
      PID:2964
    • C:\Windows\System\GPBDtXJ.exe
      C:\Windows\System\GPBDtXJ.exe
      2⤵
      • Executes dropped EXE
      PID:2204
    • C:\Windows\System\iRrUCrO.exe
      C:\Windows\System\iRrUCrO.exe
      2⤵
      • Executes dropped EXE
      PID:2184
    • C:\Windows\System\DQhLWsb.exe
      C:\Windows\System\DQhLWsb.exe
      2⤵
      • Executes dropped EXE
      PID:972
    • C:\Windows\System\HRCpIfY.exe
      C:\Windows\System\HRCpIfY.exe
      2⤵
      • Executes dropped EXE
      PID:2364
    • C:\Windows\System\LjQiQzM.exe
      C:\Windows\System\LjQiQzM.exe
      2⤵
      • Executes dropped EXE
      PID:1604
    • C:\Windows\System\VnwJAtc.exe
      C:\Windows\System\VnwJAtc.exe
      2⤵
      • Executes dropped EXE
      PID:4744
    • C:\Windows\System\QysedPq.exe
      C:\Windows\System\QysedPq.exe
      2⤵
      • Executes dropped EXE
      PID:3732
    • C:\Windows\System\LYZnAmh.exe
      C:\Windows\System\LYZnAmh.exe
      2⤵
      • Executes dropped EXE
      PID:2820
    • C:\Windows\System\NOkWqTW.exe
      C:\Windows\System\NOkWqTW.exe
      2⤵
      • Executes dropped EXE
      PID:4316
    • C:\Windows\System\fHwxncM.exe
      C:\Windows\System\fHwxncM.exe
      2⤵
      • Executes dropped EXE
      PID:512
    • C:\Windows\System\KCQiTsV.exe
      C:\Windows\System\KCQiTsV.exe
      2⤵
      • Executes dropped EXE
      PID:4992
    • C:\Windows\System\MKhgWEn.exe
      C:\Windows\System\MKhgWEn.exe
      2⤵
      • Executes dropped EXE
      PID:4820
    • C:\Windows\System\cVfOTwD.exe
      C:\Windows\System\cVfOTwD.exe
      2⤵
      • Executes dropped EXE
      PID:2708
    • C:\Windows\System\zZrmOKH.exe
      C:\Windows\System\zZrmOKH.exe
      2⤵
      • Executes dropped EXE
      PID:5112
    • C:\Windows\System\QdNftHv.exe
      C:\Windows\System\QdNftHv.exe
      2⤵
      • Executes dropped EXE
      PID:3372
    • C:\Windows\System\ndrHcns.exe
      C:\Windows\System\ndrHcns.exe
      2⤵
      • Executes dropped EXE
      PID:4496

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\System\DQhLWsb.exe

          Filesize

          5.2MB

          MD5

          cf441bfa7e65c48abdc919b69694f922

          SHA1

          ad5874b4a5881ecefdada7f0fd18e4024f6ef765

          SHA256

          d92152641b93e00afbbe8c37c2e0069b1aece73a3b7789eff664bc7700d2ecd4

          SHA512

          e93c4678e183fb37dabaa308957ac1ba8eeb7d524e40088f7361a64c8f3d23a1188bd46713b52e9a68f7f5c553c8ab73a0ec698f7fa646035732d130479a708d

        • C:\Windows\System\DgxhDJt.exe

          Filesize

          5.2MB

          MD5

          e7ab49e273cc6abfec5ba44e0657b222

          SHA1

          7c87fe9a470d0cff16d2678e9b6ba2a2fa788283

          SHA256

          24af2bf4e2f2d01a4df9f45684785e190379ea157e2662fea346967d875ed835

          SHA512

          f1af31fc5849664683f4c564d6fbdd03ed8378a70634288924c7882fb2117e4756960afab2042fe8bca5e7e9aea4f544947b87a69dfb630db582e3ab7325af0d

        • C:\Windows\System\GPBDtXJ.exe

          Filesize

          5.2MB

          MD5

          5bd69306bfe3a3bb3dd7b1946bb97557

          SHA1

          1de90c05b54a18757e054ebae9dca2034ade5d20

          SHA256

          ebbba21aa8ada1b3b226cd1e0a2060152b6042ae1491766b202a794844210091

          SHA512

          5e255ba9cd0559ef5ce1532c96d298681cc3f9fd5ee1b73b61f3ac25448dc9bf3df43dee1699398b3c3a8cf6fa5780fb1ad35c29adfc55646ac1b4c68393efe8

        • C:\Windows\System\GkLwGdC.exe

          Filesize

          5.2MB

          MD5

          0fbeb471a644231f4410d7d29fade268

          SHA1

          afbead12b0fe5b8167640cf1c8623a2a62e8ab57

          SHA256

          a37303f66b38b3e1291767ca42f8cb5afa9e3a804b3c8dc69c9b22d47210a761

          SHA512

          65393efa2b57848f4de1f04504873d989955ab5e44fb813fdc2bf5057f4927294eebcfcb607af49fd2b692ac3160f665318fd7f6c7982a5a83ff615cf2c5978c

        • C:\Windows\System\HRCpIfY.exe

          Filesize

          5.2MB

          MD5

          84200ff8311afd0d50c67a30e139911a

          SHA1

          c05cc42b768356e0a2c0615329b0824c103df9c0

          SHA256

          56d2a047bc0f123e1b006042958dea1b681ef744c42bee2fbf4098193f4405dc

          SHA512

          27306e01381f89b8cfad5863a815edee7fe7de3570c66568947791d0c274866ae9f5b4b67442ccadd755087681ec88835f107034279133b55115a641545d7dc4

        • C:\Windows\System\KCQiTsV.exe

          Filesize

          5.2MB

          MD5

          1eaeb46198548a7b0ac38f28bc432f98

          SHA1

          d56a60055b82fafbd061cfcbfb8fd5c5304df8c8

          SHA256

          3b2b674d1f08387582d88b5a73b10d996a7ad511ab4eae2d975e877e01dd7edd

          SHA512

          77e5f11d0160855e61fc7a9037035c2c20309edc118a8c1f213e8de99f484c28873def1c47900743064025ef77573e5e30fdd8f8fdb7a2042fbcb20024999dc3

        • C:\Windows\System\LYZnAmh.exe

          Filesize

          5.2MB

          MD5

          04aa99884df19bc2a35ef0303678996f

          SHA1

          08e4f84b64886d110596e884000af0ae3dd23494

          SHA256

          9f0a0fd1972997f1cea5e31518a8a67fe168d0d98ae864c8b4e1d9c4db00069a

          SHA512

          aa663002b0808b99f488fc86db7f40fd12f7e0b8a13d7f59dd533b12ac5e2ab129c397d605b330eb7acd0bd5f232c51507be09304cbb35b0f3074d2b1f3164aa

        • C:\Windows\System\LjQiQzM.exe

          Filesize

          5.2MB

          MD5

          28c2a268709f39979e61fa35b569b919

          SHA1

          df03f63deb6c1ba0d1dc9f6ead12fcb1030d0356

          SHA256

          db3904f18d71ba50820db0cccd4cc274637fb53d5455f336cb9beddcf8627ca8

          SHA512

          48099b94dac5d219bc4e8d58ad705d37d54240e100715d0e114b008501fdc237c9302e8e1a926f21c00a8bbd21e6b11051d0abc5cd053d3a211887b52f91ceb5

        • C:\Windows\System\MKhgWEn.exe

          Filesize

          5.2MB

          MD5

          da3d556930b03ea63f54d1e77f313345

          SHA1

          bd77a2e54d1044ae1302c29d676698eb1b40ec26

          SHA256

          318e48ed9e7305c55ebd954e283e073392e61b3b4e7a5db3c74d492d16293923

          SHA512

          09fe4903913a16f56a44abd2adecfb3418aa24177b1b8f0b6b5268d522a1fb22c8f39f70b8a0a04f887553ee46f247fcac94aabbe2d804ec7f323f56fd3c20e3

        • C:\Windows\System\NOkWqTW.exe

          Filesize

          5.2MB

          MD5

          84951bceaaf1a164418d439bfe8dea24

          SHA1

          0ba5a3f1a613267d9dc52a1788ae6066e27cd073

          SHA256

          4fbcbcbd36a28bbdb3f9f7e28ec58e3197804259638946690cf6b9f42b73210f

          SHA512

          e2573decc80e3b68b44df1dd3ded48221ec6f4a193be649a8b38abd7c5c28bf5527e57478da1c26f190fc5a1b05c9f7248352d68a6cd5fb347f2762ee5a5781e

        • C:\Windows\System\QdNftHv.exe

          Filesize

          5.2MB

          MD5

          0e0fe668542a1061d86b2dd76e73d6f1

          SHA1

          e32a8003022eb8cffa3eade5d370773be5f42f2e

          SHA256

          c87fcda703358ba8aba9491f78c10e582154a4b5a4bad5c9d3c731e518f5da43

          SHA512

          a987a530985e57dc489afb4c7ef66c9ee7c81b3e7dd96b1a21ba6066bbbbcfe5fcc143827b9e06d4ef360aa367c1e0133cf2f9e8d5669c65929f2769745a2c02

        • C:\Windows\System\QysedPq.exe

          Filesize

          5.2MB

          MD5

          f0452a0a7130ef39a2095cbb0494b57f

          SHA1

          d1cc189f678a795fc3d4a324bf0ac967ca77f313

          SHA256

          eaa6ed4b56dc6285f413a27835b8b3bbf7a45bee29f7c9432b6acb75dab3df3b

          SHA512

          c07dbe7c95c3a41ed4bebcf57034a174c8f8e171f73290500abb94e506a2614637df7036fbad8fbbe80e4c77173e1b35cebda77404b77564f4f41ef6ca474faf

        • C:\Windows\System\VnwJAtc.exe

          Filesize

          5.2MB

          MD5

          e5c90b80ac23cd41376519717edf380a

          SHA1

          b409fb49d2cf05bd2f4206bb30fd260568f2ec68

          SHA256

          6f9a455a7a91f3fe33f6659418f220a1533f564eb83f300f5be44c2aefefdca6

          SHA512

          594c95cc93102c4f3a00f7ae1eed0c9107ee9d27f5287df1457e8ddcfe7aebcb3633866dfb7bac8ec98923fffe787823a570eecf81b55571a97be37002dbdca7

        • C:\Windows\System\cVfOTwD.exe

          Filesize

          5.2MB

          MD5

          222f22dea2210524fb9beab7a35f83f0

          SHA1

          9d148d8b5f651dfb0480ed749870931a45ccb5e9

          SHA256

          732af093dc0be8eea3b1d8294739de4416988f59b30027ecfdad5240e02e075b

          SHA512

          20efc86e4e58d88b5ca5eae0ab5775cc18cab8de8ed26d800bac494bc80a105008ee7fe05a05b5b55e7b0f1bc74936afece9fd830c4672a3eb73d08121c17490

        • C:\Windows\System\fHwxncM.exe

          Filesize

          5.2MB

          MD5

          aa7ea32bb0ffeb0c891eb76e3f5822da

          SHA1

          f58f65830c9cd91d137313cf642a67bd0140323f

          SHA256

          971983d40235071bdfeb193040e9c1c681f97ccad1bc730c4c8543b290e823ce

          SHA512

          8f43d0a06274080ff3cc3f51c93ff2cfdda50cca3e6e20e09ad998992a8d098a5e20aeedbeea9896a3e6efe8d41d5887e7a94470643f86cdf76255cc3444b51b

        • C:\Windows\System\iRrUCrO.exe

          Filesize

          5.2MB

          MD5

          4ce1915625b6b9ca3e07c1373bbf3cd7

          SHA1

          393982f93d4fcd8a3ec19c1f0273e19120b95c08

          SHA256

          7b065bb2eea17c40a5d9a1c85ca3f7dfec037296f8a896a358e621761f1c1a9f

          SHA512

          9030b64ff1e4bd40f6366cb334682cd759e6e13034511a75f15b9480c32d46cdc97846a8c3b6672229b54fdb456a20ff0c949a076e2a578766a0aefbd23ea0e3

        • C:\Windows\System\mRQLVRU.exe

          Filesize

          5.2MB

          MD5

          41ec2fc56131d536fb6389562c289205

          SHA1

          f0fb645c218089b483d2051e365b035e3bd836f3

          SHA256

          a56518c1a7bed7091dde2a35111aa668e71d8f91117ddc259e669b035a8c2acd

          SHA512

          50e3c459acde9acf9472c52374ba4210ea774d37f4a80d98db2b02f8e3b210d3c1344fc9df8c7cae13d283b968d7ba44dbc3025b5cfa6b1fc2d266dcdf8f40e6

        • C:\Windows\System\ndrHcns.exe

          Filesize

          5.2MB

          MD5

          cc366d2d8d4077fff8e6b550dd1bce99

          SHA1

          3772aa184281ec10fb1510688b19e05bd82d73b5

          SHA256

          940c0aaca5802dcf9e402b97ea02d823c406f434d92963236c3b47d6a8999817

          SHA512

          f3d36acd66084b12946f1074e706404d2f330ff2c910d34c5d08975534f95c5659691cbba2dc1989801a08be610a7b09e7540bd42d0597a5c24e02fe1b5c1c31

        • C:\Windows\System\vGlFjMQ.exe

          Filesize

          5.2MB

          MD5

          49e4ea8d05e643feee9bba73735c958f

          SHA1

          ff7ed2156b905fb87a00b16e5ee66f3ea476de55

          SHA256

          9e59ce1675204e88c2479a73357ac92b4068470a4ad0695e1239d2ac8d3a5a42

          SHA512

          219d2f7b375d5593deb30b2f1d372e7ea8565d3d4024a3fc81e8e1e85a26ac8466ae7567f339468247fc267ad510267f290786cc4e462034ddb8e0a03828b98f

        • C:\Windows\System\wMdeBKq.exe

          Filesize

          5.2MB

          MD5

          3591026ef9fe2232a8cee7850b34f944

          SHA1

          1546702addf32c7a3107264902b272f0235c9579

          SHA256

          ff29eac87170eece6e7d2b654415f43704fa050ecf5004ac3d8ffd69c4ed4eb6

          SHA512

          0fa218b59771445a08be01345df7fc0d3ee46071f625b3657dea10d3ebfbccbf15973874acbf7c1c687ef761d4be738369d660a04a8831d073fe3aeddde39b72

        • C:\Windows\System\zZrmOKH.exe

          Filesize

          5.2MB

          MD5

          8207ad73776225da657854da82fed1df

          SHA1

          d7db7b1a2fbd171360162e062f2f56138b792bd0

          SHA256

          15f4f5f95494c7f93d222098a2214f2771c2cfcba641dd8e121e0f134622bef4

          SHA512

          61b66a547622a1c8437982a084da266889c6f160b02eee7fe9cb46ed4f95ed76a18de94e94868ff36f6b0957edf6e74b6613c2e74a88ef59cc1d81010a1735dc

        • memory/372-209-0x00007FF6F5060000-0x00007FF6F53B1000-memory.dmp

          Filesize

          3.3MB

        • memory/372-66-0x00007FF6F5060000-0x00007FF6F53B1000-memory.dmp

          Filesize

          3.3MB

        • memory/372-7-0x00007FF6F5060000-0x00007FF6F53B1000-memory.dmp

          Filesize

          3.3MB

        • memory/512-114-0x00007FF62BD10000-0x00007FF62C061000-memory.dmp

          Filesize

          3.3MB

        • memory/512-255-0x00007FF62BD10000-0x00007FF62C061000-memory.dmp

          Filesize

          3.3MB

        • memory/972-231-0x00007FF6A1AB0000-0x00007FF6A1E01000-memory.dmp

          Filesize

          3.3MB

        • memory/972-133-0x00007FF6A1AB0000-0x00007FF6A1E01000-memory.dmp

          Filesize

          3.3MB

        • memory/972-50-0x00007FF6A1AB0000-0x00007FF6A1E01000-memory.dmp

          Filesize

          3.3MB

        • memory/1604-135-0x00007FF7655F0000-0x00007FF765941000-memory.dmp

          Filesize

          3.3MB

        • memory/1604-62-0x00007FF7655F0000-0x00007FF765941000-memory.dmp

          Filesize

          3.3MB

        • memory/1604-235-0x00007FF7655F0000-0x00007FF765941000-memory.dmp

          Filesize

          3.3MB

        • memory/2184-44-0x00007FF7DD820000-0x00007FF7DDB71000-memory.dmp

          Filesize

          3.3MB

        • memory/2184-119-0x00007FF7DD820000-0x00007FF7DDB71000-memory.dmp

          Filesize

          3.3MB

        • memory/2184-234-0x00007FF7DD820000-0x00007FF7DDB71000-memory.dmp

          Filesize

          3.3MB

        • memory/2204-43-0x00007FF6E7CD0000-0x00007FF6E8021000-memory.dmp

          Filesize

          3.3MB

        • memory/2204-226-0x00007FF6E7CD0000-0x00007FF6E8021000-memory.dmp

          Filesize

          3.3MB

        • memory/2204-89-0x00007FF6E7CD0000-0x00007FF6E8021000-memory.dmp

          Filesize

          3.3MB

        • memory/2364-230-0x00007FF74A320000-0x00007FF74A671000-memory.dmp

          Filesize

          3.3MB

        • memory/2364-51-0x00007FF74A320000-0x00007FF74A671000-memory.dmp

          Filesize

          3.3MB

        • memory/2364-134-0x00007FF74A320000-0x00007FF74A671000-memory.dmp

          Filesize

          3.3MB

        • memory/2708-263-0x00007FF78B5D0000-0x00007FF78B921000-memory.dmp

          Filesize

          3.3MB

        • memory/2708-117-0x00007FF78B5D0000-0x00007FF78B921000-memory.dmp

          Filesize

          3.3MB

        • memory/2708-156-0x00007FF78B5D0000-0x00007FF78B921000-memory.dmp

          Filesize

          3.3MB

        • memory/2780-223-0x00007FF737950000-0x00007FF737CA1000-memory.dmp

          Filesize

          3.3MB

        • memory/2780-26-0x00007FF737950000-0x00007FF737CA1000-memory.dmp

          Filesize

          3.3MB

        • memory/2780-88-0x00007FF737950000-0x00007FF737CA1000-memory.dmp

          Filesize

          3.3MB

        • memory/2820-86-0x00007FF6E3DC0000-0x00007FF6E4111000-memory.dmp

          Filesize

          3.3MB

        • memory/2820-248-0x00007FF6E3DC0000-0x00007FF6E4111000-memory.dmp

          Filesize

          3.3MB

        • memory/2820-149-0x00007FF6E3DC0000-0x00007FF6E4111000-memory.dmp

          Filesize

          3.3MB

        • memory/2964-227-0x00007FF78B600000-0x00007FF78B951000-memory.dmp

          Filesize

          3.3MB

        • memory/2964-35-0x00007FF78B600000-0x00007FF78B951000-memory.dmp

          Filesize

          3.3MB

        • memory/2964-113-0x00007FF78B600000-0x00007FF78B951000-memory.dmp

          Filesize

          3.3MB

        • memory/3372-144-0x00007FF639440000-0x00007FF639791000-memory.dmp

          Filesize

          3.3MB

        • memory/3372-162-0x00007FF639440000-0x00007FF639791000-memory.dmp

          Filesize

          3.3MB

        • memory/3372-268-0x00007FF639440000-0x00007FF639791000-memory.dmp

          Filesize

          3.3MB

        • memory/3732-75-0x00007FF635B10000-0x00007FF635E61000-memory.dmp

          Filesize

          3.3MB

        • memory/3732-246-0x00007FF635B10000-0x00007FF635E61000-memory.dmp

          Filesize

          3.3MB

        • memory/3732-148-0x00007FF635B10000-0x00007FF635E61000-memory.dmp

          Filesize

          3.3MB

        • memory/4316-95-0x00007FF67B6D0000-0x00007FF67BA21000-memory.dmp

          Filesize

          3.3MB

        • memory/4316-253-0x00007FF67B6D0000-0x00007FF67BA21000-memory.dmp

          Filesize

          3.3MB

        • memory/4496-147-0x00007FF611980000-0x00007FF611CD1000-memory.dmp

          Filesize

          3.3MB

        • memory/4496-173-0x00007FF611980000-0x00007FF611CD1000-memory.dmp

          Filesize

          3.3MB

        • memory/4496-270-0x00007FF611980000-0x00007FF611CD1000-memory.dmp

          Filesize

          3.3MB

        • memory/4516-0-0x00007FF7219E0000-0x00007FF721D31000-memory.dmp

          Filesize

          3.3MB

        • memory/4516-158-0x00007FF7219E0000-0x00007FF721D31000-memory.dmp

          Filesize

          3.3MB

        • memory/4516-1-0x00000205CFE60000-0x00000205CFE70000-memory.dmp

          Filesize

          64KB

        • memory/4516-60-0x00007FF7219E0000-0x00007FF721D31000-memory.dmp

          Filesize

          3.3MB

        • memory/4524-211-0x00007FF66A930000-0x00007FF66AC81000-memory.dmp

          Filesize

          3.3MB

        • memory/4524-70-0x00007FF66A930000-0x00007FF66AC81000-memory.dmp

          Filesize

          3.3MB

        • memory/4524-12-0x00007FF66A930000-0x00007FF66AC81000-memory.dmp

          Filesize

          3.3MB

        • memory/4612-82-0x00007FF68DD50000-0x00007FF68E0A1000-memory.dmp

          Filesize

          3.3MB

        • memory/4612-20-0x00007FF68DD50000-0x00007FF68E0A1000-memory.dmp

          Filesize

          3.3MB

        • memory/4612-221-0x00007FF68DD50000-0x00007FF68E0A1000-memory.dmp

          Filesize

          3.3MB

        • memory/4744-239-0x00007FF6C8130000-0x00007FF6C8481000-memory.dmp

          Filesize

          3.3MB

        • memory/4744-67-0x00007FF6C8130000-0x00007FF6C8481000-memory.dmp

          Filesize

          3.3MB

        • memory/4744-136-0x00007FF6C8130000-0x00007FF6C8481000-memory.dmp

          Filesize

          3.3MB

        • memory/4820-116-0x00007FF74A220000-0x00007FF74A571000-memory.dmp

          Filesize

          3.3MB

        • memory/4820-259-0x00007FF74A220000-0x00007FF74A571000-memory.dmp

          Filesize

          3.3MB

        • memory/4992-118-0x00007FF6C6D20000-0x00007FF6C7071000-memory.dmp

          Filesize

          3.3MB

        • memory/4992-257-0x00007FF6C6D20000-0x00007FF6C7071000-memory.dmp

          Filesize

          3.3MB

        • memory/5112-120-0x00007FF7F4BC0000-0x00007FF7F4F11000-memory.dmp

          Filesize

          3.3MB

        • memory/5112-261-0x00007FF7F4BC0000-0x00007FF7F4F11000-memory.dmp

          Filesize

          3.3MB

        • memory/5112-157-0x00007FF7F4BC0000-0x00007FF7F4F11000-memory.dmp

          Filesize

          3.3MB