Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/10/2024, 04:38

General

  • Target

    2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    e596b4b937b540e38c5b747c14972cfe

  • SHA1

    cc99fd2e0b1c5c7508accd3324e0e8fd4430c054

  • SHA256

    cdb51c813437685db3fbd116ecd6522a14e57ca10dd958f748b4156fe51fbc64

  • SHA512

    c6d17ce8cb5f7e55465a31acdafda49b88d94d721c46ab4b334ab56cb052c387ae7ad59a2e3997a88eabc849c2e6acbe5b71ee7241170d6218357969df9b8ce4

  • SSDEEP

    49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lc:RWWBibd56utgpPFotBER/mQ32lUA

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Cobaltstrike family
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 45 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4960
    • C:\Windows\System\smlUjnr.exe
      C:\Windows\System\smlUjnr.exe
      2⤵
      • Executes dropped EXE
      PID:4936
    • C:\Windows\System\zYRLSqe.exe
      C:\Windows\System\zYRLSqe.exe
      2⤵
      • Executes dropped EXE
      PID:2552
    • C:\Windows\System\XCMBDxJ.exe
      C:\Windows\System\XCMBDxJ.exe
      2⤵
      • Executes dropped EXE
      PID:4664
    • C:\Windows\System\ustqoxO.exe
      C:\Windows\System\ustqoxO.exe
      2⤵
      • Executes dropped EXE
      PID:384
    • C:\Windows\System\rRVNpIO.exe
      C:\Windows\System\rRVNpIO.exe
      2⤵
      • Executes dropped EXE
      PID:1936
    • C:\Windows\System\YgdsyZC.exe
      C:\Windows\System\YgdsyZC.exe
      2⤵
      • Executes dropped EXE
      PID:2832
    • C:\Windows\System\IjfTcZX.exe
      C:\Windows\System\IjfTcZX.exe
      2⤵
      • Executes dropped EXE
      PID:1796
    • C:\Windows\System\SzYyHRW.exe
      C:\Windows\System\SzYyHRW.exe
      2⤵
      • Executes dropped EXE
      PID:4620
    • C:\Windows\System\KYOKlIU.exe
      C:\Windows\System\KYOKlIU.exe
      2⤵
      • Executes dropped EXE
      PID:2004
    • C:\Windows\System\XBEYyIk.exe
      C:\Windows\System\XBEYyIk.exe
      2⤵
      • Executes dropped EXE
      PID:2064
    • C:\Windows\System\yOnzGkV.exe
      C:\Windows\System\yOnzGkV.exe
      2⤵
      • Executes dropped EXE
      PID:1132
    • C:\Windows\System\GHKtyld.exe
      C:\Windows\System\GHKtyld.exe
      2⤵
      • Executes dropped EXE
      PID:1172
    • C:\Windows\System\IFOCDno.exe
      C:\Windows\System\IFOCDno.exe
      2⤵
      • Executes dropped EXE
      PID:2584
    • C:\Windows\System\zZMGLkm.exe
      C:\Windows\System\zZMGLkm.exe
      2⤵
      • Executes dropped EXE
      PID:4116
    • C:\Windows\System\VNWUtXU.exe
      C:\Windows\System\VNWUtXU.exe
      2⤵
      • Executes dropped EXE
      PID:3404
    • C:\Windows\System\hoEzqbm.exe
      C:\Windows\System\hoEzqbm.exe
      2⤵
      • Executes dropped EXE
      PID:4568
    • C:\Windows\System\DsjwAKj.exe
      C:\Windows\System\DsjwAKj.exe
      2⤵
      • Executes dropped EXE
      PID:3224
    • C:\Windows\System\UPnUpUX.exe
      C:\Windows\System\UPnUpUX.exe
      2⤵
      • Executes dropped EXE
      PID:2824
    • C:\Windows\System\weYIamj.exe
      C:\Windows\System\weYIamj.exe
      2⤵
      • Executes dropped EXE
      PID:4616
    • C:\Windows\System\rLSXZJl.exe
      C:\Windows\System\rLSXZJl.exe
      2⤵
      • Executes dropped EXE
      PID:1916
    • C:\Windows\System\yFfJJxH.exe
      C:\Windows\System\yFfJJxH.exe
      2⤵
      • Executes dropped EXE
      PID:4928

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\System\DsjwAKj.exe

          Filesize

          5.2MB

          MD5

          772435871c1ae1dafb756d130d46339a

          SHA1

          c82e7cf5578cda9877b7249cff04aa328526c2c9

          SHA256

          91bb1ca6e2d63025610ffb57856ca805e1f3f9399a4d44b50a7e0b3e7ee6da64

          SHA512

          2c595f4ada0b27cded5296a16bf04cc1a125e55d5dffbe6f299704b978fca420f64e7101d94f12420851a10d2f5928f4e937b56e3efc047917953eb5644b9584

        • C:\Windows\System\GHKtyld.exe

          Filesize

          5.2MB

          MD5

          c8c2b8a67f81a7519331476a0e26ba00

          SHA1

          f42d00836fc843cd3e9f5a5707709403728acd5f

          SHA256

          c725e46fe08ecb396356181830003f2bd65d83041faffd9613c8db5ef2f09388

          SHA512

          c119fafcfd2a04112f13af23761704b8045408c87134237b18daa4661f94674cc5aa9482c4c5d2a3d5db8bcb25d5e9087db399bf5cdde19ea1084cdf60853336

        • C:\Windows\System\IFOCDno.exe

          Filesize

          5.2MB

          MD5

          f518981dfbd9eaabfb1169c1cbbe8589

          SHA1

          a2e7a07d06f339041d8d100bb58717cf1db6911d

          SHA256

          e1b901ef9f1685b2b0cf5b05681f97e32d333e784a6c2d2af57a9be2696f6d04

          SHA512

          f26a6ae8c1ae07bdde48021b96acc12f723305946363b6e54edb548c1131aa488e3493db2a816c222d4cf259eca3fcf16c112c79ac44a6c9569508e63597edd4

        • C:\Windows\System\IjfTcZX.exe

          Filesize

          5.2MB

          MD5

          2c2640ac9eed8ed79bbad9c6a605f472

          SHA1

          ec939cd2358849e2676752486c5fe26f0c0cc98f

          SHA256

          e178c6ccf1237718cee1807e4572379e0130348dea5d20f8de2b598258522a63

          SHA512

          e03c33fb411317205cbc504d0a294459907c912f8e4d50392477c943de937393dbe63b679fa1a9420de88660c85da40e84efdd5e768584b33f3282538c35839a

        • C:\Windows\System\KYOKlIU.exe

          Filesize

          5.2MB

          MD5

          e9c5bb137f7d493cafe84140f52fd15f

          SHA1

          d8c567ca4b2f89d2e42d4213e286831668c79619

          SHA256

          f466c486a32a67fe8e214e2b5a33b91f36b1912475f4c09fa96f4c057e38b3b3

          SHA512

          54551ac2e0b421fe1e17e154f16822931d34e769b6d26e0a12f26fc6ea1122054361bdfbc3988cb177fcd54a6373e98196136cc798a3edd6448b163122aee5ae

        • C:\Windows\System\SzYyHRW.exe

          Filesize

          5.2MB

          MD5

          217f6b22ca587af978bd39e75080ae57

          SHA1

          07c35c5a1ae7ac2b723fa1e30f9b2895f6313d0e

          SHA256

          b8eb1346a991058f139b44edf4b58f235c9d1fe4e272ef4457009985bf1d9e1c

          SHA512

          a97bcf80fe2edd3ae7bd1b90560a82d42380714debb7517984c24fb8ddaf091fccb9e6ad7b8d7f0ad0233bbac233d79ce5607ca649caab9e48e0ef6ce1d242a8

        • C:\Windows\System\UPnUpUX.exe

          Filesize

          5.2MB

          MD5

          cbc737f339a9d7bd6e77d34b89368eaf

          SHA1

          d0a74499f28c665f7723b16b66f97027b708a67a

          SHA256

          c1b9a5a8a2bd575c9195fab67bdcaf88ebe30b95f447982fb716b32f40b86976

          SHA512

          568111174ab5645fe0852eb5d970a5097e007923434bc537647133ff497adf5e9b49e3794c0090610efe23aec06aab4d535b84c55fa44733d5c75b96313d10b8

        • C:\Windows\System\VNWUtXU.exe

          Filesize

          5.2MB

          MD5

          8ed47bd4484fac484f6c9ffe960e1b9c

          SHA1

          9736cec0c9582cecc473bc4eb0137ac7718b8aef

          SHA256

          73e3e14099460293a139109eef08bb541a18e11d83c4ddc6b4eabba275ca3772

          SHA512

          2868e057f9f569d960d5ef2e74d932c52bac47ae11b69b0066dc7192544ea4f92e22e770bb7ff14ef375be720d6294709e33377a39f1a77b53bf4db8bb945196

        • C:\Windows\System\XBEYyIk.exe

          Filesize

          5.2MB

          MD5

          78594d1b93326a67781d1bb490cb50a2

          SHA1

          338d49f13222146cdda7f62bd201752be06f423e

          SHA256

          86788bb1d369f0683bac2ef54ba61e7e71faed4fa4239c6eeb6bee96c575d580

          SHA512

          da1ee6d4413a91d7631734971489d4144dd136cb7a29fe53bdbfd86d422df656287be81a1a63438dfdb826a259dea97aedb7958d2b53d48a57906f42bfa99d3e

        • C:\Windows\System\XCMBDxJ.exe

          Filesize

          5.2MB

          MD5

          93ebb467f9b66f60b49ea98fc3d38d7a

          SHA1

          5a210f6093cc51feee4dabda1ad6165f24a20327

          SHA256

          30e975ded8edaa634cdb8e72f7626496e3cc4c753f795b0f4416469cdc5e4b0e

          SHA512

          d606cbcd0930a858e3dd5814ed49ab8059ca59927b8618900cf41b42575dbf452cd12a3cacd17295b81a574a375631747d45b37f7168aa518972fc7a6a1e31e2

        • C:\Windows\System\YgdsyZC.exe

          Filesize

          5.2MB

          MD5

          140b6f8f138e2e51411a2c2ec199c907

          SHA1

          61a986a89a06b1bc0f67608dc1aedff179ea28a7

          SHA256

          5ba64213d862b2bc578538cf6b5b95ab1c0661372c6416114372c3261a52fedb

          SHA512

          61a1b41c4fa7cde386255f31b2315f12c1efb153a88af3e419c2a7feda2b27867c9ef6f8a2eef8e382c1e050c8826512d132aaae2b6acc5bfc174f5bdf2f223b

        • C:\Windows\System\hoEzqbm.exe

          Filesize

          5.2MB

          MD5

          0260c5d41cce7411666ec923d9e21531

          SHA1

          14a0ae976b74eeff372998bc5e274f98a4327698

          SHA256

          33ff2accfd8dea886f77655c3cbe3015a9d29abb14fb81c609ab555ee6043c5a

          SHA512

          145e27a3bb5ea69d4de4248d388b1c584f9f4a1b64449ce0a64a7c994cac3f6ca8fde7641c77b6e9e4251abf8c66b718fdcd827c4e21c6f08bb9cbcae03b0cc6

        • C:\Windows\System\rLSXZJl.exe

          Filesize

          5.2MB

          MD5

          1f7dd2c68833ca454faba85da3652cfe

          SHA1

          bf2c7f45302279c10f332eb07dae49a9a5d38f1d

          SHA256

          71a8ea5f29fcc6836bd10867840f6b426785399554a6f486c500978224938a2f

          SHA512

          6d3592b99d3c67f64f329ad6f6ad86a9fad083ea45bef450d347243e7af953d1cb69656e998f2a0f02ca8dca87431bc3743176d50926140b0d1393e76cc59200

        • C:\Windows\System\rRVNpIO.exe

          Filesize

          5.2MB

          MD5

          022ff5d37de9c88d75d37e90c48077f2

          SHA1

          5bcc19ad9d17a3590a32777db12c5f5988c774c6

          SHA256

          57acb7a0feec1858e60ee432d356800c35c5a987c80c7d5043778e035aa95ef8

          SHA512

          711a040da47c9110f2ba14be4346bb1effe266e62104e7923b9e7ffe7c1bff40e4e305c55b12a9c6e991bd1f5407e2de73b23d0ed43d2a4579bc734ca3048e04

        • C:\Windows\System\smlUjnr.exe

          Filesize

          5.2MB

          MD5

          5756d6991c9d3f091efdc8812809b7aa

          SHA1

          563a747acfcb76f559a046cdcd15e2d28c751cde

          SHA256

          a3dba698730c7de87a2dfca1dcd2e39e99b452c0ef890ca636bc6e6136f69dca

          SHA512

          e2a59ded82631fa577f6197a79334dc54dbdf955d82fca68e1dc736d44bfeca5373f6b360323909bd147e175ab397efc6fb866e536c243ea3b9ced7cc6b5b3ad

        • C:\Windows\System\ustqoxO.exe

          Filesize

          5.2MB

          MD5

          7c94b56fed2e1c6458d245cbd8b0e217

          SHA1

          5ca0080eb9de0971b1d25e4737d1753d6b649474

          SHA256

          b357737c567813098f659c10cdbe95c796726a4dd1ceef4128def600006bbcf6

          SHA512

          a3d5123a65d477ffd7cdd20e85b8d7914a050e87dc9b2fd040f676920949dbf0bcab7f193083d9b4988166c280eea3deac27af395d24ce7b19146e448950fb75

        • C:\Windows\System\weYIamj.exe

          Filesize

          5.2MB

          MD5

          d4e01206b136492ba1873f82eef288f3

          SHA1

          823e537fc4879c1a5633af6a74e33df84f9e866f

          SHA256

          9ca099e315ddb10e22201195e66420b024ad59973e3fede6035437d9fa3ff0e1

          SHA512

          eb8a44eb1ff713c86b25d925abb5b309e3747a2b85796cb34269e43877632a846e7bb8eb896aa4f141b8d5e9638d61da3b398685d4dcade8490804b42e7dc9a0

        • C:\Windows\System\yFfJJxH.exe

          Filesize

          5.2MB

          MD5

          4e4e71a1b0e55eebf40722b576d61c22

          SHA1

          af62eb20e2d8d2ac5f6aaf08552ab9894c0d2b51

          SHA256

          a86424af3dc60f5b3a0a2f66dfe1b95ac7017f058f6b38f62445d8410ef532ed

          SHA512

          8a02fc17734d43cbdc17a5337f70b7352e93f876ec83a2cef981cc566c8d9a113ea1d3749dc77b52090961455ac7a44ac02b5de8f717831d9946c5dd5e50d869

        • C:\Windows\System\yOnzGkV.exe

          Filesize

          5.2MB

          MD5

          d70c4650764d59b421e4b848dc2448fc

          SHA1

          7e5977afcc39621fe32ce024abccfb883a37be25

          SHA256

          0dbace26a16580e700cc140d10991ef67dc36f5240a39b432cb1e9b77b3134e2

          SHA512

          749a5b2c3e5f358ccb309e55091620367769a15f02759086afd01426f5b64873fb9b4685162b4568cf6973801fd275027302028caba82a428981fa50fc56f051

        • C:\Windows\System\zYRLSqe.exe

          Filesize

          5.2MB

          MD5

          2eea7f32bd3b237ab80c20968761b76b

          SHA1

          1d207d4091f9401cf23698c1933d9507553fd493

          SHA256

          a6c07ded74083ad009f52a5a4dc02d7aa42fc39eb1c105a9e4b8b0635174ed24

          SHA512

          50564b81b9ebf894e6c93a2eaedd63993769f548ba9f94fe7264c59d28e14d69274a94037045b19c8892ef04c2eb134b39d23cae17cb06cf1779fa4f5a5736e5

        • C:\Windows\System\zZMGLkm.exe

          Filesize

          5.2MB

          MD5

          ce92e3b12e4e21c205e2d8d03120a7a9

          SHA1

          5f750aa332f998586f908cc0ec3048ee9c345d95

          SHA256

          f4ce984df512c92fc3935061d40478ef7908ebfc79ab6bb69df37ae25a7de409

          SHA512

          0036c70c883cf675942ee0e56dd0a843dde96c562fcb010d84fb142bb8f2623c768500abfa9026f88155fb80bc22d34e8abd13cd37a9729c2369c971fa48b625

        • memory/384-132-0x00007FF7E8EE0000-0x00007FF7E9231000-memory.dmp

          Filesize

          3.3MB

        • memory/384-24-0x00007FF7E8EE0000-0x00007FF7E9231000-memory.dmp

          Filesize

          3.3MB

        • memory/384-212-0x00007FF7E8EE0000-0x00007FF7E9231000-memory.dmp

          Filesize

          3.3MB

        • memory/1132-236-0x00007FF65D6E0000-0x00007FF65DA31000-memory.dmp

          Filesize

          3.3MB

        • memory/1132-144-0x00007FF65D6E0000-0x00007FF65DA31000-memory.dmp

          Filesize

          3.3MB

        • memory/1132-92-0x00007FF65D6E0000-0x00007FF65DA31000-memory.dmp

          Filesize

          3.3MB

        • memory/1172-145-0x00007FF65EB50000-0x00007FF65EEA1000-memory.dmp

          Filesize

          3.3MB

        • memory/1172-244-0x00007FF65EB50000-0x00007FF65EEA1000-memory.dmp

          Filesize

          3.3MB

        • memory/1172-70-0x00007FF65EB50000-0x00007FF65EEA1000-memory.dmp

          Filesize

          3.3MB

        • memory/1796-231-0x00007FF6642C0000-0x00007FF664611000-memory.dmp

          Filesize

          3.3MB

        • memory/1796-140-0x00007FF6642C0000-0x00007FF664611000-memory.dmp

          Filesize

          3.3MB

        • memory/1796-49-0x00007FF6642C0000-0x00007FF664611000-memory.dmp

          Filesize

          3.3MB

        • memory/1916-124-0x00007FF701F10000-0x00007FF702261000-memory.dmp

          Filesize

          3.3MB

        • memory/1916-257-0x00007FF701F10000-0x00007FF702261000-memory.dmp

          Filesize

          3.3MB

        • memory/1916-153-0x00007FF701F10000-0x00007FF702261000-memory.dmp

          Filesize

          3.3MB

        • memory/1936-33-0x00007FF66B1B0000-0x00007FF66B501000-memory.dmp

          Filesize

          3.3MB

        • memory/1936-226-0x00007FF66B1B0000-0x00007FF66B501000-memory.dmp

          Filesize

          3.3MB

        • memory/1936-138-0x00007FF66B1B0000-0x00007FF66B501000-memory.dmp

          Filesize

          3.3MB

        • memory/2004-142-0x00007FF6E2F60000-0x00007FF6E32B1000-memory.dmp

          Filesize

          3.3MB

        • memory/2004-234-0x00007FF6E2F60000-0x00007FF6E32B1000-memory.dmp

          Filesize

          3.3MB

        • memory/2004-61-0x00007FF6E2F60000-0x00007FF6E32B1000-memory.dmp

          Filesize

          3.3MB

        • memory/2064-242-0x00007FF771C00000-0x00007FF771F51000-memory.dmp

          Filesize

          3.3MB

        • memory/2064-69-0x00007FF771C00000-0x00007FF771F51000-memory.dmp

          Filesize

          3.3MB

        • memory/2064-143-0x00007FF771C00000-0x00007FF771F51000-memory.dmp

          Filesize

          3.3MB

        • memory/2552-208-0x00007FF665010000-0x00007FF665361000-memory.dmp

          Filesize

          3.3MB

        • memory/2552-78-0x00007FF665010000-0x00007FF665361000-memory.dmp

          Filesize

          3.3MB

        • memory/2552-13-0x00007FF665010000-0x00007FF665361000-memory.dmp

          Filesize

          3.3MB

        • memory/2584-246-0x00007FF709D20000-0x00007FF70A071000-memory.dmp

          Filesize

          3.3MB

        • memory/2584-112-0x00007FF709D20000-0x00007FF70A071000-memory.dmp

          Filesize

          3.3MB

        • memory/2824-125-0x00007FF747660000-0x00007FF7479B1000-memory.dmp

          Filesize

          3.3MB

        • memory/2824-262-0x00007FF747660000-0x00007FF7479B1000-memory.dmp

          Filesize

          3.3MB

        • memory/2832-228-0x00007FF7E65C0000-0x00007FF7E6911000-memory.dmp

          Filesize

          3.3MB

        • memory/2832-139-0x00007FF7E65C0000-0x00007FF7E6911000-memory.dmp

          Filesize

          3.3MB

        • memory/2832-34-0x00007FF7E65C0000-0x00007FF7E6911000-memory.dmp

          Filesize

          3.3MB

        • memory/3224-254-0x00007FF744000000-0x00007FF744351000-memory.dmp

          Filesize

          3.3MB

        • memory/3224-102-0x00007FF744000000-0x00007FF744351000-memory.dmp

          Filesize

          3.3MB

        • memory/3224-150-0x00007FF744000000-0x00007FF744351000-memory.dmp

          Filesize

          3.3MB

        • memory/3404-252-0x00007FF762790000-0x00007FF762AE1000-memory.dmp

          Filesize

          3.3MB

        • memory/3404-148-0x00007FF762790000-0x00007FF762AE1000-memory.dmp

          Filesize

          3.3MB

        • memory/3404-101-0x00007FF762790000-0x00007FF762AE1000-memory.dmp

          Filesize

          3.3MB

        • memory/4116-248-0x00007FF705F00000-0x00007FF706251000-memory.dmp

          Filesize

          3.3MB

        • memory/4116-113-0x00007FF705F00000-0x00007FF706251000-memory.dmp

          Filesize

          3.3MB

        • memory/4568-251-0x00007FF638FD0000-0x00007FF639321000-memory.dmp

          Filesize

          3.3MB

        • memory/4568-118-0x00007FF638FD0000-0x00007FF639321000-memory.dmp

          Filesize

          3.3MB

        • memory/4616-129-0x00007FF73CF90000-0x00007FF73D2E1000-memory.dmp

          Filesize

          3.3MB

        • memory/4616-259-0x00007FF73CF90000-0x00007FF73D2E1000-memory.dmp

          Filesize

          3.3MB

        • memory/4616-152-0x00007FF73CF90000-0x00007FF73D2E1000-memory.dmp

          Filesize

          3.3MB

        • memory/4620-141-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp

          Filesize

          3.3MB

        • memory/4620-42-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp

          Filesize

          3.3MB

        • memory/4620-232-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp

          Filesize

          3.3MB

        • memory/4664-130-0x00007FF7CF580000-0x00007FF7CF8D1000-memory.dmp

          Filesize

          3.3MB

        • memory/4664-210-0x00007FF7CF580000-0x00007FF7CF8D1000-memory.dmp

          Filesize

          3.3MB

        • memory/4664-15-0x00007FF7CF580000-0x00007FF7CF8D1000-memory.dmp

          Filesize

          3.3MB

        • memory/4928-128-0x00007FF7D3BF0000-0x00007FF7D3F41000-memory.dmp

          Filesize

          3.3MB

        • memory/4928-260-0x00007FF7D3BF0000-0x00007FF7D3F41000-memory.dmp

          Filesize

          3.3MB

        • memory/4936-77-0x00007FF6C0210000-0x00007FF6C0561000-memory.dmp

          Filesize

          3.3MB

        • memory/4936-204-0x00007FF6C0210000-0x00007FF6C0561000-memory.dmp

          Filesize

          3.3MB

        • memory/4936-8-0x00007FF6C0210000-0x00007FF6C0561000-memory.dmp

          Filesize

          3.3MB

        • memory/4960-133-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp

          Filesize

          3.3MB

        • memory/4960-155-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp

          Filesize

          3.3MB

        • memory/4960-62-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp

          Filesize

          3.3MB

        • memory/4960-0-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp

          Filesize

          3.3MB

        • memory/4960-1-0x000001E27CB20000-0x000001E27CB30000-memory.dmp

          Filesize

          64KB