Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/10/2024, 05:09

General

  • Target

    2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    6ff5e93034cdb528937a2784f31a1dc0

  • SHA1

    e66cce1f569d0bab4f2cca45de16ed9d4821a7a6

  • SHA256

    86256cba6711c887e414aaa9acdaac0e92f65adc08fee3717d39253c5859d6b8

  • SHA512

    ac56213627792da72f3073be83cfd694a94084849d9fdbbe50a9070278d663e0b2f467dd97a658d38fb4f07ccd352e3bb45885c52951ecc931124e325af4b535

  • SSDEEP

    49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6li:RWWBibf56utgpPFotBER/mQ32lUe

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Cobaltstrike family
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 45 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\System\dioKWDf.exe
      C:\Windows\System\dioKWDf.exe
      2⤵
      • Executes dropped EXE
      PID:4972
    • C:\Windows\System\dGkAbDO.exe
      C:\Windows\System\dGkAbDO.exe
      2⤵
      • Executes dropped EXE
      PID:3400
    • C:\Windows\System\bZWUChq.exe
      C:\Windows\System\bZWUChq.exe
      2⤵
      • Executes dropped EXE
      PID:4824
    • C:\Windows\System\nAiXdkx.exe
      C:\Windows\System\nAiXdkx.exe
      2⤵
      • Executes dropped EXE
      PID:3144
    • C:\Windows\System\BxwHviW.exe
      C:\Windows\System\BxwHviW.exe
      2⤵
      • Executes dropped EXE
      PID:1476
    • C:\Windows\System\AYFVATx.exe
      C:\Windows\System\AYFVATx.exe
      2⤵
      • Executes dropped EXE
      PID:1776
    • C:\Windows\System\BaLMWvK.exe
      C:\Windows\System\BaLMWvK.exe
      2⤵
      • Executes dropped EXE
      PID:4700
    • C:\Windows\System\nZFLGnf.exe
      C:\Windows\System\nZFLGnf.exe
      2⤵
      • Executes dropped EXE
      PID:2280
    • C:\Windows\System\eVWJdId.exe
      C:\Windows\System\eVWJdId.exe
      2⤵
      • Executes dropped EXE
      PID:2404
    • C:\Windows\System\gkMSHoC.exe
      C:\Windows\System\gkMSHoC.exe
      2⤵
      • Executes dropped EXE
      PID:1076
    • C:\Windows\System\NabdSfH.exe
      C:\Windows\System\NabdSfH.exe
      2⤵
      • Executes dropped EXE
      PID:4820
    • C:\Windows\System\RcFOTMH.exe
      C:\Windows\System\RcFOTMH.exe
      2⤵
      • Executes dropped EXE
      PID:876
    • C:\Windows\System\ZXarzTp.exe
      C:\Windows\System\ZXarzTp.exe
      2⤵
      • Executes dropped EXE
      PID:4928
    • C:\Windows\System\XTwkKQo.exe
      C:\Windows\System\XTwkKQo.exe
      2⤵
      • Executes dropped EXE
      PID:1136
    • C:\Windows\System\hbwyyFA.exe
      C:\Windows\System\hbwyyFA.exe
      2⤵
      • Executes dropped EXE
      PID:4276
    • C:\Windows\System\SiUPAeO.exe
      C:\Windows\System\SiUPAeO.exe
      2⤵
      • Executes dropped EXE
      PID:3856
    • C:\Windows\System\rFufkAx.exe
      C:\Windows\System\rFufkAx.exe
      2⤵
      • Executes dropped EXE
      PID:1828
    • C:\Windows\System\YFVmWYL.exe
      C:\Windows\System\YFVmWYL.exe
      2⤵
      • Executes dropped EXE
      PID:2320
    • C:\Windows\System\KpAggWA.exe
      C:\Windows\System\KpAggWA.exe
      2⤵
      • Executes dropped EXE
      PID:3444
    • C:\Windows\System\XpKyJpi.exe
      C:\Windows\System\XpKyJpi.exe
      2⤵
      • Executes dropped EXE
      PID:4832
    • C:\Windows\System\lLUrZGP.exe
      C:\Windows\System\lLUrZGP.exe
      2⤵
      • Executes dropped EXE
      PID:3048

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\System\AYFVATx.exe

          Filesize

          5.2MB

          MD5

          b22a605671e71f6fec34da692835cf9b

          SHA1

          1aa09dbb8c804db873a5670e50b8cd8f0a3c243a

          SHA256

          481f85bbc6e57169403d8faf16ae5eb912442ce3d73296cae3102ef153a68d74

          SHA512

          3012b27527706ae376886db708dc603134437f63ec081787c1711c41ef47fb23c07df56d41e39dced3a688baba18d0249d4b51c55da70dff6f18b9fbc6637bf7

        • C:\Windows\System\BaLMWvK.exe

          Filesize

          5.2MB

          MD5

          5c7a9eb27baf41bd10c0c59857ffc101

          SHA1

          6ce4e94ae9ee220c4a34188df0c3ce9a7706979a

          SHA256

          8f4eacc0cf2f7b41803b4dd9958535af711595b4011ef9692e4debfe1f0432f7

          SHA512

          351788bfa6be17ea411ac7558b8ff13854e223fb60542bc13e0422982adef715d6f5e5172b3d5e2ebe7440b82677a556d3b742e91ac211e03cdcef2a7ba502a1

        • C:\Windows\System\BxwHviW.exe

          Filesize

          5.2MB

          MD5

          1fe3f4c70b409662980e63cc0528d7c4

          SHA1

          21dd63392fb55f454ee1ff5a257e887c30f0fb2d

          SHA256

          8e1032b3f9db429c87eb610c31c9625f84459dc93c50232b4d3fb1de896c73a1

          SHA512

          8b8cda9b0a427e7d3d666c3f7d5e6cc15c57a6c06e05362a7bfca30d1e067619ef7ce33fc21c93dbf61901c87a5ab7a8a5cadc5637f4145c916c63714d904b30

        • C:\Windows\System\KpAggWA.exe

          Filesize

          5.2MB

          MD5

          bf0c8bfd7f22e6ff8e552a28e862fe48

          SHA1

          c460ab22a49c17daeb088a99bb52e40d28b4368b

          SHA256

          34edd75c920861f68d0f7fdb6e67a6039859431bc673fcc8ef897447e77d3473

          SHA512

          8e64027e0fff581c3af3328f7e4bd0c57d66d0414486f2e4b9d3cca2444701ffca730f897afcff820e7d0d5da59669af70b87ae2e139e2a221d8d219ccbb2186

        • C:\Windows\System\NabdSfH.exe

          Filesize

          5.2MB

          MD5

          8bd0e9b54931884bb46b2d740a6514ef

          SHA1

          2ff2c8c63dd839afe3e7ae8990e370487e5fe1a7

          SHA256

          a510297fe96b37f880bef41578aff3c27ba0bc2e685d100999c2aef33c299f58

          SHA512

          1a1ec044228e933f7ab1f5a9854e56abbeba25f542af593b4f249473d7e7232fb137d1076e7ec0d5cb87f1fab481ff53933ce3b343915d52e139817825263f19

        • C:\Windows\System\RcFOTMH.exe

          Filesize

          5.2MB

          MD5

          f48157a9adff1091b37d4c7e4db4d78d

          SHA1

          929f0598320fe66b20db7c4df6b3e6590ac1ff2f

          SHA256

          63d109f1f03ce774eeff23e3c9a43d23ebe939b5b949a55d5d247495e5419c92

          SHA512

          f1a5dd1826992362ac753aaa9aba83c3e88e90f9817227b2a52be51c7f89f6a1228d759347b0f42314d393c944075b554d5154842709a9886d1debb4287c0d72

        • C:\Windows\System\SiUPAeO.exe

          Filesize

          5.2MB

          MD5

          2cfc7fc8fcd083ede56767e5de3838d2

          SHA1

          b406cf747831e78351df07ab4b655cd797f87ca7

          SHA256

          97b4c4f8d3c3a3896fc4a1f36f4c0b42823255a3c3e56d489783cf0cb335119e

          SHA512

          0981252e2a132711ab04c128bce674b96b3bcb43d16561a0c0ad947752b0939fa11ec48933d9bf070c21222cb2be7c6fb6d80d72e74336cf61c7f903d90a5455

        • C:\Windows\System\XTwkKQo.exe

          Filesize

          5.2MB

          MD5

          4c94fe49795e0d6be48022ad8b5902db

          SHA1

          fa1143dcca5089d2f0d3818521bb7e18d33585fa

          SHA256

          acdb3d95cf30e1372c05adc7b4d2c957a74d1eb47145c9aeaeef91a173454e8e

          SHA512

          6f9d582bfa7112414a2c0c5727e077321ffcc296e214e76ceb5bdea49586a40846f896d0d652daab2efaa2e8f281a823248c330065760ab69959455e5dd8bd02

        • C:\Windows\System\XpKyJpi.exe

          Filesize

          5.2MB

          MD5

          399e029107c74168559b21ac0d83efb5

          SHA1

          a6fcf4782af02f147a23d0850dfd8dc690f92970

          SHA256

          8077d2956bc4bb6905b71bc4b962c352c0eaf1ecd845042b6605d62573056a04

          SHA512

          f63c70b4226284fa5869fd34e8814770533721e0abab003e2e6f8013924e9de53d341633ec155fc8dbadda1878f8c69570ae978a92900b1d0a393789ea9e6bc6

        • C:\Windows\System\YFVmWYL.exe

          Filesize

          5.2MB

          MD5

          0dddfd823e31748767b1d701941e577a

          SHA1

          b64b12354b912d5aef54702e485970a63dffd64b

          SHA256

          afa9ecb554496dcbf700fe5c51b4e97013d0c0d262d40c81e6b917a21ae5c885

          SHA512

          f1c6213acace074511452636323e2be4207785140081670da2bbdf6dc04573626bbedf6bae42f9a3ed21ae88e1dee8c7ebfdfc294046b017222b8efc10f127a9

        • C:\Windows\System\ZXarzTp.exe

          Filesize

          5.2MB

          MD5

          1b190420d3e8e719fd17588b7dec41bb

          SHA1

          a575d19c2095919b3c81241cff683303b357d112

          SHA256

          027cb3972c5d368a50e2e1e32256de0d62ef73ecfae46bd0fef435e11092ef17

          SHA512

          8d5a2dbb42034721268e22a32c11970f50ed0f7683982d9d445b2e0f0d3ee43934d813efe9bb21d049400ba84c53cc111f0ca5d498edaab699c19a433039538a

        • C:\Windows\System\bZWUChq.exe

          Filesize

          5.2MB

          MD5

          7df7c44b2a73500f44936264e179d93e

          SHA1

          6b376badba3082a1e6290172d86031e4573ff1d1

          SHA256

          3a43c2916988b2563faf4fbfa69d9f0ba22cc1986e5b9c5e4d28e27b9fc1c3a0

          SHA512

          368b07f4cd468ac6a8299cf067c9f524d898c7d30b0acf3f552ddff6d6ad5d8c05214aa730eddc355bd3ea2f38d7b1a84ce0c5fd61100d80d730275bd8f9ee84

        • C:\Windows\System\dGkAbDO.exe

          Filesize

          5.2MB

          MD5

          5773764c26ed9d5368519c905ca756fa

          SHA1

          f118f48fbe73f3feec8c450590068ded5075f0d8

          SHA256

          d3d71e53d38c07d04278616853415b97dd24177803c7a9aee2071dcf1d27d0b1

          SHA512

          2506aa18df9c0d54058b9dc0575639cdf80fda76954e282c22ce07fb2f8f22591725690a1e1e05b53734d072aa39ff2a10fc80b587003f9ac516fdceb66e3583

        • C:\Windows\System\dioKWDf.exe

          Filesize

          5.2MB

          MD5

          39482f6df253b06f26e7df52b88f62cb

          SHA1

          844c011c8fe099a36ab0ff4bc2551d25e74fbe2f

          SHA256

          c74deb546ffb90e41fad9fac7cc03331b4e255623e687d7c58674f1493325b31

          SHA512

          81256c58df67a3eefd5386b02cf6a056f8c771f5d60fecfc4eaa1b0c57f53b55d656e5ffcb5f803ad397fb8d9e3ad994a316f9215c6346e2bd13c75df0ced48f

        • C:\Windows\System\eVWJdId.exe

          Filesize

          5.2MB

          MD5

          0ef7f836c40f6a9ee72f186658caf266

          SHA1

          9e4fc784ad7e2ddd052c9052e6fab3cf72bf6364

          SHA256

          8c4a71c71b6287a6409ff7a6974d1f10afac0b0463c95163364361867fca8051

          SHA512

          e05956865482d3fcad12972da495192a93419239eb02f750e4270c1bb12b948e2c66aac8dbba17d1281a3bfe57d342cbc09adf0b4285275072e4b0486242119c

        • C:\Windows\System\gkMSHoC.exe

          Filesize

          5.2MB

          MD5

          9f3cac22287d5a7ca07391fe7eb5c48f

          SHA1

          589dca361830a0539bdb5eb411cc63a566e7d1d6

          SHA256

          cd7b723e1c256512923f36db40b97cc4a3ad3ef05713e7d87fd4625af3ee9a14

          SHA512

          d12fefe605a7415ebe739905ed4b897a267100ff044c6f1690e6a9c047359692ff51398959816a3e1a9501d84954634c27df311fea36011ce1adf9fc991aae76

        • C:\Windows\System\hbwyyFA.exe

          Filesize

          5.2MB

          MD5

          61cc04584aac211a6f70fa0b019b6536

          SHA1

          8ca7013c06a3a952c309a325242a0ab302a36b3b

          SHA256

          d52c9eed94e35ffb1ed46f5cdebefa0a94e64f0a0dcff49103cec498857c020c

          SHA512

          92752a680649b4acee36632c62788fff8296eac8fa7ca41e9be045348e66d6a97e2f910b768404aa49a6db8584a77a089e1d59e6e8710efc362fbce759a6bb4a

        • C:\Windows\System\lLUrZGP.exe

          Filesize

          5.2MB

          MD5

          c9f671b8a638c78c3bbb4d51ed34ec59

          SHA1

          c7e2ea688c6a6521c548d0a224240aa3c64ce024

          SHA256

          781f2605c85e391b04319f5cfebc3befca548084cd0488bbc29088d3ad4e81ad

          SHA512

          06240ed7eb9e8ce830998396d3bd7ea15f606b0f49014ec2a771a32795c2e00ba9a2df9810a9bae7fb3da79abf3e2306b2a374d1768011fdd6f7346b1a4eb940

        • C:\Windows\System\nAiXdkx.exe

          Filesize

          5.2MB

          MD5

          798776519caf580bc16b615ee42396a9

          SHA1

          b9701e5de037ba91c42b9de96c25047a1fcd9452

          SHA256

          92ff3dadcf213576eaa7242632b014853c985f0c268707894538a01543011480

          SHA512

          a80c597e217db1ee02cb9cf6e398a000709353119b28ace61995d04acbb8d6423e888012b6be5f7de0acd8f4342e7f7d98e31b2279394028bc3d9dc79e1f5e59

        • C:\Windows\System\nZFLGnf.exe

          Filesize

          5.2MB

          MD5

          2c1441bc0909cc8a0007c9468d4fe6a6

          SHA1

          47475b7decc703ad2248bfff39b8625b882bc9c2

          SHA256

          bbdfc2ba69408928a703b99571c92707f17b77c871c0f67688cdfeda70fe93ee

          SHA512

          c8ef2407a34d083bba08fde84a8fb826183b88ae6ad0c2bfdbf1e7bd2bafddd99e3ac089de056cf8942e3033e228d96fac4c250a9980edffd43573ad2f8a5eb6

        • C:\Windows\System\rFufkAx.exe

          Filesize

          5.2MB

          MD5

          ace24cf805a15e0d7b56efa9e90d2fc9

          SHA1

          02e838588072b89202c2617b031ead98bcae891f

          SHA256

          dc661e1cad58b100e8cbb1fdd4118ceab5606ba2efc15163c621f8a806f18bd1

          SHA512

          5a71b619d4c223cbbf61f1ddcf010d53173c34ce550f533ab5b9f530d6af00a1b04815abf6b438b1f891e5f956d47e253e57c71b5789d93b9f3b29149324bf96

        • memory/876-232-0x00007FF611E40000-0x00007FF612191000-memory.dmp

          Filesize

          3.3MB

        • memory/876-128-0x00007FF611E40000-0x00007FF612191000-memory.dmp

          Filesize

          3.3MB

        • memory/1076-126-0x00007FF7644A0000-0x00007FF7647F1000-memory.dmp

          Filesize

          3.3MB

        • memory/1076-219-0x00007FF7644A0000-0x00007FF7647F1000-memory.dmp

          Filesize

          3.3MB

        • memory/1136-228-0x00007FF75E450000-0x00007FF75E7A1000-memory.dmp

          Filesize

          3.3MB

        • memory/1136-130-0x00007FF75E450000-0x00007FF75E7A1000-memory.dmp

          Filesize

          3.3MB

        • memory/1476-121-0x00007FF6B6A80000-0x00007FF6B6DD1000-memory.dmp

          Filesize

          3.3MB

        • memory/1476-226-0x00007FF6B6A80000-0x00007FF6B6DD1000-memory.dmp

          Filesize

          3.3MB

        • memory/1776-214-0x00007FF73F7C0000-0x00007FF73FB11000-memory.dmp

          Filesize

          3.3MB

        • memory/1776-44-0x00007FF73F7C0000-0x00007FF73FB11000-memory.dmp

          Filesize

          3.3MB

        • memory/1828-133-0x00007FF778A50000-0x00007FF778DA1000-memory.dmp

          Filesize

          3.3MB

        • memory/1828-245-0x00007FF778A50000-0x00007FF778DA1000-memory.dmp

          Filesize

          3.3MB

        • memory/1936-116-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp

          Filesize

          3.3MB

        • memory/1936-1-0x000001E343020000-0x000001E343030000-memory.dmp

          Filesize

          64KB

        • memory/1936-139-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp

          Filesize

          3.3MB

        • memory/1936-138-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp

          Filesize

          3.3MB

        • memory/1936-0-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp

          Filesize

          3.3MB

        • memory/2280-54-0x00007FF7D6940000-0x00007FF7D6C91000-memory.dmp

          Filesize

          3.3MB

        • memory/2280-223-0x00007FF7D6940000-0x00007FF7D6C91000-memory.dmp

          Filesize

          3.3MB

        • memory/2280-124-0x00007FF7D6940000-0x00007FF7D6C91000-memory.dmp

          Filesize

          3.3MB

        • memory/2320-134-0x00007FF778510000-0x00007FF778861000-memory.dmp

          Filesize

          3.3MB

        • memory/2320-241-0x00007FF778510000-0x00007FF778861000-memory.dmp

          Filesize

          3.3MB

        • memory/2404-230-0x00007FF76E830000-0x00007FF76EB81000-memory.dmp

          Filesize

          3.3MB

        • memory/2404-125-0x00007FF76E830000-0x00007FF76EB81000-memory.dmp

          Filesize

          3.3MB

        • memory/2404-64-0x00007FF76E830000-0x00007FF76EB81000-memory.dmp

          Filesize

          3.3MB

        • memory/3048-238-0x00007FF68B4B0000-0x00007FF68B801000-memory.dmp

          Filesize

          3.3MB

        • memory/3048-137-0x00007FF68B4B0000-0x00007FF68B801000-memory.dmp

          Filesize

          3.3MB

        • memory/3144-34-0x00007FF712B60000-0x00007FF712EB1000-memory.dmp

          Filesize

          3.3MB

        • memory/3144-120-0x00007FF712B60000-0x00007FF712EB1000-memory.dmp

          Filesize

          3.3MB

        • memory/3144-213-0x00007FF712B60000-0x00007FF712EB1000-memory.dmp

          Filesize

          3.3MB

        • memory/3400-193-0x00007FF7AB900000-0x00007FF7ABC51000-memory.dmp

          Filesize

          3.3MB

        • memory/3400-18-0x00007FF7AB900000-0x00007FF7ABC51000-memory.dmp

          Filesize

          3.3MB

        • memory/3400-118-0x00007FF7AB900000-0x00007FF7ABC51000-memory.dmp

          Filesize

          3.3MB

        • memory/3444-236-0x00007FF691AE0000-0x00007FF691E31000-memory.dmp

          Filesize

          3.3MB

        • memory/3444-135-0x00007FF691AE0000-0x00007FF691E31000-memory.dmp

          Filesize

          3.3MB

        • memory/3856-132-0x00007FF68E310000-0x00007FF68E661000-memory.dmp

          Filesize

          3.3MB

        • memory/3856-246-0x00007FF68E310000-0x00007FF68E661000-memory.dmp

          Filesize

          3.3MB

        • memory/4276-131-0x00007FF67B6F0000-0x00007FF67BA41000-memory.dmp

          Filesize

          3.3MB

        • memory/4276-221-0x00007FF67B6F0000-0x00007FF67BA41000-memory.dmp

          Filesize

          3.3MB

        • memory/4700-123-0x00007FF6DD5B0000-0x00007FF6DD901000-memory.dmp

          Filesize

          3.3MB

        • memory/4700-216-0x00007FF6DD5B0000-0x00007FF6DD901000-memory.dmp

          Filesize

          3.3MB

        • memory/4820-100-0x00007FF6C1FA0000-0x00007FF6C22F1000-memory.dmp

          Filesize

          3.3MB

        • memory/4820-127-0x00007FF6C1FA0000-0x00007FF6C22F1000-memory.dmp

          Filesize

          3.3MB

        • memory/4820-234-0x00007FF6C1FA0000-0x00007FF6C22F1000-memory.dmp

          Filesize

          3.3MB

        • memory/4824-22-0x00007FF7A9AF0000-0x00007FF7A9E41000-memory.dmp

          Filesize

          3.3MB

        • memory/4824-119-0x00007FF7A9AF0000-0x00007FF7A9E41000-memory.dmp

          Filesize

          3.3MB

        • memory/4824-206-0x00007FF7A9AF0000-0x00007FF7A9E41000-memory.dmp

          Filesize

          3.3MB

        • memory/4832-243-0x00007FF6472C0000-0x00007FF647611000-memory.dmp

          Filesize

          3.3MB

        • memory/4832-136-0x00007FF6472C0000-0x00007FF647611000-memory.dmp

          Filesize

          3.3MB

        • memory/4928-224-0x00007FF730CE0000-0x00007FF731031000-memory.dmp

          Filesize

          3.3MB

        • memory/4928-129-0x00007FF730CE0000-0x00007FF731031000-memory.dmp

          Filesize

          3.3MB

        • memory/4928-82-0x00007FF730CE0000-0x00007FF731031000-memory.dmp

          Filesize

          3.3MB

        • memory/4972-117-0x00007FF69E330000-0x00007FF69E681000-memory.dmp

          Filesize

          3.3MB

        • memory/4972-9-0x00007FF69E330000-0x00007FF69E681000-memory.dmp

          Filesize

          3.3MB

        • memory/4972-191-0x00007FF69E330000-0x00007FF69E681000-memory.dmp

          Filesize

          3.3MB