Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/10/2024, 06:36

General

  • Target

    2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    b3d35da5da48e4ced28158bef6ea655c

  • SHA1

    149f19200f8a34bcdb69a09b904a0a79192a7807

  • SHA256

    0cf3ef2b5d3a03e167031cf19840724f03214ba8cb1e9a59754fcfe2e5492e03

  • SHA512

    384d7e8a9399872bb138da11389a4bef77ee7a8ca55067619cee6e1fbfd44c6b45aaed627f15c9da3b61f2ad12d85fd2c032bf256cbfb0ff53652c23f836323a

  • SSDEEP

    49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibf56utgpPFotBER/mQ32lUQ

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Cobaltstrike family
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 45 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4492
    • C:\Windows\System\REEvpab.exe
      C:\Windows\System\REEvpab.exe
      2⤵
      • Executes dropped EXE
      PID:4520
    • C:\Windows\System\HLxZxNg.exe
      C:\Windows\System\HLxZxNg.exe
      2⤵
      • Executes dropped EXE
      PID:1140
    • C:\Windows\System\cpQuocK.exe
      C:\Windows\System\cpQuocK.exe
      2⤵
      • Executes dropped EXE
      PID:1728
    • C:\Windows\System\bsnFqyA.exe
      C:\Windows\System\bsnFqyA.exe
      2⤵
      • Executes dropped EXE
      PID:5020
    • C:\Windows\System\moCTHqA.exe
      C:\Windows\System\moCTHqA.exe
      2⤵
      • Executes dropped EXE
      PID:5028
    • C:\Windows\System\wXDJfYR.exe
      C:\Windows\System\wXDJfYR.exe
      2⤵
      • Executes dropped EXE
      PID:4480
    • C:\Windows\System\fYdIJAb.exe
      C:\Windows\System\fYdIJAb.exe
      2⤵
      • Executes dropped EXE
      PID:3608
    • C:\Windows\System\uKIysLq.exe
      C:\Windows\System\uKIysLq.exe
      2⤵
      • Executes dropped EXE
      PID:4980
    • C:\Windows\System\GNvyzoj.exe
      C:\Windows\System\GNvyzoj.exe
      2⤵
      • Executes dropped EXE
      PID:4456
    • C:\Windows\System\TZHSWgD.exe
      C:\Windows\System\TZHSWgD.exe
      2⤵
      • Executes dropped EXE
      PID:2672
    • C:\Windows\System\aPGTrEQ.exe
      C:\Windows\System\aPGTrEQ.exe
      2⤵
      • Executes dropped EXE
      PID:3648
    • C:\Windows\System\QBXVDDS.exe
      C:\Windows\System\QBXVDDS.exe
      2⤵
      • Executes dropped EXE
      PID:2780
    • C:\Windows\System\JmrCQAc.exe
      C:\Windows\System\JmrCQAc.exe
      2⤵
      • Executes dropped EXE
      PID:3616
    • C:\Windows\System\qHLrMtQ.exe
      C:\Windows\System\qHLrMtQ.exe
      2⤵
      • Executes dropped EXE
      PID:4868
    • C:\Windows\System\gDafbKx.exe
      C:\Windows\System\gDafbKx.exe
      2⤵
      • Executes dropped EXE
      PID:3440
    • C:\Windows\System\gvidqzI.exe
      C:\Windows\System\gvidqzI.exe
      2⤵
      • Executes dropped EXE
      PID:1112
    • C:\Windows\System\hLFMPXQ.exe
      C:\Windows\System\hLFMPXQ.exe
      2⤵
      • Executes dropped EXE
      PID:3288
    • C:\Windows\System\mIPqLPP.exe
      C:\Windows\System\mIPqLPP.exe
      2⤵
      • Executes dropped EXE
      PID:1388
    • C:\Windows\System\QcPciEV.exe
      C:\Windows\System\QcPciEV.exe
      2⤵
      • Executes dropped EXE
      PID:4924
    • C:\Windows\System\ozBMmoc.exe
      C:\Windows\System\ozBMmoc.exe
      2⤵
      • Executes dropped EXE
      PID:1640
    • C:\Windows\System\jaiWjkb.exe
      C:\Windows\System\jaiWjkb.exe
      2⤵
      • Executes dropped EXE
      PID:3160

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\System\GNvyzoj.exe

          Filesize

          5.2MB

          MD5

          d1919ecff259ac1a2229e3eaec8782de

          SHA1

          2e5a06074b25cb410fc962ab71edce4068176cb6

          SHA256

          844cd34f68b5195a0ab4ac7391fe986946d5e3c0e9cff05108f417da837973e3

          SHA512

          2cafb29ca50fb91bff52bda82fc1d9b21fd0be64ca8ef0d9b2ea45885cd7c6cf84cebce3c28934532ce8a645808b6c51949ab4756160ed883242645baa7c01f3

        • C:\Windows\System\HLxZxNg.exe

          Filesize

          5.2MB

          MD5

          c226c4a793e532cdddbcb6eab02e65ff

          SHA1

          48d06c9d3d6c09efacf2941ce94c7a10219684b5

          SHA256

          3a170fb3ea26aec8ef6992bf35bba6169413e8573b8e28828c42e92fbdb733d7

          SHA512

          252bc14c6e634dd9030a8e87249b2c42eb3d1c3af15a2bc68c1900367b501d62492335897d46a7ba51b19086058c9b7842d15b6a3789d2ae3537021afef9ffcc

        • C:\Windows\System\JmrCQAc.exe

          Filesize

          5.2MB

          MD5

          0e811e25105f06fd703efa76094a0172

          SHA1

          dc191ce7141d0fbac06b45fb56e56a51baedd8d1

          SHA256

          d5e68ae252262decf21e93f9225a7bf0d28e2931f76f7337082b0373dc2fd755

          SHA512

          e66de1ec15525152d9839136d36cbb275be84e879200d8f284029c30764bde31cdc5013f6e419008053afa6fa8f9e75cf718cf10335bd893ababd7fba38e0e9e

        • C:\Windows\System\QBXVDDS.exe

          Filesize

          5.2MB

          MD5

          b3eed2f9b9ea32596f62d0d423013b16

          SHA1

          b5c01f9f5f4002c0dc1215a80b9ab88df9578050

          SHA256

          5f044e86bd5dc982d9c8420999581da80be04e22bf6014bb5ffd2051b4283671

          SHA512

          f755349df980420421e232b2795b1bbdddc81db068f2de19dcfd3a98b1f0ebd88f1b58d770d2abb2fef55ebefd2cf34d5ba693d8a805f1dd6df34cd1341e526b

        • C:\Windows\System\QcPciEV.exe

          Filesize

          5.2MB

          MD5

          789a05f9b6e8e7345afe1642e8d37d32

          SHA1

          c97e923274732b6ce834aeede176c5bb5b31f17d

          SHA256

          aa9985456e9723b411ee231494b3626c40e741aca0bceb6b105fbe09c6dda859

          SHA512

          54fb9b1a1043283dfe93bde18ff81088fd9b0faa2c399a9803bf7e2941d3b24654f67ffc385e28cd4d4542e4402b24c2778c08a647b99534bbe8e3caddd7b8ba

        • C:\Windows\System\REEvpab.exe

          Filesize

          5.2MB

          MD5

          f72cbbbf686f81ebabc23252ac7aeb7b

          SHA1

          87098c09a2f829563841e118ec1efb288398f718

          SHA256

          0e4c733ad4d8c0bd6392065baeba831fa40198a0216e6e35938bbadeb690f852

          SHA512

          fe6df8794bde67896d38b563ffc84d0f18892f492e7120d7874e31d534f5d8a4e2a8a3e487e8d271ee80f9fc6ac8bbd36c6421820706e588cbe62e5dbcf7512b

        • C:\Windows\System\TZHSWgD.exe

          Filesize

          5.2MB

          MD5

          c5b64e1c51e0f8243f0028ba24a592ec

          SHA1

          55640b9098fd8c70a0c06f3639a22d35392a19a4

          SHA256

          8561678b78ab3e32b2820b2883fe9eb69b1d6390baebf131f24fbd2cada15b87

          SHA512

          a00b00c8d11ca190372b8fefa006b3a4d986c4fa71401ccbfd1de7e52bd5de0591e2917ec6e124237ae7dfcd970a0a933d7c1734a98d60f09905bc3204795718

        • C:\Windows\System\aPGTrEQ.exe

          Filesize

          5.2MB

          MD5

          52675f4ab5ec8513ecf507c4655ddf78

          SHA1

          88d9bc40a590c61629d1f99e3976b6c5ca2666d8

          SHA256

          97652f2ea3c8997cdfd6651bb6792de47cf3793f9a5d3436572ff12d480246b8

          SHA512

          a4d462dc312fd877b21f0f009f8ec8995c11c8ef0158da0c185ca82739922e747ed279a0be005a8548ba3d302375a7ca22c8c1137c11c49c436198d3edb118f0

        • C:\Windows\System\bsnFqyA.exe

          Filesize

          5.2MB

          MD5

          14bf91da3603fd349bbba121711563d6

          SHA1

          4858e142b233c8931b95a3a427b2fdf94b83765f

          SHA256

          a4eb03c8520a239adb4eb50031ddc4465dd1f72c43fa5ac723239991d22b47ef

          SHA512

          e8d7d75f583c37e16177250f69843b6d14d9dda92610a7c7573547cc903947997dffa7226b087651800ae2daea52bb1b91405cafbe1d549d65073d77366bffe4

        • C:\Windows\System\cpQuocK.exe

          Filesize

          5.2MB

          MD5

          905edd8c977a24a4a54272327e33d76d

          SHA1

          36387748787931d9b83d686ddf43dd697a96afe1

          SHA256

          a457e9d615583800831490ec65216a208ada7671f3f3383e1c0ab354d02e4700

          SHA512

          33bad3aded3495005c53461159d3bff9452585e0fa14dba5c368f78d3055f3f5203179e6492630633207e2cf7888c56b2ecb93b9faa8a465a8cebf50b316305a

        • C:\Windows\System\fYdIJAb.exe

          Filesize

          5.2MB

          MD5

          87fab2e9d189500aff27ae2950946e42

          SHA1

          1e1ab35d64ef66c9b40b6d9c7c64aa2dee4a9e5e

          SHA256

          7e2b97e76f54ed393a37cbd9238693ec596c4db2db6d6941c6ef93d0dbeb8b08

          SHA512

          16a7f0749c15ddbbf8db0d2fa2c5bbb1c453b69cf2cae3f82d57badf407b5d294e9eb72383d1aa2df0daf6a44b098f9b77bcab49ea364ea8ce3e60470955ce43

        • C:\Windows\System\gDafbKx.exe

          Filesize

          5.2MB

          MD5

          ef6109cccfca1d7c1191ca99413f1ee7

          SHA1

          10fca5f9b551c0220f63fb4368a0dcb15893acfd

          SHA256

          c54fc13d73d517517dbc77c6a31d815892bebd34785a89e6334f04ee98c00e40

          SHA512

          b05ad0be48c86fed176ea687f1a287467744b25ca69486dcf189720413c3928692180184af38308bb7d0791f685cd412df762ea996b3f022a62246a5dfedf06c

        • C:\Windows\System\gvidqzI.exe

          Filesize

          5.2MB

          MD5

          5545fd5d54df4b4e9920dcf7b9402e18

          SHA1

          081113b1ccc72803bf213229241f02ae66533247

          SHA256

          4c8bbea5e8e3bc6912c4e317b90f555cab16c765a77f03c76d73169c0b0528d9

          SHA512

          3f8da1a573570300959f478ffdac77376da57882e141289394fcf522770f852771e35411029eae60cfffc049d77f129ad48795c98f9f5d745e0feb62e79f32ab

        • C:\Windows\System\hLFMPXQ.exe

          Filesize

          5.2MB

          MD5

          c4d1afaeacdfbb0bae4c3ce5f59f61a9

          SHA1

          4f2268e3993d127269307f29b64bbca21c8ee3c1

          SHA256

          0e8ba8f3352e52c6c808187866ed1157308c81423b26d769f15437bd8052f45a

          SHA512

          3176f6f63a8ddb3b9c5120717f7b4bb5ea82fa3d0e07620ddffc85de189b35f4698aca220f883eef04e59175ee6f055b86182495652d1b58fdb4478fcd99314a

        • C:\Windows\System\jaiWjkb.exe

          Filesize

          5.2MB

          MD5

          9b80ca68c41d236bee400b74bce759f6

          SHA1

          745e6d218103a5dde73da619c1ac7f5c3f05680f

          SHA256

          62a1cb7134826e3824d12f67b7df53b058778642c355c0b7d2d97409b70b8ff9

          SHA512

          902fdf43dde008fb753a59a9a53093cdbe7c4ef101713c811368c4c8bbd5c040bd92eeb937e81917cb0989bfe4ecddfa117a3c9e9f88a6afc96d070a996edf06

        • C:\Windows\System\mIPqLPP.exe

          Filesize

          5.2MB

          MD5

          36b8c4f1c36996fb3c1a722975fb3cc6

          SHA1

          e35f73f534b3b7581b37c0d3d84b80570361c033

          SHA256

          e5f2e79ec221efe355dddf4c0d7db9dd8555f1d9511e4fb69e224683fbdb90e1

          SHA512

          1888a905fbde245a96206e4ff61b0b6b8bab9634ecb54b035643f9bcf1a2b80b8470ff4e7190a6c1aa3861c98074526f9a44f3bc02e509fc9a3beb745d4d7fad

        • C:\Windows\System\moCTHqA.exe

          Filesize

          5.2MB

          MD5

          7c426409871a0240fca054e04bdeefd7

          SHA1

          2c4964a4ff6d4ee2f867c30bd0a312fde8010c47

          SHA256

          87153fedc1ae604f1e8f91bdc43648eacceed42d072c3b12722a98e5dc986836

          SHA512

          e209b3f876d90dee7ef1f772df7d5f60530326f64a622f480aa92e733d266c1cb6858d3f0ca585d963d06590fb59f4734bdf75c078ff3d52527f5abc18daf950

        • C:\Windows\System\ozBMmoc.exe

          Filesize

          5.2MB

          MD5

          edd7c433e42ee7473657fa3e6a9db27a

          SHA1

          63a7bad2107b5706474440b31ce480d41cecd7d9

          SHA256

          96ceb81fcc33d049947a10be5a002622a8c6e6ae1dc9cc58726393cc8f2ed4a1

          SHA512

          a23eb6a87fb0f7a6eff484599a3d90a02d0160febacd8db23dc8c0f4b2d57c013eeae8fb00d1dcd70af61ceb6b0ff48fb77338d9b309f12f9bf7b79fffdc49ab

        • C:\Windows\System\qHLrMtQ.exe

          Filesize

          5.2MB

          MD5

          bdad01dd6d071e03cc2455a246989d10

          SHA1

          83729ffdab11661c3008387d16ec3ea016150193

          SHA256

          faf9df1e168f7916ef4920cea772288bc349227a51ab29eae0dbebfa0b0da30b

          SHA512

          ad216c516a3e82343e3f60aa87b3b7fe9d975ca70e9526c3e5a6ee5a8c53203f750be3294d74fe2578b10b3d1904dc0c2ff9023ba433e02a32e958f42f61617f

        • C:\Windows\System\uKIysLq.exe

          Filesize

          5.2MB

          MD5

          80e8b9e21d517d54922ccd579c0be708

          SHA1

          6aee4de544e97e36134c1dc6c38ce681b15db545

          SHA256

          ceaa3dfb352966fc5d146eaa8654a5fe37e57cc8d109c7b4d15e46b807e65002

          SHA512

          7b745636846987e2c46e215dafac67edc92bf972c568cf334897611d736998d8ae57b6fad561d3cd2d422bec921f3b7dccc9f8b4688f149239b905d2f0d7f7d3

        • C:\Windows\System\wXDJfYR.exe

          Filesize

          5.2MB

          MD5

          5c15806a07c61df9d50ff0550d289a3c

          SHA1

          c38a4049cabc1d9b82542015e1f59ee88ec64a15

          SHA256

          ad19fee7173c6b17fb1d5b7224a68fb1ef9a651db67a8e496f8f3b504991f091

          SHA512

          26636242647ff7002623712ae2a25fb1d89478471b8510f201888d5c7ac7936046eba6d3b4fd070dc6232770f07da1b0bfd68bc6a5acbdd12add9e41e3253380

        • memory/1112-261-0x00007FF796EE0000-0x00007FF797231000-memory.dmp

          Filesize

          3.3MB

        • memory/1112-159-0x00007FF796EE0000-0x00007FF797231000-memory.dmp

          Filesize

          3.3MB

        • memory/1112-113-0x00007FF796EE0000-0x00007FF797231000-memory.dmp

          Filesize

          3.3MB

        • memory/1140-12-0x00007FF737ED0000-0x00007FF738221000-memory.dmp

          Filesize

          3.3MB

        • memory/1140-62-0x00007FF737ED0000-0x00007FF738221000-memory.dmp

          Filesize

          3.3MB

        • memory/1140-214-0x00007FF737ED0000-0x00007FF738221000-memory.dmp

          Filesize

          3.3MB

        • memory/1388-126-0x00007FF6D4D90000-0x00007FF6D50E1000-memory.dmp

          Filesize

          3.3MB

        • memory/1388-168-0x00007FF6D4D90000-0x00007FF6D50E1000-memory.dmp

          Filesize

          3.3MB

        • memory/1388-269-0x00007FF6D4D90000-0x00007FF6D50E1000-memory.dmp

          Filesize

          3.3MB

        • memory/1640-273-0x00007FF725AF0000-0x00007FF725E41000-memory.dmp

          Filesize

          3.3MB

        • memory/1640-171-0x00007FF725AF0000-0x00007FF725E41000-memory.dmp

          Filesize

          3.3MB

        • memory/1640-139-0x00007FF725AF0000-0x00007FF725E41000-memory.dmp

          Filesize

          3.3MB

        • memory/1728-18-0x00007FF74A310000-0x00007FF74A661000-memory.dmp

          Filesize

          3.3MB

        • memory/1728-63-0x00007FF74A310000-0x00007FF74A661000-memory.dmp

          Filesize

          3.3MB

        • memory/1728-216-0x00007FF74A310000-0x00007FF74A661000-memory.dmp

          Filesize

          3.3MB

        • memory/2672-239-0x00007FF7A5850000-0x00007FF7A5BA1000-memory.dmp

          Filesize

          3.3MB

        • memory/2672-125-0x00007FF7A5850000-0x00007FF7A5BA1000-memory.dmp

          Filesize

          3.3MB

        • memory/2672-64-0x00007FF7A5850000-0x00007FF7A5BA1000-memory.dmp

          Filesize

          3.3MB

        • memory/2780-250-0x00007FF767870000-0x00007FF767BC1000-memory.dmp

          Filesize

          3.3MB

        • memory/2780-77-0x00007FF767870000-0x00007FF767BC1000-memory.dmp

          Filesize

          3.3MB

        • memory/2780-138-0x00007FF767870000-0x00007FF767BC1000-memory.dmp

          Filesize

          3.3MB

        • memory/3160-275-0x00007FF6CFD80000-0x00007FF6D00D1000-memory.dmp

          Filesize

          3.3MB

        • memory/3160-152-0x00007FF6CFD80000-0x00007FF6D00D1000-memory.dmp

          Filesize

          3.3MB

        • memory/3288-267-0x00007FF625010000-0x00007FF625361000-memory.dmp

          Filesize

          3.3MB

        • memory/3288-123-0x00007FF625010000-0x00007FF625361000-memory.dmp

          Filesize

          3.3MB

        • memory/3440-107-0x00007FF77D890000-0x00007FF77DBE1000-memory.dmp

          Filesize

          3.3MB

        • memory/3440-259-0x00007FF77D890000-0x00007FF77DBE1000-memory.dmp

          Filesize

          3.3MB

        • memory/3608-236-0x00007FF7F84A0000-0x00007FF7F87F1000-memory.dmp

          Filesize

          3.3MB

        • memory/3608-45-0x00007FF7F84A0000-0x00007FF7F87F1000-memory.dmp

          Filesize

          3.3MB

        • memory/3608-108-0x00007FF7F84A0000-0x00007FF7F87F1000-memory.dmp

          Filesize

          3.3MB

        • memory/3616-252-0x00007FF642050000-0x00007FF6423A1000-memory.dmp

          Filesize

          3.3MB

        • memory/3616-150-0x00007FF642050000-0x00007FF6423A1000-memory.dmp

          Filesize

          3.3MB

        • memory/3616-85-0x00007FF642050000-0x00007FF6423A1000-memory.dmp

          Filesize

          3.3MB

        • memory/3648-75-0x00007FF75DD10000-0x00007FF75E061000-memory.dmp

          Filesize

          3.3MB

        • memory/3648-248-0x00007FF75DD10000-0x00007FF75E061000-memory.dmp

          Filesize

          3.3MB

        • memory/4456-55-0x00007FF768F60000-0x00007FF7692B1000-memory.dmp

          Filesize

          3.3MB

        • memory/4456-120-0x00007FF768F60000-0x00007FF7692B1000-memory.dmp

          Filesize

          3.3MB

        • memory/4456-242-0x00007FF768F60000-0x00007FF7692B1000-memory.dmp

          Filesize

          3.3MB

        • memory/4480-234-0x00007FF73A6E0000-0x00007FF73AA31000-memory.dmp

          Filesize

          3.3MB

        • memory/4480-104-0x00007FF73A6E0000-0x00007FF73AA31000-memory.dmp

          Filesize

          3.3MB

        • memory/4480-36-0x00007FF73A6E0000-0x00007FF73AA31000-memory.dmp

          Filesize

          3.3MB

        • memory/4492-157-0x00007FF6CF400000-0x00007FF6CF751000-memory.dmp

          Filesize

          3.3MB

        • memory/4492-1-0x00000239FAE70000-0x00000239FAE80000-memory.dmp

          Filesize

          64KB

        • memory/4492-183-0x00007FF6CF400000-0x00007FF6CF751000-memory.dmp

          Filesize

          3.3MB

        • memory/4492-0-0x00007FF6CF400000-0x00007FF6CF751000-memory.dmp

          Filesize

          3.3MB

        • memory/4492-48-0x00007FF6CF400000-0x00007FF6CF751000-memory.dmp

          Filesize

          3.3MB

        • memory/4520-54-0x00007FF734400000-0x00007FF734751000-memory.dmp

          Filesize

          3.3MB

        • memory/4520-7-0x00007FF734400000-0x00007FF734751000-memory.dmp

          Filesize

          3.3MB

        • memory/4520-212-0x00007FF734400000-0x00007FF734751000-memory.dmp

          Filesize

          3.3MB

        • memory/4868-90-0x00007FF7CFC10000-0x00007FF7CFF61000-memory.dmp

          Filesize

          3.3MB

        • memory/4868-254-0x00007FF7CFC10000-0x00007FF7CFF61000-memory.dmp

          Filesize

          3.3MB

        • memory/4868-153-0x00007FF7CFC10000-0x00007FF7CFF61000-memory.dmp

          Filesize

          3.3MB

        • memory/4924-173-0x00007FF6A72B0000-0x00007FF6A7601000-memory.dmp

          Filesize

          3.3MB

        • memory/4924-132-0x00007FF6A72B0000-0x00007FF6A7601000-memory.dmp

          Filesize

          3.3MB

        • memory/4924-271-0x00007FF6A72B0000-0x00007FF6A7601000-memory.dmp

          Filesize

          3.3MB

        • memory/4980-241-0x00007FF79F3F0000-0x00007FF79F741000-memory.dmp

          Filesize

          3.3MB

        • memory/4980-111-0x00007FF79F3F0000-0x00007FF79F741000-memory.dmp

          Filesize

          3.3MB

        • memory/4980-52-0x00007FF79F3F0000-0x00007FF79F741000-memory.dmp

          Filesize

          3.3MB

        • memory/5020-71-0x00007FF7BDF90000-0x00007FF7BE2E1000-memory.dmp

          Filesize

          3.3MB

        • memory/5020-24-0x00007FF7BDF90000-0x00007FF7BE2E1000-memory.dmp

          Filesize

          3.3MB

        • memory/5020-218-0x00007FF7BDF90000-0x00007FF7BE2E1000-memory.dmp

          Filesize

          3.3MB

        • memory/5028-29-0x00007FF7F73F0000-0x00007FF7F7741000-memory.dmp

          Filesize

          3.3MB

        • memory/5028-223-0x00007FF7F73F0000-0x00007FF7F7741000-memory.dmp

          Filesize

          3.3MB

        • memory/5028-83-0x00007FF7F73F0000-0x00007FF7F7741000-memory.dmp

          Filesize

          3.3MB