Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 15:48

General

  • Target

    2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    4e0987837fb5da33e09b7852d3075ee5

  • SHA1

    aeaff3e4506f4d14b22a848cd7290dd1e5dcfe3b

  • SHA256

    627bf59509313d97ab8a2972bd27135583fccd1ec2054d9c818bdbdb2d76797f

  • SHA512

    2d7c3360bc5c0b7aee18bd9b49903151b6e9dfa526117283dade959364b254b1a2b16d786f7931a3e9ef7a034365f420d982f09928e6623e01a3455a3c4ad138

  • SSDEEP

    49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lg:RWWBibd56utgpPFotBER/mQ32lUM

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Cobaltstrike family
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 46 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\System\dOlJUfP.exe
      C:\Windows\System\dOlJUfP.exe
      2⤵
      • Executes dropped EXE
      PID:4424
    • C:\Windows\System\dhRCBfx.exe
      C:\Windows\System\dhRCBfx.exe
      2⤵
      • Executes dropped EXE
      PID:3464
    • C:\Windows\System\cNjqzlW.exe
      C:\Windows\System\cNjqzlW.exe
      2⤵
      • Executes dropped EXE
      PID:1572
    • C:\Windows\System\pfNoDHV.exe
      C:\Windows\System\pfNoDHV.exe
      2⤵
      • Executes dropped EXE
      PID:4244
    • C:\Windows\System\mMTdqMD.exe
      C:\Windows\System\mMTdqMD.exe
      2⤵
      • Executes dropped EXE
      PID:5056
    • C:\Windows\System\KyKCGvg.exe
      C:\Windows\System\KyKCGvg.exe
      2⤵
      • Executes dropped EXE
      PID:4776
    • C:\Windows\System\xmaJdvR.exe
      C:\Windows\System\xmaJdvR.exe
      2⤵
      • Executes dropped EXE
      PID:4392
    • C:\Windows\System\jzInWfI.exe
      C:\Windows\System\jzInWfI.exe
      2⤵
      • Executes dropped EXE
      PID:4336
    • C:\Windows\System\AiTHIwA.exe
      C:\Windows\System\AiTHIwA.exe
      2⤵
      • Executes dropped EXE
      PID:1420
    • C:\Windows\System\ITGtWPq.exe
      C:\Windows\System\ITGtWPq.exe
      2⤵
      • Executes dropped EXE
      PID:4360
    • C:\Windows\System\BduGTDT.exe
      C:\Windows\System\BduGTDT.exe
      2⤵
      • Executes dropped EXE
      PID:732
    • C:\Windows\System\lwpFgQI.exe
      C:\Windows\System\lwpFgQI.exe
      2⤵
      • Executes dropped EXE
      PID:2840
    • C:\Windows\System\uuZPvEe.exe
      C:\Windows\System\uuZPvEe.exe
      2⤵
      • Executes dropped EXE
      PID:3680
    • C:\Windows\System\aEygsxg.exe
      C:\Windows\System\aEygsxg.exe
      2⤵
      • Executes dropped EXE
      PID:3772
    • C:\Windows\System\bwjaFhf.exe
      C:\Windows\System\bwjaFhf.exe
      2⤵
      • Executes dropped EXE
      PID:892
    • C:\Windows\System\zufUofr.exe
      C:\Windows\System\zufUofr.exe
      2⤵
      • Executes dropped EXE
      PID:4444
    • C:\Windows\System\adnyHxz.exe
      C:\Windows\System\adnyHxz.exe
      2⤵
      • Executes dropped EXE
      PID:2372
    • C:\Windows\System\tViZCKL.exe
      C:\Windows\System\tViZCKL.exe
      2⤵
      • Executes dropped EXE
      PID:2996
    • C:\Windows\System\ykTtcUq.exe
      C:\Windows\System\ykTtcUq.exe
      2⤵
      • Executes dropped EXE
      PID:752
    • C:\Windows\System\gMEWJjN.exe
      C:\Windows\System\gMEWJjN.exe
      2⤵
      • Executes dropped EXE
      PID:1324
    • C:\Windows\System\nAZnDdo.exe
      C:\Windows\System\nAZnDdo.exe
      2⤵
      • Executes dropped EXE
      PID:888

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\System\AiTHIwA.exe

          Filesize

          5.2MB

          MD5

          c87529a90e6f9c71b1cde0c4618143d0

          SHA1

          fc6e2d3f7e4e4b2b9c187952046f4387b8e0ec07

          SHA256

          5ddf0ff59084c491527f50db1f14138317015dc58c11f87fa52bce1d7f96c6cd

          SHA512

          b163b4b4288da8c4557e29a9ffaa1479ce9f10e1b4c835b8f5cfdd8a0f6c15702e707ad5aee8c5c0ee1eb5326af56bedda6985a365bc9a5f9de76b6ada3afc99

        • C:\Windows\System\BduGTDT.exe

          Filesize

          5.2MB

          MD5

          fe3788f812d5180761888e5fa1a25392

          SHA1

          727c7c8542acc9e5ef31b35ec4f7294f6e0daaf3

          SHA256

          9ade302588f06b61b3ae753eff2b2992e333043f1d80aba3c2419deb217167ed

          SHA512

          43b66b4114bfc8d1a99bdeafefccb785e06b8e70704c69449db6acc19c3a6f519101a631af1be8aa239d4ba15dce8c3b2f6a97267b50219658a2d3c379f891c2

        • C:\Windows\System\ITGtWPq.exe

          Filesize

          5.2MB

          MD5

          f6cff765ca7358ec6e9aceaf8114857f

          SHA1

          3735b376b472d5e5d16d2393884ff9649ace8f20

          SHA256

          3cf1749e131adcf89cd98574a1484650c693245b925e005f9733dcb652f0f492

          SHA512

          e894e08353e883633b82b5a072a6110693b183df810f4ae4f2c83adcf8b2ff194b5d313763abd0142fdb38b0abd76da9017b7ad5f38b136f661225f882bd04a8

        • C:\Windows\System\KyKCGvg.exe

          Filesize

          5.2MB

          MD5

          bd8219a4c62cff3e8c4fa6d14b364fe7

          SHA1

          45c21dd3260e0334f136299d6129c9fe5d9adf62

          SHA256

          b45cc4dc517dfa86df52a198dca1c055f1ad0463c40fa6e294dc068a3fa2062c

          SHA512

          429c550b5072a6c2b360d5f6b51827b933b9a79beffd4dfe037f429ab90392b55b5faa7436321094f59ae239fa4720c6d1410bb707f5cc78d815a0da6b47c0a3

        • C:\Windows\System\aEygsxg.exe

          Filesize

          5.2MB

          MD5

          4853deb4b8bbcdf358dbf95a67d8c966

          SHA1

          10508b7e466f71d776460701244e82b6dcc3cf1c

          SHA256

          5f123c9f2f6d6e01c3ee6aa498889d3c935784979e8bebd61c8652b9ffb23e5c

          SHA512

          6fb151dd1166c5aaceb5eabd339f4fc61cab2b47e9c10a8f3a6720f98ec4a91f228b8ff89cd1727edb7b86f3007efae9761980e78e41d5fefdcbdcee17827940

        • C:\Windows\System\adnyHxz.exe

          Filesize

          5.2MB

          MD5

          8f23d394252f614a39815d8d0f76d938

          SHA1

          1f11b6fc6408f929ec6bbc689309393e9c7ccbc6

          SHA256

          1eda6ef0a95528cd3f8be7687cb99489f9c27fe6762648cf55238905779facb8

          SHA512

          88cacee4f2b1ad3c624ad4210ecdf88a44d2aa016980e96c2836f1bdafffdd62da1cc5a24ff29629547db8089433ffb7ecc23f6f5b880e25c49936aff729d419

        • C:\Windows\System\bwjaFhf.exe

          Filesize

          5.2MB

          MD5

          7480fb196400e769b7efbb179794105f

          SHA1

          6c757e4d80aaf91070480e0f97fb7a6906cab291

          SHA256

          64f385f6df99ea05030f1f424bec2344fd90d711471fc8ccfbfb8c1a0298d471

          SHA512

          9316daff5c13e72fa7736443bd9e2496a8eef341e0f279c2838918d529898fb411632571f2641be678cda53f7581ecf39d1484192831f27c8c1b05a79c4a5243

        • C:\Windows\System\cNjqzlW.exe

          Filesize

          5.2MB

          MD5

          c0b94d705346add5f44eb1fa1e6f3e26

          SHA1

          68b23878921759eac92370d077540c5eb8f2dc8d

          SHA256

          7ee9f817b95ecf504adb3ed0da9b725b1fdd343318fcdea72f39419008a467fd

          SHA512

          558df339682bcaf076752da39016c817ce1bedff372b34fb9dd81c906e935e3b4038cc987f92429f5bfbdf88bc51812613c52c47a0046198cad55f98debfe224

        • C:\Windows\System\dOlJUfP.exe

          Filesize

          5.2MB

          MD5

          e9a6a9dbb85ea60ddfcb370611edf874

          SHA1

          dd0f54478055adcd41edacf5a59374f4bb3c401b

          SHA256

          365f6b879ee7b4c243e987d0a989285c782b40680d4cd457a40cdce4acb70e44

          SHA512

          9677b171986bb2c964f35f032c916d7d9afd4ce0a0885f7409c350978cce1dcf978750c153f26c74bcad1451f7c2a1ddff421f54d6159cb79f42e19ca80228cb

        • C:\Windows\System\dhRCBfx.exe

          Filesize

          5.2MB

          MD5

          079762613fed53684b685794bc83b4bf

          SHA1

          369ef5fcc3b85a80dcb4e40aba4c3105cf95f60c

          SHA256

          e0e00eafa99127dd6430f9be654d15b7c527509d2dc3a4b6f4922cf1ea68bcf9

          SHA512

          8e6eba0baceb7357a6cc930405aab592dff7d515fa3940910c43f5e6b01669aab6e71f41732c72246051098acc9fe80800269609b1619fae87648aa7db83edef

        • C:\Windows\System\gMEWJjN.exe

          Filesize

          5.2MB

          MD5

          0d1e720bd7c19c293034eb8eb399472e

          SHA1

          31ee9bceb9919f3e17d3dae12c4b1293b6521caf

          SHA256

          5504997df9f4a1e6948b64c8e417a3d517e8b0c8500a62a96ae6dcef39346b89

          SHA512

          157235d4e61476ea7cb121bec4ab8b1ac726fbd59c893bcc3f0c2724e063a69ac0d982acb7d6b25584d23214820369a8448e05e2eeac3b11f86199b1064d15f4

        • C:\Windows\System\jzInWfI.exe

          Filesize

          5.2MB

          MD5

          92a702da68428067fb8148e4ed1e94ce

          SHA1

          638c795226ed6d804d76199beccb11c2bbe223de

          SHA256

          abff49ed1640169e4dfd8eb2326bdef59e17432675522b61a8ad7dd8c18b1831

          SHA512

          b6bfe99234b44ed9614de1e8d2a108ab46214e779cdeadb477e523e270cd383a9eeb5f10eb46ec4702232eb7811a797735af70cf5a8a0c7bac65801a886ab75b

        • C:\Windows\System\lwpFgQI.exe

          Filesize

          5.2MB

          MD5

          16896adb283d0a022b07b6aaf2a058a9

          SHA1

          cc15666a4c59ed26bf6dc27704ec0d9b222104ef

          SHA256

          3a3ce17d54fd381f3b3e28816d4543ab432d5ed0814926ab479120d815d05933

          SHA512

          1dfd0966b375cac69a31f58b1a7860c6df72f2130684e9beb8435dbae01f6bd6c83ed0e867235376972ee2dd31c205714439ce4c073c3381773a65466e2b471f

        • C:\Windows\System\mMTdqMD.exe

          Filesize

          5.2MB

          MD5

          23e02ffc2d38395979c020b146d82878

          SHA1

          b761e07714d931ae3742b9332e4d26991404dc39

          SHA256

          2a2e36762374ae06fdd77efe70eb8001412b8a9ac247fba6e6d13d0c4b54c9b5

          SHA512

          7eb8f6a19db0b8ae7feed5c84a8fe6749819429347b17723448f73a1f96c9be4a86b35aefa035c74f0a55d3bb33fad13ede65d4f9508dd2a5d53eee6e5e3cc66

        • C:\Windows\System\nAZnDdo.exe

          Filesize

          5.2MB

          MD5

          3eab7768f05066a7d957f76138b2318a

          SHA1

          d4ebb9d8edcc74365a22cbdde44a4ad7cce234e0

          SHA256

          d1619364fded668f8a384dbe1a9503e3a03c50ec66c5f4a6dfaed7b634a5dcfe

          SHA512

          894228044e906ce492fb4a743d75f9d45d3af63301a4790762dd0f318bc229b2ac0d255afd691c176901922ee8a357ca3974e64441926e616af9c79ded35b68b

        • C:\Windows\System\pfNoDHV.exe

          Filesize

          5.2MB

          MD5

          bd6b7aa99d22efa76da26000c0ccb11c

          SHA1

          041ccb7544cacfd8080e316e97cef08f457008ef

          SHA256

          253b447a9cec0bd03f521c7e00434ce41bee007f211365f3382a028fd523a9fa

          SHA512

          c84a635141d5992560931d670d3884a87cd635ad7134ae972debfc5579d3df3211e1aa572b02e62222e908f0822d68178f1f3363aca00a843a93ac39fdbae1e8

        • C:\Windows\System\tViZCKL.exe

          Filesize

          5.2MB

          MD5

          ece8dab3448b67fa23e9fd9750c2b21f

          SHA1

          a611749afc53a0e92849eb5646a20ba5ea871c82

          SHA256

          a6fb17a06521085380cdc3525775c733fe7baea49e4fff3d1b39e547aadb451a

          SHA512

          767a9cf2499bab55080de8f6febc502888bd3b6b32a51686e22d622ba82cb1c6acdeff5daceac0b03a5380e2482158e89fdaa4c8e782763d0de2ab63c484a02a

        • C:\Windows\System\uuZPvEe.exe

          Filesize

          5.2MB

          MD5

          d2bc4d1392ac8bfc558d8d60c79c12ed

          SHA1

          4575e24b8143efc6bc7ff3568a7dac55eeddf745

          SHA256

          9e983b7aaa75376974d975cde5bbbdd098d9260ad802163845e3a520de9d49e6

          SHA512

          37a2cb5e67a5595d7613d8133107bbba434a21d4a370fdf8c3e75be6415a8fe638ff7311da9d8138b4ca9b36cab55ae1d75d1d59f00b7bd07ae93e257aa82451

        • C:\Windows\System\xmaJdvR.exe

          Filesize

          5.2MB

          MD5

          22fd57850ffa55b526f92c267489b661

          SHA1

          cbe5bc43b1780cc8b89be23be9b0945dd30a9617

          SHA256

          e788fbce21a1d87aec42e206e6f07e38841702138fe72075cf08bf3804059451

          SHA512

          2506312a5704fd5d1c1a18d2cc8a99ee83210e3bd4f6da456b360118ddf1a1415d39f7c335e6d5cd3c28b9b41dc73715e6e5bd1c629e43bdcbbee643befff75a

        • C:\Windows\System\ykTtcUq.exe

          Filesize

          5.2MB

          MD5

          e6f81648a19159a1c1e9fd69454521f9

          SHA1

          42fd0feaff8c10fd43a3e37a9d31e883f69dd0c3

          SHA256

          5d7f68c07d40ffd3c409e6b0a2e26fc97e5fa45d4e64ee37eb692fbc0be5da36

          SHA512

          022efff137e0da4a04ce36fd0ccbd0cd1c39c5be480019cd4db06f007e6e9740941a648e8d9e0f20bc7ffa9fa859730ef394e10383a61c17e5ca180c0c10ec98

        • C:\Windows\System\zufUofr.exe

          Filesize

          5.2MB

          MD5

          8b33dce1c03a7828016f39d8cb18481d

          SHA1

          058f6b1d52bb8dc2ae1844280dc99ef765383d07

          SHA256

          b14e6965d26545912384a50eba38b42ffe5ff8a26fb68673729a4c79f089c4ed

          SHA512

          cdd67d74f72340448dd8194fb74efd9301b25fd00ee952a0b300b0f92dd25ce1ffdcd3f3bd68f0e34607baca92605e899faf7671357f29fca488f38614d79a1b

        • memory/732-243-0x00007FF6940B0000-0x00007FF694401000-memory.dmp

          Filesize

          3.3MB

        • memory/732-87-0x00007FF6940B0000-0x00007FF694401000-memory.dmp

          Filesize

          3.3MB

        • memory/752-257-0x00007FF6BCEA0000-0x00007FF6BD1F1000-memory.dmp

          Filesize

          3.3MB

        • memory/752-135-0x00007FF6BCEA0000-0x00007FF6BD1F1000-memory.dmp

          Filesize

          3.3MB

        • memory/752-165-0x00007FF6BCEA0000-0x00007FF6BD1F1000-memory.dmp

          Filesize

          3.3MB

        • memory/888-251-0x00007FF625970000-0x00007FF625CC1000-memory.dmp

          Filesize

          3.3MB

        • memory/888-144-0x00007FF625970000-0x00007FF625CC1000-memory.dmp

          Filesize

          3.3MB

        • memory/892-235-0x00007FF780DD0000-0x00007FF781121000-memory.dmp

          Filesize

          3.3MB

        • memory/892-98-0x00007FF780DD0000-0x00007FF781121000-memory.dmp

          Filesize

          3.3MB

        • memory/1324-143-0x00007FF745B80000-0x00007FF745ED1000-memory.dmp

          Filesize

          3.3MB

        • memory/1324-255-0x00007FF745B80000-0x00007FF745ED1000-memory.dmp

          Filesize

          3.3MB

        • memory/1420-82-0x00007FF7788B0000-0x00007FF778C01000-memory.dmp

          Filesize

          3.3MB

        • memory/1420-234-0x00007FF7788B0000-0x00007FF778C01000-memory.dmp

          Filesize

          3.3MB

        • memory/1572-23-0x00007FF6469F0000-0x00007FF646D41000-memory.dmp

          Filesize

          3.3MB

        • memory/1572-211-0x00007FF6469F0000-0x00007FF646D41000-memory.dmp

          Filesize

          3.3MB

        • memory/1572-105-0x00007FF6469F0000-0x00007FF646D41000-memory.dmp

          Filesize

          3.3MB

        • memory/2372-254-0x00007FF7C59C0000-0x00007FF7C5D11000-memory.dmp

          Filesize

          3.3MB

        • memory/2372-163-0x00007FF7C59C0000-0x00007FF7C5D11000-memory.dmp

          Filesize

          3.3MB

        • memory/2372-132-0x00007FF7C59C0000-0x00007FF7C5D11000-memory.dmp

          Filesize

          3.3MB

        • memory/2840-88-0x00007FF6464E0000-0x00007FF646831000-memory.dmp

          Filesize

          3.3MB

        • memory/2840-241-0x00007FF6464E0000-0x00007FF646831000-memory.dmp

          Filesize

          3.3MB

        • memory/2996-164-0x00007FF6FCD10000-0x00007FF6FD061000-memory.dmp

          Filesize

          3.3MB

        • memory/2996-259-0x00007FF6FCD10000-0x00007FF6FD061000-memory.dmp

          Filesize

          3.3MB

        • memory/2996-134-0x00007FF6FCD10000-0x00007FF6FD061000-memory.dmp

          Filesize

          3.3MB

        • memory/3464-207-0x00007FF6A9B40000-0x00007FF6A9E91000-memory.dmp

          Filesize

          3.3MB

        • memory/3464-18-0x00007FF6A9B40000-0x00007FF6A9E91000-memory.dmp

          Filesize

          3.3MB

        • memory/3464-103-0x00007FF6A9B40000-0x00007FF6A9E91000-memory.dmp

          Filesize

          3.3MB

        • memory/3680-230-0x00007FF7476A0000-0x00007FF7479F1000-memory.dmp

          Filesize

          3.3MB

        • memory/3680-97-0x00007FF7476A0000-0x00007FF7479F1000-memory.dmp

          Filesize

          3.3MB

        • memory/3772-89-0x00007FF78B8D0000-0x00007FF78BC21000-memory.dmp

          Filesize

          3.3MB

        • memory/3772-239-0x00007FF78B8D0000-0x00007FF78BC21000-memory.dmp

          Filesize

          3.3MB

        • memory/4244-209-0x00007FF74C110000-0x00007FF74C461000-memory.dmp

          Filesize

          3.3MB

        • memory/4244-106-0x00007FF74C110000-0x00007FF74C461000-memory.dmp

          Filesize

          3.3MB

        • memory/4244-31-0x00007FF74C110000-0x00007FF74C461000-memory.dmp

          Filesize

          3.3MB

        • memory/4336-96-0x00007FF703120000-0x00007FF703471000-memory.dmp

          Filesize

          3.3MB

        • memory/4336-219-0x00007FF703120000-0x00007FF703471000-memory.dmp

          Filesize

          3.3MB

        • memory/4360-231-0x00007FF630CA0000-0x00007FF630FF1000-memory.dmp

          Filesize

          3.3MB

        • memory/4360-86-0x00007FF630CA0000-0x00007FF630FF1000-memory.dmp

          Filesize

          3.3MB

        • memory/4392-77-0x00007FF7E0C40000-0x00007FF7E0F91000-memory.dmp

          Filesize

          3.3MB

        • memory/4392-216-0x00007FF7E0C40000-0x00007FF7E0F91000-memory.dmp

          Filesize

          3.3MB

        • memory/4424-102-0x00007FF6F89F0000-0x00007FF6F8D41000-memory.dmp

          Filesize

          3.3MB

        • memory/4424-205-0x00007FF6F89F0000-0x00007FF6F8D41000-memory.dmp

          Filesize

          3.3MB

        • memory/4424-8-0x00007FF6F89F0000-0x00007FF6F8D41000-memory.dmp

          Filesize

          3.3MB

        • memory/4444-238-0x00007FF771710000-0x00007FF771A61000-memory.dmp

          Filesize

          3.3MB

        • memory/4444-94-0x00007FF771710000-0x00007FF771A61000-memory.dmp

          Filesize

          3.3MB

        • memory/4716-0-0x00007FF6C6DA0000-0x00007FF6C70F1000-memory.dmp

          Filesize

          3.3MB

        • memory/4716-168-0x00007FF6C6DA0000-0x00007FF6C70F1000-memory.dmp

          Filesize

          3.3MB

        • memory/4716-146-0x00007FF6C6DA0000-0x00007FF6C70F1000-memory.dmp

          Filesize

          3.3MB

        • memory/4716-145-0x00007FF6C6DA0000-0x00007FF6C70F1000-memory.dmp

          Filesize

          3.3MB

        • memory/4716-101-0x00007FF6C6DA0000-0x00007FF6C70F1000-memory.dmp

          Filesize

          3.3MB

        • memory/4716-1-0x0000026926780000-0x0000026926790000-memory.dmp

          Filesize

          64KB

        • memory/4776-217-0x00007FF73C590000-0x00007FF73C8E1000-memory.dmp

          Filesize

          3.3MB

        • memory/4776-95-0x00007FF73C590000-0x00007FF73C8E1000-memory.dmp

          Filesize

          3.3MB

        • memory/5056-214-0x00007FF64ED20000-0x00007FF64F071000-memory.dmp

          Filesize

          3.3MB

        • memory/5056-68-0x00007FF64ED20000-0x00007FF64F071000-memory.dmp

          Filesize

          3.3MB