Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2024 00:32

General

  • Target

    2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe

  • Size

    6.0MB

  • MD5

    2813aa71cdf8402a6ee5bf5f96c4bc60

  • SHA1

    bc884edd93b5d355abc015a743233d2f10657419

  • SHA256

    cca4bfa4f0a43fda6b2362704760d62e9bbc9c7fa60d66dd73b29f70f450d1ce

  • SHA512

    833dcd48ecad8d6b3b2ba13b5c6c4e8401142ebd158864d31222542bdf1aab4e10dc4f4341717e56d4f31637cd70f766124389490a14e1cbeb0e204496c8d246

  • SSDEEP

    98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUJ:T+856utgpPF8u/7J

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 64 IoCs
  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-01_2813aa71cdf8402a6ee5bf5f96c4bc60_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\System\IMGfHfd.exe
      C:\Windows\System\IMGfHfd.exe
      2⤵
      • Executes dropped EXE
      PID:4768
    • C:\Windows\System\zjHMvUc.exe
      C:\Windows\System\zjHMvUc.exe
      2⤵
      • Executes dropped EXE
      PID:3740
    • C:\Windows\System\rPAPjPI.exe
      C:\Windows\System\rPAPjPI.exe
      2⤵
      • Executes dropped EXE
      PID:4932
    • C:\Windows\System\mjuHzQK.exe
      C:\Windows\System\mjuHzQK.exe
      2⤵
      • Executes dropped EXE
      PID:3592
    • C:\Windows\System\KzHuCuY.exe
      C:\Windows\System\KzHuCuY.exe
      2⤵
      • Executes dropped EXE
      PID:564
    • C:\Windows\System\dAzmTul.exe
      C:\Windows\System\dAzmTul.exe
      2⤵
      • Executes dropped EXE
      PID:2940
    • C:\Windows\System\oXIFNVU.exe
      C:\Windows\System\oXIFNVU.exe
      2⤵
      • Executes dropped EXE
      PID:3840
    • C:\Windows\System\OMCymCG.exe
      C:\Windows\System\OMCymCG.exe
      2⤵
      • Executes dropped EXE
      PID:4904
    • C:\Windows\System\nteFmYg.exe
      C:\Windows\System\nteFmYg.exe
      2⤵
      • Executes dropped EXE
      PID:4512
    • C:\Windows\System\OXivdMJ.exe
      C:\Windows\System\OXivdMJ.exe
      2⤵
      • Executes dropped EXE
      PID:3348
    • C:\Windows\System\YNfGhGY.exe
      C:\Windows\System\YNfGhGY.exe
      2⤵
      • Executes dropped EXE
      PID:1228
    • C:\Windows\System\sNccuAy.exe
      C:\Windows\System\sNccuAy.exe
      2⤵
      • Executes dropped EXE
      PID:1216
    • C:\Windows\System\obJvWOq.exe
      C:\Windows\System\obJvWOq.exe
      2⤵
      • Executes dropped EXE
      PID:704
    • C:\Windows\System\kDeQZSW.exe
      C:\Windows\System\kDeQZSW.exe
      2⤵
      • Executes dropped EXE
      PID:3344
    • C:\Windows\System\ICrOyOp.exe
      C:\Windows\System\ICrOyOp.exe
      2⤵
      • Executes dropped EXE
      PID:1296
    • C:\Windows\System\bHKntbb.exe
      C:\Windows\System\bHKntbb.exe
      2⤵
      • Executes dropped EXE
      PID:1924
    • C:\Windows\System\lzdgTZH.exe
      C:\Windows\System\lzdgTZH.exe
      2⤵
      • Executes dropped EXE
      PID:2596
    • C:\Windows\System\dBSTeWl.exe
      C:\Windows\System\dBSTeWl.exe
      2⤵
      • Executes dropped EXE
      PID:1692
    • C:\Windows\System\IACfwoW.exe
      C:\Windows\System\IACfwoW.exe
      2⤵
      • Executes dropped EXE
      PID:1592
    • C:\Windows\System\IwQpjtY.exe
      C:\Windows\System\IwQpjtY.exe
      2⤵
      • Executes dropped EXE
      PID:4008
    • C:\Windows\System\gXnETnq.exe
      C:\Windows\System\gXnETnq.exe
      2⤵
      • Executes dropped EXE
      PID:1392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System\IACfwoW.exe

    Filesize

    6.0MB

    MD5

    4108c5d7740e8f70d359e7554d79c782

    SHA1

    9411c95287c41db5af312cc3afd02066b34d173e

    SHA256

    414578a5bcc69fa9b550735b68c3bad4b0dadbce6cdd2c65d131453c4a604e4a

    SHA512

    8f3e7b87ed9634fe0b0e65f77c1b079a0d47bb889c5a7c6275653e6bfaa4840ff13fd3fc189b10d2f1eb911efdc6776095c29612d77ede4c24e8f9cc89d59bb3

  • C:\Windows\System\ICrOyOp.exe

    Filesize

    6.0MB

    MD5

    7606e4a28cb007e97ca502c595822637

    SHA1

    0a597ae9c7f0e0279b4d2696dcce407bab308a0a

    SHA256

    f85f1d6f5d1492af6204966887fe02ffb8b2a0691957408798bfdc2ae33cfecd

    SHA512

    33f6ba2d496148af5d308146949540dec8a94b06163e410687a981a6da52edf5d5584371db850cdd0b7d932897abf8bfefda9bc793ecc6882ce8e8838ada6b3b

  • C:\Windows\System\IMGfHfd.exe

    Filesize

    6.0MB

    MD5

    4ec11e717d41f5f11f382fda587e6940

    SHA1

    55568acedea52eec497a2bde9e2e8a92e6719728

    SHA256

    8844199e1d64d1086bb52d4cb773443c104ad71d8f1e9952c1935e2b5604fb4c

    SHA512

    bc3e7f31a07faf522c5631d2a6fe92bffbcb0b18169124219c8ef5b8e9a692a535a124973301188238f5ec1a714484ee86573dd1f285a9a93638c6a3be452758

  • C:\Windows\System\IwQpjtY.exe

    Filesize

    6.0MB

    MD5

    03bcc13922121dd6b7dfc0791f17132d

    SHA1

    27a9b6e7059a23cb710747cb5f27a74ef02c05a3

    SHA256

    c945ffc9a464fa721cc2b5eca0b489727edf4c06c2ca34bf3928ed7722690732

    SHA512

    21fe2295dd58cef199cca4c4b5cf5fc01c10c4e7f3f46bb5c2b5144bc077dfffa981b50f99611351b7110dbddd5d6df383dc309d9ad63901b28a037fc96f8ea3

  • C:\Windows\System\KzHuCuY.exe

    Filesize

    6.0MB

    MD5

    e57762736c9536c18a0d4e99e75fadd4

    SHA1

    4255b7ae160ef5f9cd60004fb3e666c494f45ec9

    SHA256

    cc1c16b42b05cb7216f5b3fb53789dab9e75eca21db12987dba00d776d12ef69

    SHA512

    d4c8a4dfab3125e4daff952f3d2415d0ddc77dbbef64838dcfb470a541ed168ce4547d5e3fe15ef757c1654ae140525e571a0024cc642098577b985b9d660fc5

  • C:\Windows\System\OMCymCG.exe

    Filesize

    6.0MB

    MD5

    d3a6c1b14106368e95adf2aa86cd6717

    SHA1

    ccf737b534eba31f840cae357651a2545ea4caa1

    SHA256

    9398037d4c76ee236694afc027f06a79152f97060c6df6c3ebd39f89c82148e0

    SHA512

    35c836cb74f51ed1d994d2d5ee413f4b8ee32d8e08293f3f43172a1fdb39fabe97a8ce6bf4154f91bcde4c96628bd627d99825ddd336bc1ac5359fe8c0862583

  • C:\Windows\System\OXivdMJ.exe

    Filesize

    6.0MB

    MD5

    4ff731363d840945a35397940d49a14b

    SHA1

    60fe36c99226d090e4d9b7eee525f2613eb1c53d

    SHA256

    6fb3ec50e6f594314cdc067b0a70b264f673554ecee8d4d33f97f7745d16dc93

    SHA512

    8e15516554471bfa872f62e501f56d40a7db7514a525c0cd6a35bd8502f1bb5ccea274667e9444b00790a90995b1717c6d8a767fb84836f20b578465a7eb6966

  • C:\Windows\System\YNfGhGY.exe

    Filesize

    6.0MB

    MD5

    f2de52387f86444895abf431220b2ce1

    SHA1

    5c10000a4f08f3e6cd292c857064874824f49403

    SHA256

    ab103f09f8a371532168214375ea7f1d53c83e102aa009f544c0751978ce7126

    SHA512

    ad0d4d2499a9a06c7348c7dea7c1d34d7dce555bb393d970821b2485efdaecc8c11b170f6209cab3a3455f17230e806468aa184bb53622c13f25c04623c2c9f7

  • C:\Windows\System\bHKntbb.exe

    Filesize

    6.0MB

    MD5

    2b340e898d947006fe0b4c296c2bc6de

    SHA1

    3defae3b5213f674ddf642fd4fbe298a5450d379

    SHA256

    27dbd43af11a0ca7bf30a7501ac7a50851bdcd2960a568f96d0e53fc8372d767

    SHA512

    71d01e71b05d3c88f1338a7f0d02fccad4f95d44dd98aefbea71fd547461eaf718abc1696297272b144213723dcac8a0b670d329d8ba22caf0ba22b6923aa864

  • C:\Windows\System\dAzmTul.exe

    Filesize

    6.0MB

    MD5

    60a6c3fee6862201e6dac742cd1feeee

    SHA1

    b3b8b9fe1bb4fd317baa0f036d8dbd8a0ec85f4c

    SHA256

    3b2e20cf90537c01ba8d5b545df6b17d2804f869fc2723c03b557a578ed44988

    SHA512

    57456d10c544e7d77568039215a9ae8108b610ebf1731918eb503915c0e0a6c6e576cbea9f4c90fedbb5fdfaea62e57b598278d26cfa73bae3f21e448a84036f

  • C:\Windows\System\dBSTeWl.exe

    Filesize

    6.0MB

    MD5

    ebb32630365a7d6730550d8197b8741c

    SHA1

    a19ac6ad7553ddc55848d65f372eebcf238b7748

    SHA256

    00a3404738eeb9fdb63ca4700ffa0c1acb00c7043df389feb626f26511e2f1c7

    SHA512

    8357c899e54c0feb5a22ccab57e2df2553932c1ec3a2220da2a2f730e89722e94ed8170217fbd2d5a4f1c32548d017ee17fd05477076569e9020af847bc26b82

  • C:\Windows\System\gXnETnq.exe

    Filesize

    6.0MB

    MD5

    c138c7c2e8febbe1e31975ae82fc44cf

    SHA1

    7dfa7bef0ef3906fa124c82b4a76a95b31f3f527

    SHA256

    e60fd70c639b948e2f3b72584b655b5c0dc44e25924f96812722752917a27c5c

    SHA512

    4959006274f926b4b574f02710b569d1178b2c41c92cadb6cf1638f5eeb48e262752b383f69202e397afd071c11cac02cf87838cee40dc5913cdc2a2aed7a1e9

  • C:\Windows\System\kDeQZSW.exe

    Filesize

    6.0MB

    MD5

    42ea0c9d2295c1d067a23eb5292ae1a5

    SHA1

    cbfe6f7606a333c60063d91cd5a2f94e700f61c8

    SHA256

    16b45e7e650e88f8c8a14311f6e1939c08b8b366a12b578c4057001991ae5c3f

    SHA512

    528dbdbb4593c0c2005297fd49522665d58d549caf09bd63c77d8e05b79b249b3c3547c1b3857b9fea09e6f01a465914cea85d2780b4d609d7c22574b7bcc266

  • C:\Windows\System\lzdgTZH.exe

    Filesize

    6.0MB

    MD5

    1e12f7d3aea495c9e6f3dc1b94009b2c

    SHA1

    f13b7c56a991151b8079988c3c3566f5a5d35584

    SHA256

    e660ec83d5e7221f936bf7c24dfc8a71408b60e450a0aac6e51e27d04158a5eb

    SHA512

    a082b973d45d51ae36db5454d97a0da3fe25b5caef9f80636d493d1cc2609acc7d1c0f511ac776d3c29602de9aba314d0d312cd7479a739939d4a6004c1504d6

  • C:\Windows\System\mjuHzQK.exe

    Filesize

    6.0MB

    MD5

    3b1f5000148f4a6d8bfdfcfc73c51f4a

    SHA1

    0b1115cd58dfa0fbbb974be41066f36a0058a29f

    SHA256

    85858479a938fa748cc87e153968a78b87cbc48ef66f65c293172a986d38ef6b

    SHA512

    1803e1c6fe25820544cefcad52687dad7674ed364bc056e0afc7e00e4ecdd460bd4ca61adaa05d876bbdf6a0bb44a29ac7c8aac5cb1e9f86c6da63b911df8e09

  • C:\Windows\System\nteFmYg.exe

    Filesize

    6.0MB

    MD5

    f2f3260cc76592544cb6b5d9f2b28c1f

    SHA1

    915c9bd39465f829f702961dc1334dfb8bcee443

    SHA256

    7a3e75430ceee7090d5742f149f4d30f0246ea191ee502f5a0673e4fc706b75a

    SHA512

    6761095833cfcab93645006a222e12db9a728f5bccd0824b08ab54aa5c4ff748061748c2c552f62ea2609454db81c601173b6a870fdc6508776231db951d352f

  • C:\Windows\System\oXIFNVU.exe

    Filesize

    6.0MB

    MD5

    c9a1d13b355164b12ba61b9314c281a8

    SHA1

    66c4777dd4a9e20aa265fd5027287e416f155154

    SHA256

    0b0512a16dd97d7b82b8a00504e985480577253ac6559ffeb3d63a9a20aec8f3

    SHA512

    a675063ec7ff1ebf70b7e32f97fe81d5168bb7ffc6a11477af9bacdb74e8bbfb1534cbae171f6f7ec13fa34f9f8c04586b9d2fb02a580e208ce967ebd43f7054

  • C:\Windows\System\obJvWOq.exe

    Filesize

    6.0MB

    MD5

    cdb320bb855d23ae8b19f70e5c668c44

    SHA1

    cdcd2a52d6faf9fc490eee8fcdfad6e16f6c7139

    SHA256

    d4f5d75deb40d2bad3d91998ee13f56089e822ebeed1a4dbbb5cd571bacbb705

    SHA512

    3360afa4137f07ca485dff204af3b2ae2882c66eac746f648e3cab5b4bab28fd1bd03e1df0b9d799a8a2b4ce3c4e5e872fc849379185fc704f05cee078d50ba4

  • C:\Windows\System\rPAPjPI.exe

    Filesize

    6.0MB

    MD5

    44f7eb60c3ec02ba3be8f2fab7de5487

    SHA1

    fd978fa62ee5c26567e49f97cdd921af50248c85

    SHA256

    aefd3efb296d0ac39ef0f55203d9499b9aaf13072fe2e00d9eed82495f7ce731

    SHA512

    b139b71ad988890557d792d6d0ac62c2f623765c30c509f4bfffb09d136d9c5af27a879e235c06158554be9bae87a1cec54dfcdaee8c02721303039212be018d

  • C:\Windows\System\sNccuAy.exe

    Filesize

    6.0MB

    MD5

    d7afe95a0e90ca8fa1fcfa71522bbf80

    SHA1

    73d49a2164b71daf3aa73ce83505008a2a1a04e3

    SHA256

    2752e057c4d0bb20c29d634afa30b22d6a51bbfafbcbf87891e9c2633bb49011

    SHA512

    48c0dc9bd4d0c7d10f5c8122219b2cb37e7a52c991d48050dccf66442b0c0465306e3ff9b5e8aa127913bfd4f8302511f57dddef0e1e32cc43b12e7383e02eba

  • C:\Windows\System\zjHMvUc.exe

    Filesize

    6.0MB

    MD5

    3c01e170710c2ca1b72b34439eef8be6

    SHA1

    307d51a6856c3046cae3527691fe463e147e45d8

    SHA256

    fb49ee3c01386c618592e6ba6f9d1b50e8ea6e464e68aaa3dbdcb78dacdbaf97

    SHA512

    f8decc6c9c390bd003230bf5e620bcc11368b931b58ddd75cc1d8193cf42e2171fc179406df815e36b97b387d060a93a713295171f0c51e804715e4217b15e97

  • memory/564-145-0x00007FF7E13C0000-0x00007FF7E1714000-memory.dmp

    Filesize

    3.3MB

  • memory/564-42-0x00007FF7E13C0000-0x00007FF7E1714000-memory.dmp

    Filesize

    3.3MB

  • memory/704-152-0x00007FF706460000-0x00007FF7067B4000-memory.dmp

    Filesize

    3.3MB

  • memory/704-80-0x00007FF706460000-0x00007FF7067B4000-memory.dmp

    Filesize

    3.3MB

  • memory/1216-74-0x00007FF6D0DB0000-0x00007FF6D1104000-memory.dmp

    Filesize

    3.3MB

  • memory/1216-150-0x00007FF6D0DB0000-0x00007FF6D1104000-memory.dmp

    Filesize

    3.3MB

  • memory/1228-66-0x00007FF666D00000-0x00007FF667054000-memory.dmp

    Filesize

    3.3MB

  • memory/1228-151-0x00007FF666D00000-0x00007FF667054000-memory.dmp

    Filesize

    3.3MB

  • memory/1228-134-0x00007FF666D00000-0x00007FF667054000-memory.dmp

    Filesize

    3.3MB

  • memory/1296-135-0x00007FF688150000-0x00007FF6884A4000-memory.dmp

    Filesize

    3.3MB

  • memory/1296-156-0x00007FF688150000-0x00007FF6884A4000-memory.dmp

    Filesize

    3.3MB

  • memory/1296-108-0x00007FF688150000-0x00007FF6884A4000-memory.dmp

    Filesize

    3.3MB

  • memory/1392-129-0x00007FF68DAD0000-0x00007FF68DE24000-memory.dmp

    Filesize

    3.3MB

  • memory/1392-157-0x00007FF68DAD0000-0x00007FF68DE24000-memory.dmp

    Filesize

    3.3MB

  • memory/1592-112-0x00007FF633910000-0x00007FF633C64000-memory.dmp

    Filesize

    3.3MB

  • memory/1592-137-0x00007FF633910000-0x00007FF633C64000-memory.dmp

    Filesize

    3.3MB

  • memory/1592-159-0x00007FF633910000-0x00007FF633C64000-memory.dmp

    Filesize

    3.3MB

  • memory/1692-120-0x00007FF75C080000-0x00007FF75C3D4000-memory.dmp

    Filesize

    3.3MB

  • memory/1692-138-0x00007FF75C080000-0x00007FF75C3D4000-memory.dmp

    Filesize

    3.3MB

  • memory/1692-158-0x00007FF75C080000-0x00007FF75C3D4000-memory.dmp

    Filesize

    3.3MB

  • memory/1924-155-0x00007FF722670000-0x00007FF7229C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1924-136-0x00007FF722670000-0x00007FF7229C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1924-109-0x00007FF722670000-0x00007FF7229C4000-memory.dmp

    Filesize

    3.3MB

  • memory/2596-154-0x00007FF761F80000-0x00007FF7622D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2596-116-0x00007FF761F80000-0x00007FF7622D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2940-48-0x00007FF634EF0000-0x00007FF635244000-memory.dmp

    Filesize

    3.3MB

  • memory/2940-144-0x00007FF634EF0000-0x00007FF635244000-memory.dmp

    Filesize

    3.3MB

  • memory/2968-91-0x00007FF6A6920000-0x00007FF6A6C74000-memory.dmp

    Filesize

    3.3MB

  • memory/2968-1-0x00000208A8050000-0x00000208A8060000-memory.dmp

    Filesize

    64KB

  • memory/2968-0-0x00007FF6A6920000-0x00007FF6A6C74000-memory.dmp

    Filesize

    3.3MB

  • memory/3344-100-0x00007FF698230000-0x00007FF698584000-memory.dmp

    Filesize

    3.3MB

  • memory/3344-153-0x00007FF698230000-0x00007FF698584000-memory.dmp

    Filesize

    3.3MB

  • memory/3348-133-0x00007FF6A0A70000-0x00007FF6A0DC4000-memory.dmp

    Filesize

    3.3MB

  • memory/3348-149-0x00007FF6A0A70000-0x00007FF6A0DC4000-memory.dmp

    Filesize

    3.3MB

  • memory/3348-60-0x00007FF6A0A70000-0x00007FF6A0DC4000-memory.dmp

    Filesize

    3.3MB

  • memory/3592-41-0x00007FF7BF660000-0x00007FF7BF9B4000-memory.dmp

    Filesize

    3.3MB

  • memory/3592-143-0x00007FF7BF660000-0x00007FF7BF9B4000-memory.dmp

    Filesize

    3.3MB

  • memory/3740-25-0x00007FF7828E0000-0x00007FF782C34000-memory.dmp

    Filesize

    3.3MB

  • memory/3740-141-0x00007FF7828E0000-0x00007FF782C34000-memory.dmp

    Filesize

    3.3MB

  • memory/3840-148-0x00007FF6CFC80000-0x00007FF6CFFD4000-memory.dmp

    Filesize

    3.3MB

  • memory/3840-44-0x00007FF6CFC80000-0x00007FF6CFFD4000-memory.dmp

    Filesize

    3.3MB

  • memory/3840-131-0x00007FF6CFC80000-0x00007FF6CFFD4000-memory.dmp

    Filesize

    3.3MB

  • memory/4008-128-0x00007FF698130000-0x00007FF698484000-memory.dmp

    Filesize

    3.3MB

  • memory/4008-139-0x00007FF698130000-0x00007FF698484000-memory.dmp

    Filesize

    3.3MB

  • memory/4008-160-0x00007FF698130000-0x00007FF698484000-memory.dmp

    Filesize

    3.3MB

  • memory/4512-146-0x00007FF7F2000000-0x00007FF7F2354000-memory.dmp

    Filesize

    3.3MB

  • memory/4512-54-0x00007FF7F2000000-0x00007FF7F2354000-memory.dmp

    Filesize

    3.3MB

  • memory/4512-132-0x00007FF7F2000000-0x00007FF7F2354000-memory.dmp

    Filesize

    3.3MB

  • memory/4768-15-0x00007FF7AEB10000-0x00007FF7AEE64000-memory.dmp

    Filesize

    3.3MB

  • memory/4768-140-0x00007FF7AEB10000-0x00007FF7AEE64000-memory.dmp

    Filesize

    3.3MB

  • memory/4904-147-0x00007FF745930000-0x00007FF745C84000-memory.dmp

    Filesize

    3.3MB

  • memory/4904-127-0x00007FF745930000-0x00007FF745C84000-memory.dmp

    Filesize

    3.3MB

  • memory/4904-53-0x00007FF745930000-0x00007FF745C84000-memory.dmp

    Filesize

    3.3MB

  • memory/4932-142-0x00007FF78DEE0000-0x00007FF78E234000-memory.dmp

    Filesize

    3.3MB

  • memory/4932-94-0x00007FF78DEE0000-0x00007FF78E234000-memory.dmp

    Filesize

    3.3MB

  • memory/4932-21-0x00007FF78DEE0000-0x00007FF78E234000-memory.dmp

    Filesize

    3.3MB