Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2024 02:04

General

  • Target

    2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe

  • Size

    6.0MB

  • MD5

    90047872f2c0969d6b491d0868202ed4

  • SHA1

    776c22d4579f2f4aeceed35a7adc4abc9661705c

  • SHA256

    521e02eb3fa8e32014a9c2f0fcbd5bf91d3a1755824b7c32d5306c5b6ae241c2

  • SHA512

    47a39935fcd51a819339e16f05d2c909dfec2980d5d68a141ead808573c9fa807d76d328a34c72d434987245fc4a2f3b88af32a9723876fce335e3842e5c0eb0

  • SSDEEP

    98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUd:T+856utgpPF8u/7d

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 64 IoCs
  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Windows\System\qIOtdLR.exe
      C:\Windows\System\qIOtdLR.exe
      2⤵
      • Executes dropped EXE
      PID:1280
    • C:\Windows\System\JBFzBau.exe
      C:\Windows\System\JBFzBau.exe
      2⤵
      • Executes dropped EXE
      PID:1960
    • C:\Windows\System\oLRXEGe.exe
      C:\Windows\System\oLRXEGe.exe
      2⤵
      • Executes dropped EXE
      PID:440
    • C:\Windows\System\xanDRnO.exe
      C:\Windows\System\xanDRnO.exe
      2⤵
      • Executes dropped EXE
      PID:3068
    • C:\Windows\System\cWxtIcm.exe
      C:\Windows\System\cWxtIcm.exe
      2⤵
      • Executes dropped EXE
      PID:3700
    • C:\Windows\System\tXNCKPs.exe
      C:\Windows\System\tXNCKPs.exe
      2⤵
      • Executes dropped EXE
      PID:4116
    • C:\Windows\System\xDyJnap.exe
      C:\Windows\System\xDyJnap.exe
      2⤵
      • Executes dropped EXE
      PID:4584
    • C:\Windows\System\uMqKLXA.exe
      C:\Windows\System\uMqKLXA.exe
      2⤵
      • Executes dropped EXE
      PID:3964
    • C:\Windows\System\lrZppvC.exe
      C:\Windows\System\lrZppvC.exe
      2⤵
      • Executes dropped EXE
      PID:3492
    • C:\Windows\System\fUwMWcX.exe
      C:\Windows\System\fUwMWcX.exe
      2⤵
      • Executes dropped EXE
      PID:4956
    • C:\Windows\System\MIymbDQ.exe
      C:\Windows\System\MIymbDQ.exe
      2⤵
      • Executes dropped EXE
      PID:1104
    • C:\Windows\System\YzACIjm.exe
      C:\Windows\System\YzACIjm.exe
      2⤵
      • Executes dropped EXE
      PID:1304
    • C:\Windows\System\mDuMJMc.exe
      C:\Windows\System\mDuMJMc.exe
      2⤵
      • Executes dropped EXE
      PID:1464
    • C:\Windows\System\lyClhaA.exe
      C:\Windows\System\lyClhaA.exe
      2⤵
      • Executes dropped EXE
      PID:4452
    • C:\Windows\System\lOIkzwG.exe
      C:\Windows\System\lOIkzwG.exe
      2⤵
      • Executes dropped EXE
      PID:876
    • C:\Windows\System\krUoYdK.exe
      C:\Windows\System\krUoYdK.exe
      2⤵
      • Executes dropped EXE
      PID:4676
    • C:\Windows\System\fvuuKQa.exe
      C:\Windows\System\fvuuKQa.exe
      2⤵
      • Executes dropped EXE
      PID:3300
    • C:\Windows\System\TzMHeCe.exe
      C:\Windows\System\TzMHeCe.exe
      2⤵
      • Executes dropped EXE
      PID:1096
    • C:\Windows\System\ZlPwDvw.exe
      C:\Windows\System\ZlPwDvw.exe
      2⤵
      • Executes dropped EXE
      PID:4780
    • C:\Windows\System\EdLTCKR.exe
      C:\Windows\System\EdLTCKR.exe
      2⤵
      • Executes dropped EXE
      PID:2532
    • C:\Windows\System\UpEALZr.exe
      C:\Windows\System\UpEALZr.exe
      2⤵
      • Executes dropped EXE
      PID:4304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System\EdLTCKR.exe

    Filesize

    6.0MB

    MD5

    27052b12168f4f522e153da35ae8bef9

    SHA1

    199fab6f5682f74346b365059b112e85bd54935d

    SHA256

    c33d7117d8b3deab24e3fc9579a1459bad40a0569c267ed8ba5552fd22ac3e56

    SHA512

    fcbeae439169df4bead7c091d6464ed1d6d07578b8856d2dc216ee3a7243b209a5503a44e9c7bc3d6cdff1243f8846bfd14f1b491a0c4417c9ad00e9190d6577

  • C:\Windows\System\JBFzBau.exe

    Filesize

    6.0MB

    MD5

    a9d8ff8800a40a402e2e8ca9418b6b98

    SHA1

    595a6f50c33025693bd5247ad0ca05c64eb277a5

    SHA256

    82508a753347412e5f709a29bca9e36c969bae150cd922acfae3988de3c0925b

    SHA512

    06cf4df22152d1e67cf7cc7a544ad049ea0aab213c62020cd6ecbbffce72b18a3840e3573f78a4c230ab136ee453abf87826382cc6e34f90e9c20517120e8928

  • C:\Windows\System\MIymbDQ.exe

    Filesize

    6.0MB

    MD5

    d2e6e085a9b463b53dac57cbb2c7166b

    SHA1

    161d35fe2aac2b1edef0036c77aecb56f6cb6c99

    SHA256

    f2ad287d4e6e4a8bd6a426c1f7a45aa8c0a7e4471f1308b9ed9d1237cbfb5a02

    SHA512

    4e01dd5f6e9d894aa77d053dfc5cd01212cde5876f4c19db652f09dfff5da8853a1e893e82aa62d5d985197067220484324cc793d369332f1026923c3732aa99

  • C:\Windows\System\TzMHeCe.exe

    Filesize

    6.0MB

    MD5

    9701861d0834556b62382f6c2cb44623

    SHA1

    6cbf15a1c1a0c363cfa44e102664aa3ddfe505b3

    SHA256

    3db2fc801534166c97f630b92a2cda14e42c830095da15e285e04fc72a13ff08

    SHA512

    4a29910a1a11d0c256d249afa9ae669ae09be2431d13bcb18584af8230f1bbd95afdde22f10d439f6991f63f475fd92e08823131d2e8a3b1defa8f191a6d7d2e

  • C:\Windows\System\UpEALZr.exe

    Filesize

    6.0MB

    MD5

    579cc1f1dcf541603209e769bf35fda5

    SHA1

    6068c37ad72da3279621ea35013e19a08d6254fc

    SHA256

    744673dbe1813a95244521bb2924f19a2e3706da8c05c89cfe459d2398b1c855

    SHA512

    28b97eb11c57fdd3461ab7651566e34255bf7f4579435b8b880568f695b003761452fb5643971be6466dc6b02a9bc736adfc83d34fca828cecccef92a6626ec3

  • C:\Windows\System\YzACIjm.exe

    Filesize

    6.0MB

    MD5

    b368bc9ec7471d9b934b8d3c0c52fbeb

    SHA1

    162c0ce7bfe9ef6196b7944eb0233b73d29493e6

    SHA256

    849f397ba9ac3a064a3be0dd127517b81b78669d39821c5d299c2b7a346a319e

    SHA512

    4d2570255c46543a91d8d46ff76fc0401c905ccac24799511465e5d57389841d89d99393b2f22c8510986bc60db5625d887e62c1eff846d7997f031b0850f2f0

  • C:\Windows\System\ZlPwDvw.exe

    Filesize

    6.0MB

    MD5

    f3d49e40271062090f7fe504fbc7f267

    SHA1

    f5e54e27e2c69238f5fbac7090b4ed6e9854e9e4

    SHA256

    c0d7db5370ee09115efdd4f5fe0f44d988765d20f83c05e62e874cc5a676dc10

    SHA512

    84d57abbff487a5635972d305e9a40936ae51dc9753416d50f9a47c57bb78dcebcecef66afc11af15290200ee5a08e00277e186cc6f6e7c48839f91e808045e5

  • C:\Windows\System\cWxtIcm.exe

    Filesize

    6.0MB

    MD5

    bc0ede90b798c35a516a21964670236c

    SHA1

    0b9f8b3d2e563221d06ae4f12c9cfc944f768972

    SHA256

    ad856135592cdc6230e7b362d06277057bb6dfc5b0753c022732031888632fe4

    SHA512

    85d6b4f0311e2997fcfce559e4abc1daa2723d02d2ab2fc9674bddf80a341af567224d0aff173914b98d83fd2207eabde3309912128f3cd94c43725e87be08a6

  • C:\Windows\System\fUwMWcX.exe

    Filesize

    6.0MB

    MD5

    35e6869f514b905ed83a0b7999cb4c94

    SHA1

    207c13318089616b81c73729c01ca328c7175aaa

    SHA256

    c636c535318ff4c286d2e510a2cce1955b2e7e461c48b781e40034773f6d093c

    SHA512

    46c5ad107f5009ae84f9bdb32064ea1bf15a88ba7bbe12192f7a98d57b9f8a7c230ef4e3c075a0f7292dc6869c694a22aa6161f147f03f9acdeab31e60417d88

  • C:\Windows\System\fvuuKQa.exe

    Filesize

    6.0MB

    MD5

    bbd5b2ef9f02f4fe684bd8de4f5ad9e6

    SHA1

    200bc677b6f86067c7bca0ce168c08f9e2650775

    SHA256

    66fa6a2b19ab4e26a33ab3613b08379019134440a7bd7acae00d140b1d6af315

    SHA512

    c59b9363594a9ff644fd1da25e39834cade7c2f5888819419bc5c31d9369a6da849aff6a72a5463f13ecae07bcf7ad043199eac24577383096aff77c4820ee2f

  • C:\Windows\System\krUoYdK.exe

    Filesize

    6.0MB

    MD5

    5f6b6369a522b7f6c460cc5996cb6969

    SHA1

    bf0617e3a1ae8c9a1442cf68979aa4a1da50e0a4

    SHA256

    4e3e14f6cddf35780070532de9bf3752452de2ae6abbc24300fd521e84be7f5c

    SHA512

    978fe8af9d3afeb563043872f4c3b2eeb9dbdb8fe77d1eb63228252daed32d27e10b2aab55144df90887b8aaf370e48827875670d75b36505d8b0b0b0949a581

  • C:\Windows\System\lOIkzwG.exe

    Filesize

    6.0MB

    MD5

    c74ba07d3e2c5e6aea0a3211b39a3bb2

    SHA1

    582a4d790c74e22d91670c6fac9cff0cdaf4c6e6

    SHA256

    e9ca328fbdd3c453e19ea3e521ab57ea226866239d3d1e3aca739684da931d27

    SHA512

    07975343c023e5c58b76ab2f58507a2fcd3f301f5afc8235d77887f77a02f1269a1e669c531cfdc94408055e3c0077ea5487b976a3024961cfd7848fdbf1839f

  • C:\Windows\System\lrZppvC.exe

    Filesize

    6.0MB

    MD5

    517ecc25db1408227d63448e3f109b50

    SHA1

    7c6f7b3a50dfe12cf469d2ea7d60b0068f466911

    SHA256

    7a1f7a9bdc1f71d7c95fc48b75c513c86ad625868358355fbe3b3835df731b94

    SHA512

    d06da86a33400ca0c13e81c716fdf725eecf2b8fa834ddc5272e4891ef04dd26cb726c81a1c60dc67c287e6de6113160e4dbd27e32f400f91ca1073cbc373e40

  • C:\Windows\System\lyClhaA.exe

    Filesize

    6.0MB

    MD5

    cdbb9db60f39383239b2dbdd8b7f7147

    SHA1

    28c3aff6a2a6c06fa490ab8cee38c2238f77c8e8

    SHA256

    1ab2b461867f7ff0576e7b94d6372a0057bcd0821a76521791304b952d0a3020

    SHA512

    c9c98a7edd5756fce84dd22e6d6376968ff5bfa9eea00a203198e7dfa37739331100333fea522fe5501ab39e5056dac9b48ed4f10501d027f44f5bf6e6ac51c9

  • C:\Windows\System\mDuMJMc.exe

    Filesize

    6.0MB

    MD5

    ab38304fc9c20e4b86ab0194732d046f

    SHA1

    21d90ab70b60c8c1f86c96c9722f420948dfe2ae

    SHA256

    e53b090858d65bec5be5a1b4acf0e46f63023119f21b85a6c8aba328b414edcb

    SHA512

    2c4bb4e7e57e63dd7bc3e1f1dcd78566ee7989731f062b917751066cb1595b9f3ca2669ded5d8b280a1690ff5876d5ce79cfbadf08e11b8756a4cc6e2354dbdf

  • C:\Windows\System\oLRXEGe.exe

    Filesize

    6.0MB

    MD5

    8e03bf1f8c60cdb2396090e6567c19cf

    SHA1

    8cfdacad918420e1389b33f75e3b4de20b7dc144

    SHA256

    48e694e3693d4e8d516396b3610fdfceeece9771bbafe845732e5fee5e2bff87

    SHA512

    e3fc87322b315eb163096ab800f547a9d5013a1d7061b93858cce31f65f80bb2f8224a643fad868eb8023de7d8a2565597075c7a382899b2fdb89386b4c073b5

  • C:\Windows\System\qIOtdLR.exe

    Filesize

    6.0MB

    MD5

    c96fda308b100c2cdcf4f57b1f29ae75

    SHA1

    41d44c381ebe2516a33f9bb04a1f3ea8028197c2

    SHA256

    efa5eb0b687138c6bb09d321b1113eca024a052220d54dd40d241a7a0dab6d1a

    SHA512

    50365b7ce8c45541f61ca1a0cfef01b6e15305f99d7f04921b0d9332238f5d135a1a9d92434bba37bf193bec75d42932dd5378c89ab0588275327955a49b9b81

  • C:\Windows\System\tXNCKPs.exe

    Filesize

    6.0MB

    MD5

    46d9b68f3f6bc2761f0def51e0553fc2

    SHA1

    a948eccb4301593eb420d089dfde6123d3611c93

    SHA256

    fbce5acf0c681247d8155b7ac3519b7de2cfdd404cac31404513e928c858d7fb

    SHA512

    c551e8b3a0301147030f151da0541b6658be9582da4735490584daf6cbc4f086ac238a90e805750dd77079033fee792a786c0116c8d5c73adcd696cbf734c8ea

  • C:\Windows\System\uMqKLXA.exe

    Filesize

    6.0MB

    MD5

    db85d91f87fe8dfadab46603f00cbdac

    SHA1

    1c5fab9ad894e9ceeb11fecbf38098f332d01ab1

    SHA256

    6ce83122dcb370cce6e387788373f4407f11cb06daf2262686b3e3e9086d8016

    SHA512

    879ba2af4f54d0b59cf08530abab79ab632ab444a380d888d457996b26189c03b245a58d62d292369768e39e2e04d3da2728074ed7e03a05e7b591d092e1e5ec

  • C:\Windows\System\xDyJnap.exe

    Filesize

    6.0MB

    MD5

    cab3a51afebff338b6d2d23c3ebcaf88

    SHA1

    a30a612f21729962a6fe32bf1b2e53cf631bba9a

    SHA256

    e1e8a1b32edf3bb71a171f412d3a4116bc38857bd9e9f4a48f6cc8ee37c8fe03

    SHA512

    14eb22eec7a1b6f750028929f95e7f860f1dcfa704a691dd1677d6c5272b9c67bfc30e09f2621a67e7ee9cb533f150b4b5703ee1217e48d44aa346f2a0e0a105

  • C:\Windows\System\xanDRnO.exe

    Filesize

    6.0MB

    MD5

    efdde6babf1b66668635aab3341b2416

    SHA1

    ef4ef910c99ce54c06350e9681f7696b414657ea

    SHA256

    2b07a3f60dc76dc38fc99fa90ed298e6847a34efaf0aebc0008d99faaa105c32

    SHA512

    33aef3e830dfafec094accad70b2058af1726fd0139c4c6be6edca5f896476a5437488bd07a00639966b23559ff463279ea59d00c9081fa0db9430a04868bd04

  • memory/440-138-0x00007FF738FF0000-0x00007FF739344000-memory.dmp

    Filesize

    3.3MB

  • memory/440-20-0x00007FF738FF0000-0x00007FF739344000-memory.dmp

    Filesize

    3.3MB

  • memory/876-95-0x00007FF7F7470000-0x00007FF7F77C4000-memory.dmp

    Filesize

    3.3MB

  • memory/876-133-0x00007FF7F7470000-0x00007FF7F77C4000-memory.dmp

    Filesize

    3.3MB

  • memory/876-150-0x00007FF7F7470000-0x00007FF7F77C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1096-114-0x00007FF7BEA50000-0x00007FF7BEDA4000-memory.dmp

    Filesize

    3.3MB

  • memory/1096-153-0x00007FF7BEA50000-0x00007FF7BEDA4000-memory.dmp

    Filesize

    3.3MB

  • memory/1104-146-0x00007FF756FA0000-0x00007FF7572F4000-memory.dmp

    Filesize

    3.3MB

  • memory/1104-69-0x00007FF756FA0000-0x00007FF7572F4000-memory.dmp

    Filesize

    3.3MB

  • memory/1164-66-0x00007FF61C6B0000-0x00007FF61CA04000-memory.dmp

    Filesize

    3.3MB

  • memory/1164-0-0x00007FF61C6B0000-0x00007FF61CA04000-memory.dmp

    Filesize

    3.3MB

  • memory/1164-1-0x000001C82E3A0000-0x000001C82E3B0000-memory.dmp

    Filesize

    64KB

  • memory/1280-81-0x00007FF6EEE30000-0x00007FF6EF184000-memory.dmp

    Filesize

    3.3MB

  • memory/1280-136-0x00007FF6EEE30000-0x00007FF6EF184000-memory.dmp

    Filesize

    3.3MB

  • memory/1280-8-0x00007FF6EEE30000-0x00007FF6EF184000-memory.dmp

    Filesize

    3.3MB

  • memory/1304-82-0x00007FF674890000-0x00007FF674BE4000-memory.dmp

    Filesize

    3.3MB

  • memory/1304-147-0x00007FF674890000-0x00007FF674BE4000-memory.dmp

    Filesize

    3.3MB

  • memory/1464-85-0x00007FF6E0AC0000-0x00007FF6E0E14000-memory.dmp

    Filesize

    3.3MB

  • memory/1464-148-0x00007FF6E0AC0000-0x00007FF6E0E14000-memory.dmp

    Filesize

    3.3MB

  • memory/1960-137-0x00007FF6E38A0000-0x00007FF6E3BF4000-memory.dmp

    Filesize

    3.3MB

  • memory/1960-92-0x00007FF6E38A0000-0x00007FF6E3BF4000-memory.dmp

    Filesize

    3.3MB

  • memory/1960-12-0x00007FF6E38A0000-0x00007FF6E3BF4000-memory.dmp

    Filesize

    3.3MB

  • memory/2532-125-0x00007FF70D210000-0x00007FF70D564000-memory.dmp

    Filesize

    3.3MB

  • memory/2532-155-0x00007FF70D210000-0x00007FF70D564000-memory.dmp

    Filesize

    3.3MB

  • memory/2532-135-0x00007FF70D210000-0x00007FF70D564000-memory.dmp

    Filesize

    3.3MB

  • memory/3068-26-0x00007FF74D280000-0x00007FF74D5D4000-memory.dmp

    Filesize

    3.3MB

  • memory/3068-139-0x00007FF74D280000-0x00007FF74D5D4000-memory.dmp

    Filesize

    3.3MB

  • memory/3300-152-0x00007FF768B00000-0x00007FF768E54000-memory.dmp

    Filesize

    3.3MB

  • memory/3300-107-0x00007FF768B00000-0x00007FF768E54000-memory.dmp

    Filesize

    3.3MB

  • memory/3492-144-0x00007FF7D4A10000-0x00007FF7D4D64000-memory.dmp

    Filesize

    3.3MB

  • memory/3492-56-0x00007FF7D4A10000-0x00007FF7D4D64000-memory.dmp

    Filesize

    3.3MB

  • memory/3700-140-0x00007FF6E6DE0000-0x00007FF6E7134000-memory.dmp

    Filesize

    3.3MB

  • memory/3700-113-0x00007FF6E6DE0000-0x00007FF6E7134000-memory.dmp

    Filesize

    3.3MB

  • memory/3700-31-0x00007FF6E6DE0000-0x00007FF6E7134000-memory.dmp

    Filesize

    3.3MB

  • memory/3964-50-0x00007FF655180000-0x00007FF6554D4000-memory.dmp

    Filesize

    3.3MB

  • memory/3964-143-0x00007FF655180000-0x00007FF6554D4000-memory.dmp

    Filesize

    3.3MB

  • memory/4116-141-0x00007FF659B20000-0x00007FF659E74000-memory.dmp

    Filesize

    3.3MB

  • memory/4116-120-0x00007FF659B20000-0x00007FF659E74000-memory.dmp

    Filesize

    3.3MB

  • memory/4116-36-0x00007FF659B20000-0x00007FF659E74000-memory.dmp

    Filesize

    3.3MB

  • memory/4304-132-0x00007FF7EFFA0000-0x00007FF7F02F4000-memory.dmp

    Filesize

    3.3MB

  • memory/4304-156-0x00007FF7EFFA0000-0x00007FF7F02F4000-memory.dmp

    Filesize

    3.3MB

  • memory/4452-88-0x00007FF702410000-0x00007FF702764000-memory.dmp

    Filesize

    3.3MB

  • memory/4452-149-0x00007FF702410000-0x00007FF702764000-memory.dmp

    Filesize

    3.3MB

  • memory/4584-46-0x00007FF798000000-0x00007FF798354000-memory.dmp

    Filesize

    3.3MB

  • memory/4584-142-0x00007FF798000000-0x00007FF798354000-memory.dmp

    Filesize

    3.3MB

  • memory/4676-151-0x00007FF66D400000-0x00007FF66D754000-memory.dmp

    Filesize

    3.3MB

  • memory/4676-134-0x00007FF66D400000-0x00007FF66D754000-memory.dmp

    Filesize

    3.3MB

  • memory/4676-99-0x00007FF66D400000-0x00007FF66D754000-memory.dmp

    Filesize

    3.3MB

  • memory/4780-154-0x00007FF69BA00000-0x00007FF69BD54000-memory.dmp

    Filesize

    3.3MB

  • memory/4780-122-0x00007FF69BA00000-0x00007FF69BD54000-memory.dmp

    Filesize

    3.3MB

  • memory/4956-145-0x00007FF6ACDA0000-0x00007FF6AD0F4000-memory.dmp

    Filesize

    3.3MB

  • memory/4956-67-0x00007FF6ACDA0000-0x00007FF6AD0F4000-memory.dmp

    Filesize

    3.3MB