Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2024 03:41

General

  • Target

    2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    f00200d632c1950d7cf9e7652d1305fa

  • SHA1

    fa385e0ff00d506c7db967e491ecfaf5c88b8546

  • SHA256

    1f9909a3a2f29fbfa912809ab13d5a7caf2556e1fd53516e819947a94cbb4e25

  • SHA512

    fcaefd0dbee3b7350fcb48a9cb59fd8e5d24d04b1ee43abbc5dae0d263e8be087359ac74c50cd5132093e2637064dd2ec66b6aadb8a34277856b6e531e55626c

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUW:Q+856utgpPF8u/7W

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 64 IoCs
  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\System\UkBFCja.exe
      C:\Windows\System\UkBFCja.exe
      2⤵
      • Executes dropped EXE
      PID:3616
    • C:\Windows\System\mrgafwu.exe
      C:\Windows\System\mrgafwu.exe
      2⤵
      • Executes dropped EXE
      PID:2908
    • C:\Windows\System\gJPLEoE.exe
      C:\Windows\System\gJPLEoE.exe
      2⤵
      • Executes dropped EXE
      PID:4000
    • C:\Windows\System\AorrAyZ.exe
      C:\Windows\System\AorrAyZ.exe
      2⤵
      • Executes dropped EXE
      PID:1860
    • C:\Windows\System\rOAAXVf.exe
      C:\Windows\System\rOAAXVf.exe
      2⤵
      • Executes dropped EXE
      PID:3352
    • C:\Windows\System\wkmqOnD.exe
      C:\Windows\System\wkmqOnD.exe
      2⤵
      • Executes dropped EXE
      PID:4588
    • C:\Windows\System\hfhKkJh.exe
      C:\Windows\System\hfhKkJh.exe
      2⤵
      • Executes dropped EXE
      PID:1188
    • C:\Windows\System\KWqzdvt.exe
      C:\Windows\System\KWqzdvt.exe
      2⤵
      • Executes dropped EXE
      PID:3984
    • C:\Windows\System\LwjQfgn.exe
      C:\Windows\System\LwjQfgn.exe
      2⤵
      • Executes dropped EXE
      PID:1772
    • C:\Windows\System\bgeMDbo.exe
      C:\Windows\System\bgeMDbo.exe
      2⤵
      • Executes dropped EXE
      PID:5032
    • C:\Windows\System\aWuExFY.exe
      C:\Windows\System\aWuExFY.exe
      2⤵
      • Executes dropped EXE
      PID:4960
    • C:\Windows\System\hcEMQHy.exe
      C:\Windows\System\hcEMQHy.exe
      2⤵
      • Executes dropped EXE
      PID:3836
    • C:\Windows\System\CpkHKQF.exe
      C:\Windows\System\CpkHKQF.exe
      2⤵
      • Executes dropped EXE
      PID:1056
    • C:\Windows\System\eEHpcye.exe
      C:\Windows\System\eEHpcye.exe
      2⤵
      • Executes dropped EXE
      PID:1456
    • C:\Windows\System\OVbWmzO.exe
      C:\Windows\System\OVbWmzO.exe
      2⤵
      • Executes dropped EXE
      PID:3692
    • C:\Windows\System\yqJWayl.exe
      C:\Windows\System\yqJWayl.exe
      2⤵
      • Executes dropped EXE
      PID:1828
    • C:\Windows\System\hZiwQlW.exe
      C:\Windows\System\hZiwQlW.exe
      2⤵
      • Executes dropped EXE
      PID:4640
    • C:\Windows\System\bNfgltV.exe
      C:\Windows\System\bNfgltV.exe
      2⤵
      • Executes dropped EXE
      PID:2052
    • C:\Windows\System\NseSjQW.exe
      C:\Windows\System\NseSjQW.exe
      2⤵
      • Executes dropped EXE
      PID:3276
    • C:\Windows\System\mpoVQVv.exe
      C:\Windows\System\mpoVQVv.exe
      2⤵
      • Executes dropped EXE
      PID:548
    • C:\Windows\System\WFyAIVs.exe
      C:\Windows\System\WFyAIVs.exe
      2⤵
      • Executes dropped EXE
      PID:1496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System\AorrAyZ.exe

    Filesize

    5.9MB

    MD5

    866f684b2162a71f17c9bf3b3ef81bb2

    SHA1

    2941067abd07d7cd24ce442441c8a666dfde215c

    SHA256

    6a17dfce2cf9a8cd4fae138c3f348b83c5d9d78650ba9ac010874da42a9304fc

    SHA512

    6c733c654e36f235d824727f50367e9c49f20435a9e1b07e4aa05e219ddcb41cbb3f7726283e52a35da468b32e117755115d9144f67f37f72679b035de2465ef

  • C:\Windows\System\CpkHKQF.exe

    Filesize

    5.9MB

    MD5

    9b893823981d689417498b7684c71ed3

    SHA1

    1da0537ae7b130b9e5bb03784a03af85a47773e9

    SHA256

    ede7b5c981506144b0c54ed72531f5b50c5541b3a038150d75ad47d9e6bd6b06

    SHA512

    71f91e7c5b3801c4874ff19ec1f87528b3d6582960c1721eb0199ee53bf12020e9bd5db17c84d6136458056f3300af2c74329b6a29d0f3ee7aff9c5398df0ef7

  • C:\Windows\System\KWqzdvt.exe

    Filesize

    5.9MB

    MD5

    2f640df748fcc87c11dc7b99ad3bcc78

    SHA1

    853b953bb686a9647fd121722b2f088ed701520a

    SHA256

    c87d909581b26b77e35c29165fa44484ba6ab30570acb5be64492452a097116b

    SHA512

    56a72601dae3fddd442d82d325d838f4e16daf7960b3b3adec1372eee684a734ffa6419f0b2dbf815e945fd3e3d0d8cab95fb0ae7b073739fd073b7ceff93795

  • C:\Windows\System\LwjQfgn.exe

    Filesize

    5.9MB

    MD5

    8ecb008a810880ab341d703629a4543a

    SHA1

    e33eeb5917ed4aecb08f5db0666d0504e833bf4b

    SHA256

    4b422613fb6a13ee72fb2144bd541545d9a8e15e7963360695d0e98b5336aa63

    SHA512

    fb38ab4619c9c2b2cac42869066af04e5961cc6ff86539aeed6e159159a98d7e486c3a982a1df5f027cf144880635bfae450fde63f4f5ae6451158c16a7c381a

  • C:\Windows\System\NseSjQW.exe

    Filesize

    5.9MB

    MD5

    6cbabaa0c7e70d577bfc2b37f361b4c4

    SHA1

    2359c57aff0a11568f2f8c53ff077833d9c821a0

    SHA256

    a8cdb08a4c9fdf7986aaf817c29a7c454ace6685bbbb2b74cf9b9d3600e47380

    SHA512

    547fb1c3b50d7e1b40eae11327ade6e0d8a4a3834d0b1b85112e3d8e2daeb0baa597570a07ca2be61a230a975086cac09538e0c2aea7ecd66871baa9b2666b2c

  • C:\Windows\System\OVbWmzO.exe

    Filesize

    5.9MB

    MD5

    74838fc9ca0a1dd4b19c670ff6fb6fa3

    SHA1

    23a55a1f51e10412608334bebbdbf35b9b50d10e

    SHA256

    b395932e8b88b92bb03e9cf2ec2365bc2e066b0a6c869fda0b1103e46e859fc4

    SHA512

    c24698e0ac5d5a765dd26e075a37fa0dc95e315b4bd7fc366655596fb0944e06591db50b988c28e3d60ba5a7ca96211217e345c71b958ba96f679a6c57de2671

  • C:\Windows\System\UkBFCja.exe

    Filesize

    5.9MB

    MD5

    60cedd9baa3e2e3734ec8e077a1fa9db

    SHA1

    da2154152c94911b76772917ca7ddaf15b90a4aa

    SHA256

    03cbba4e7c23793ebd1b0bb809ffd0a5fbfc17c52c8e709e7330054efed61af6

    SHA512

    5ea53bedd71af593d9b87e0d3f44e73c8948e398faf1fc1b916b54596526d0b05704afef011dfe0fea90a9f85e440339d48b1c1e52969ccf839229004846b027

  • C:\Windows\System\WFyAIVs.exe

    Filesize

    5.9MB

    MD5

    77187a09043c04865b2ac0c9724cfa0a

    SHA1

    523f687eb4b2d2290217f2ffb873cdfc50aa1748

    SHA256

    36ee5fbb4178c9417a2b9e38bdaabdb2a6eb9c80ff716104a6c491cd3a2671ff

    SHA512

    a058abf514ba4d435488419b0c49ad37028c70903ccbb2ff25bd8bfbdad57456da693ec1d18e61a5ccf88a38c3f938f2ec2ce3dd3165b58c2ee328b1989933cf

  • C:\Windows\System\aWuExFY.exe

    Filesize

    5.9MB

    MD5

    9cca80c762346b7a9090a103eb2acd94

    SHA1

    e078fd4db1bd73c4889f3e9f6eb379a87b257adf

    SHA256

    1ead1ec34f543bd08ed7492c86bbf98bfc28b35cc4cc582eda61befbfa07dd8d

    SHA512

    1d65645c330a3b47187f4af0c443f75e47cac17ce0fe95906c85c903ba78caea8305d6cf15c0fbc8471cd532db5a3b51ae1fd243aac151735df5904b78ed5e01

  • C:\Windows\System\bNfgltV.exe

    Filesize

    5.9MB

    MD5

    c4ebe12fc5337027356af5fdf173fdd8

    SHA1

    e28c17cc8ba539be8eb00c90d77d00118832cf53

    SHA256

    e76d19ca2318661ee6eed141f8a2ea83ba1135174e88a4b0db650f9420912915

    SHA512

    ee74fdf8315f48f9e5a0575ac214b23698ae02578735a9432d23d323d49539d67a4f9d25c8ca1c925389968807c5f86cfa31c9e8eeeff5aafa9675d926564052

  • C:\Windows\System\bgeMDbo.exe

    Filesize

    5.9MB

    MD5

    afb2c4c7a63f33151ce858ed80ed76cd

    SHA1

    be746d3f3b446bd2b9406fc8cd1fb048dd322562

    SHA256

    ed4315d5285d2e44c70a1064f16c47178460b218b506a78bdba015072cd8f3fd

    SHA512

    b0284e229a8a3841ba5a2363ac844682e801bc5228359396e36621fb10fecece83f3bb108f5a74f1b95a847575f254ac42e821144e080c63111895d5fb48766d

  • C:\Windows\System\eEHpcye.exe

    Filesize

    5.9MB

    MD5

    02285cfbb760f6088440b4231bc88c31

    SHA1

    ee50ab697facd057cd6c44acc23e83a79041851d

    SHA256

    35bc5f6da5840511d04ba4b5eb4769af65e885189768aee8da5f00e031912b08

    SHA512

    a593cbd867ff6383dfc26d6ac5e9addf8ca7e0171ed1d882b975b3c00354c746014dc902789316ef3c180d5f5b1719fdeb1a81789a292c84de7cba753392a25a

  • C:\Windows\System\gJPLEoE.exe

    Filesize

    5.9MB

    MD5

    0894ce9d6bec28b5b1c41e08c7d511d7

    SHA1

    e51c0aa1df2adb2eed01f7e0575b215e94f61b3f

    SHA256

    f8505e9a97887f627ff3b268885b940049a38f9c908d715a296dee34c4130c89

    SHA512

    4adb9e090a4a3ae2c2454984f890053ffb44e4849d41c45cd88a09cb5d632df00cad741ab65ed12b975dd12658d027eb205062300b35eb9bda1fd69959158ba4

  • C:\Windows\System\hZiwQlW.exe

    Filesize

    5.9MB

    MD5

    e8835c32ba7523af40953e6d532fba24

    SHA1

    11ccab4b1ce7cdf4c095d0d7b8f58fde2392e385

    SHA256

    3db9d7efb7342573bf36bf50c897575e968b2847d04d808f762a6a27bebdaf38

    SHA512

    80107b79bf89daa834932ccadd0abdfdf460b2f2444be2a070dbf659ff51eae4e0219cc6595eec45fe61644e6f0561cd0ae14d309d37a6f390ecab1c05a1e46e

  • C:\Windows\System\hcEMQHy.exe

    Filesize

    5.9MB

    MD5

    3b2ea452999f095ce15fad591d391921

    SHA1

    b4b5b0f282935af3029436cc3a5e65580cf99514

    SHA256

    25bb3b9a4d4a324a8ce337349df44c3da451947814b956ead27c5bff39edd124

    SHA512

    d13aa6cb6a2e03d60bb0bab923a4016e58383598406388832a9f38059369008048f7229f35864b970a23f7b8d40dfadc1333ec11fa886bbbc5dff19ffa4a2e89

  • C:\Windows\System\hfhKkJh.exe

    Filesize

    5.9MB

    MD5

    3c540c7f0a9e42e8a219756bb2711e15

    SHA1

    0d09fb911a2ea63c03be6ac158a5346828384668

    SHA256

    85eeb9df2e1713b3663a63b71b8eaed1c15b89dbd2a38ac8f5381bad9b038d70

    SHA512

    63e0dd315aecfde4507e581936e394c91c2c0c471a8aecef1232fb28688bca9835fc64333e6f9cf6fa52068830616af1e250e26a07a371b75356292031442e37

  • C:\Windows\System\mpoVQVv.exe

    Filesize

    5.9MB

    MD5

    403746b09524bacc4dad0886fb6df1db

    SHA1

    899474c32dfff3c3797353376c085b7449b5c6cd

    SHA256

    425fc793a67373c39bf48b75316deea637f9daf0dec382cda576d6e152292d08

    SHA512

    c33420b165d9d4101fbcafa4a25ad4a422e5ddb46278fb0dbfce92414255d2723074ddabfc4a6f276ce9a0f955002755434b8bbbbd75d490b092382c86c9c49c

  • C:\Windows\System\mrgafwu.exe

    Filesize

    5.9MB

    MD5

    b26601fb208ce14f6ae3c2047decefbc

    SHA1

    9be44a670c4f6af416c9de38a48177ebbefbc1ca

    SHA256

    9261ea2d70aca11aacc7543119ca5f49c7e0e48002aa3bc1375dbd7fdbbb4bc8

    SHA512

    7532d6015e391bd22bb3221a77f3531c367d1a1649b601ef78a83ac856e926c86c77b6c903d300a3f36804b59b260f86d243749070ef72c2569c6c1299566895

  • C:\Windows\System\rOAAXVf.exe

    Filesize

    5.9MB

    MD5

    e06d6a94d27fa3c2b4bd4b545b3b81dc

    SHA1

    086a7d6be2757884a88d826ec62aedff8385115e

    SHA256

    6de12742eaf4c14eefddd76c0f6fb8c56bd98a8ce561049175bfab352d0ec762

    SHA512

    1cd541814e0cd4004ad1ef2223eed35568c7da05e818fac19a36f3bf8126e721d51b90c056bd78838c2b2889b399b0923a6617d6d1738a3db9f5144c99378151

  • C:\Windows\System\wkmqOnD.exe

    Filesize

    5.9MB

    MD5

    c89070583acd5c0a87b6d6aaebbd70ff

    SHA1

    4f1f67f4eafd26afe5da2d7c1e8e701ebd926190

    SHA256

    c333cc7e15da842fbded61e78143b53747fe16148c1eb501f115c3f804e04c92

    SHA512

    c4a925c3fece476fdd5193616cbe5017ef1331bbb3f7ff49bca27bf0d830fa4e48908cb2c8b2f58a347f757ec3f6a43e56c5e027f969b7ebb0021bbff9bb371b

  • C:\Windows\System\yqJWayl.exe

    Filesize

    5.9MB

    MD5

    6a8c8174574a5fc420c809a5577f54fc

    SHA1

    31a6985e7c901221b43cfda69986adf7330c31dd

    SHA256

    95976b7df46241e9df5e4c78600d65a22bfc4f40453c6d66c145180208998a44

    SHA512

    eee5c5767e6f524633f1be2006b9c6b0ce520f6f17a2b74b6badb22aef934eeb3cd7902e12e0265f43ab69e3eb3fec6f059554679082075e711fe376eff9728e

  • memory/548-140-0x00007FF6ED260000-0x00007FF6ED5B4000-memory.dmp

    Filesize

    3.3MB

  • memory/548-123-0x00007FF6ED260000-0x00007FF6ED5B4000-memory.dmp

    Filesize

    3.3MB

  • memory/548-158-0x00007FF6ED260000-0x00007FF6ED5B4000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-153-0x00007FF75ADC0000-0x00007FF75B114000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-83-0x00007FF75ADC0000-0x00007FF75B114000-memory.dmp

    Filesize

    3.3MB

  • memory/1188-109-0x00007FF6187C0000-0x00007FF618B14000-memory.dmp

    Filesize

    3.3MB

  • memory/1188-147-0x00007FF6187C0000-0x00007FF618B14000-memory.dmp

    Filesize

    3.3MB

  • memory/1188-42-0x00007FF6187C0000-0x00007FF618B14000-memory.dmp

    Filesize

    3.3MB

  • memory/1456-155-0x00007FF743A30000-0x00007FF743D84000-memory.dmp

    Filesize

    3.3MB

  • memory/1456-88-0x00007FF743A30000-0x00007FF743D84000-memory.dmp

    Filesize

    3.3MB

  • memory/1456-135-0x00007FF743A30000-0x00007FF743D84000-memory.dmp

    Filesize

    3.3MB

  • memory/1496-133-0x00007FF62E8F0000-0x00007FF62EC44000-memory.dmp

    Filesize

    3.3MB

  • memory/1496-161-0x00007FF62E8F0000-0x00007FF62EC44000-memory.dmp

    Filesize

    3.3MB

  • memory/1772-132-0x00007FF6B1F20000-0x00007FF6B2274000-memory.dmp

    Filesize

    3.3MB

  • memory/1772-149-0x00007FF6B1F20000-0x00007FF6B2274000-memory.dmp

    Filesize

    3.3MB

  • memory/1772-56-0x00007FF6B1F20000-0x00007FF6B2274000-memory.dmp

    Filesize

    3.3MB

  • memory/1828-137-0x00007FF6F0C80000-0x00007FF6F0FD4000-memory.dmp

    Filesize

    3.3MB

  • memory/1828-102-0x00007FF6F0C80000-0x00007FF6F0FD4000-memory.dmp

    Filesize

    3.3MB

  • memory/1828-157-0x00007FF6F0C80000-0x00007FF6F0FD4000-memory.dmp

    Filesize

    3.3MB

  • memory/1860-26-0x00007FF6D9C70000-0x00007FF6D9FC4000-memory.dmp

    Filesize

    3.3MB

  • memory/1860-87-0x00007FF6D9C70000-0x00007FF6D9FC4000-memory.dmp

    Filesize

    3.3MB

  • memory/1860-144-0x00007FF6D9C70000-0x00007FF6D9FC4000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-120-0x00007FF6723E0000-0x00007FF672734000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-159-0x00007FF6723E0000-0x00007FF672734000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-138-0x00007FF6723E0000-0x00007FF672734000-memory.dmp

    Filesize

    3.3MB

  • memory/2908-75-0x00007FF7827C0000-0x00007FF782B14000-memory.dmp

    Filesize

    3.3MB

  • memory/2908-13-0x00007FF7827C0000-0x00007FF782B14000-memory.dmp

    Filesize

    3.3MB

  • memory/2908-142-0x00007FF7827C0000-0x00007FF782B14000-memory.dmp

    Filesize

    3.3MB

  • memory/3064-0-0x00007FF61DFB0000-0x00007FF61E304000-memory.dmp

    Filesize

    3.3MB

  • memory/3064-1-0x0000023DC17F0000-0x0000023DC1800000-memory.dmp

    Filesize

    64KB

  • memory/3064-67-0x00007FF61DFB0000-0x00007FF61E304000-memory.dmp

    Filesize

    3.3MB

  • memory/3276-121-0x00007FF72D680000-0x00007FF72D9D4000-memory.dmp

    Filesize

    3.3MB

  • memory/3276-156-0x00007FF72D680000-0x00007FF72D9D4000-memory.dmp

    Filesize

    3.3MB

  • memory/3352-32-0x00007FF754890000-0x00007FF754BE4000-memory.dmp

    Filesize

    3.3MB

  • memory/3352-145-0x00007FF754890000-0x00007FF754BE4000-memory.dmp

    Filesize

    3.3MB

  • memory/3616-73-0x00007FF797360000-0x00007FF7976B4000-memory.dmp

    Filesize

    3.3MB

  • memory/3616-141-0x00007FF797360000-0x00007FF7976B4000-memory.dmp

    Filesize

    3.3MB

  • memory/3616-8-0x00007FF797360000-0x00007FF7976B4000-memory.dmp

    Filesize

    3.3MB

  • memory/3692-154-0x00007FF6FBE60000-0x00007FF6FC1B4000-memory.dmp

    Filesize

    3.3MB

  • memory/3692-136-0x00007FF6FBE60000-0x00007FF6FC1B4000-memory.dmp

    Filesize

    3.3MB

  • memory/3692-94-0x00007FF6FBE60000-0x00007FF6FC1B4000-memory.dmp

    Filesize

    3.3MB

  • memory/3836-152-0x00007FF78F260000-0x00007FF78F5B4000-memory.dmp

    Filesize

    3.3MB

  • memory/3836-74-0x00007FF78F260000-0x00007FF78F5B4000-memory.dmp

    Filesize

    3.3MB

  • memory/3836-134-0x00007FF78F260000-0x00007FF78F5B4000-memory.dmp

    Filesize

    3.3MB

  • memory/3984-50-0x00007FF654500000-0x00007FF654854000-memory.dmp

    Filesize

    3.3MB

  • memory/3984-148-0x00007FF654500000-0x00007FF654854000-memory.dmp

    Filesize

    3.3MB

  • memory/4000-143-0x00007FF7B29E0000-0x00007FF7B2D34000-memory.dmp

    Filesize

    3.3MB

  • memory/4000-20-0x00007FF7B29E0000-0x00007FF7B2D34000-memory.dmp

    Filesize

    3.3MB

  • memory/4588-146-0x00007FF7757D0000-0x00007FF775B24000-memory.dmp

    Filesize

    3.3MB

  • memory/4588-38-0x00007FF7757D0000-0x00007FF775B24000-memory.dmp

    Filesize

    3.3MB

  • memory/4640-113-0x00007FF7D5D80000-0x00007FF7D60D4000-memory.dmp

    Filesize

    3.3MB

  • memory/4640-139-0x00007FF7D5D80000-0x00007FF7D60D4000-memory.dmp

    Filesize

    3.3MB

  • memory/4640-160-0x00007FF7D5D80000-0x00007FF7D60D4000-memory.dmp

    Filesize

    3.3MB

  • memory/4960-150-0x00007FF71EA00000-0x00007FF71ED54000-memory.dmp

    Filesize

    3.3MB

  • memory/4960-72-0x00007FF71EA00000-0x00007FF71ED54000-memory.dmp

    Filesize

    3.3MB

  • memory/5032-69-0x00007FF70ADC0000-0x00007FF70B114000-memory.dmp

    Filesize

    3.3MB

  • memory/5032-151-0x00007FF70ADC0000-0x00007FF70B114000-memory.dmp

    Filesize

    3.3MB