Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2024 03:42

General

  • Target

    2024-06-01_f4f0e1196cabb94ee4c5095237582584_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    f4f0e1196cabb94ee4c5095237582584

  • SHA1

    c9f002c6cecf0dafbeadf24dcee7fa48174fd7a6

  • SHA256

    5ab9536e2b123a93b736f01b3ac3ef45c6ef0366615633c08de686c491e1df62

  • SHA512

    b5ea61f8be67fcb07ec086d54eccb19eca6c983ee793c7e3ec69fe46fda27749d075e7b24da5f201faa719873a8c913b951c154bbe3c8aec1e2c832f29e25ff0

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUl:Q+856utgpPF8u/7l

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 64 IoCs
  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-01_f4f0e1196cabb94ee4c5095237582584_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f4f0e1196cabb94ee4c5095237582584_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\System\PtbCGYe.exe
      C:\Windows\System\PtbCGYe.exe
      2⤵
      • Executes dropped EXE
      PID:536
    • C:\Windows\System\yDxcSAU.exe
      C:\Windows\System\yDxcSAU.exe
      2⤵
      • Executes dropped EXE
      PID:232
    • C:\Windows\System\BWCRjkF.exe
      C:\Windows\System\BWCRjkF.exe
      2⤵
      • Executes dropped EXE
      PID:3548
    • C:\Windows\System\rdIQJEY.exe
      C:\Windows\System\rdIQJEY.exe
      2⤵
      • Executes dropped EXE
      PID:2040
    • C:\Windows\System\egnRHEY.exe
      C:\Windows\System\egnRHEY.exe
      2⤵
      • Executes dropped EXE
      PID:1568
    • C:\Windows\System\ccBWWXU.exe
      C:\Windows\System\ccBWWXU.exe
      2⤵
      • Executes dropped EXE
      PID:2216
    • C:\Windows\System\iCLvQSN.exe
      C:\Windows\System\iCLvQSN.exe
      2⤵
      • Executes dropped EXE
      PID:4548
    • C:\Windows\System\RbDYSnN.exe
      C:\Windows\System\RbDYSnN.exe
      2⤵
      • Executes dropped EXE
      PID:2152
    • C:\Windows\System\iJYlmup.exe
      C:\Windows\System\iJYlmup.exe
      2⤵
      • Executes dropped EXE
      PID:1296
    • C:\Windows\System\IItwkro.exe
      C:\Windows\System\IItwkro.exe
      2⤵
      • Executes dropped EXE
      PID:1152
    • C:\Windows\System\ozkwEzP.exe
      C:\Windows\System\ozkwEzP.exe
      2⤵
      • Executes dropped EXE
      PID:3048
    • C:\Windows\System\BtrmrMh.exe
      C:\Windows\System\BtrmrMh.exe
      2⤵
      • Executes dropped EXE
      PID:4108
    • C:\Windows\System\PldxwHl.exe
      C:\Windows\System\PldxwHl.exe
      2⤵
      • Executes dropped EXE
      PID:5084
    • C:\Windows\System\uspNldK.exe
      C:\Windows\System\uspNldK.exe
      2⤵
      • Executes dropped EXE
      PID:1984
    • C:\Windows\System\isNNgmm.exe
      C:\Windows\System\isNNgmm.exe
      2⤵
      • Executes dropped EXE
      PID:2800
    • C:\Windows\System\rLRurxo.exe
      C:\Windows\System\rLRurxo.exe
      2⤵
      • Executes dropped EXE
      PID:2124
    • C:\Windows\System\upEdJpU.exe
      C:\Windows\System\upEdJpU.exe
      2⤵
      • Executes dropped EXE
      PID:1076
    • C:\Windows\System\KCsAqBx.exe
      C:\Windows\System\KCsAqBx.exe
      2⤵
      • Executes dropped EXE
      PID:2748
    • C:\Windows\System\rvvBUzh.exe
      C:\Windows\System\rvvBUzh.exe
      2⤵
      • Executes dropped EXE
      PID:3012
    • C:\Windows\System\TTNiknC.exe
      C:\Windows\System\TTNiknC.exe
      2⤵
      • Executes dropped EXE
      PID:1516
    • C:\Windows\System\GuLkOZs.exe
      C:\Windows\System\GuLkOZs.exe
      2⤵
      • Executes dropped EXE
      PID:2568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System\BWCRjkF.exe

    Filesize

    5.9MB

    MD5

    1207b82fdaea14c234253a3e7cf3a3fa

    SHA1

    b216116b38ea508a3cd395097e0d650fee5f6e57

    SHA256

    0572a146141007717c1185f380f0df71fb7a7842975db85d49d3edd35b6037b1

    SHA512

    0c5dd1da93bdbda68e9a743ba53d5f5565e6bebffd56c86fd2869d3ee7a11278ac7da66a30c4b691a5af50bdfc9773a61b366c1167fe9294ec56471541b8695f

  • C:\Windows\System\BtrmrMh.exe

    Filesize

    5.9MB

    MD5

    d89db565af779c4ce17aa928496d77b9

    SHA1

    f42308fc5c9ff2374250d79dae07bef363f631b1

    SHA256

    a044040e624aa135af2da12a64db83c9b75805cd00e554a8516a3648038e5360

    SHA512

    ad4a176aff6c14d55c9894a07588d3d0ae25e47d2ea49ebdfa4298b4048ecd7779ecd4096672297a65ea14744881c246a2f4019a2ccf6ce9df5fc3e7193d2025

  • C:\Windows\System\GuLkOZs.exe

    Filesize

    5.9MB

    MD5

    c80ad6b415c9f04a53b51d8b0e9c01c1

    SHA1

    6e807987f1b634b4eedcb3c6d0aa0a6284ca79a5

    SHA256

    339a7dfc47af6d1e2c10aa416a65cb42cf16407a619fbe7aba8963aab803825e

    SHA512

    8fd9c485566c70c1c8ff2f4b762cae8d5cad191dada66c911b3b03e302da0fbd17befb9b7ee88c7fa7c25c994453caa6a8943ec0ac2365eba2da57fb9d914f23

  • C:\Windows\System\IItwkro.exe

    Filesize

    5.9MB

    MD5

    3318bc748bc16e7ffa2990730f5a6c3a

    SHA1

    8fb730075e9ddb46c923b198a93b9a09ab7bdf36

    SHA256

    afa9929a60660b12affe2415b15196fbc1ed36048e36c412dd7a945afc0f179c

    SHA512

    384983b62b459ecedae87fcd5e67055359eb268a6f5e0bb66d7a82769864084bead6628c01af6a2f6f7a9b7165c0906869b500203602b454721813f898c535d8

  • C:\Windows\System\KCsAqBx.exe

    Filesize

    5.9MB

    MD5

    85bf8664ab41bae97d809d22dc73b6f2

    SHA1

    82578727983e83deef5cf2e084b2e03a98bf577e

    SHA256

    29b47cac35a35a9bf5d11a4b245d0fba37a29096d23a6ecf386a397dceb80771

    SHA512

    6ba6e8abdae3099f87e9cfad113a9351ae6bb6b6c5acced675a15487ddbab4a1fd00056d554f23ae2717a6709f879e99d8a464512f65f0d642282b68a4df0c87

  • C:\Windows\System\PldxwHl.exe

    Filesize

    5.9MB

    MD5

    6f0d181fd09becafda8a560b0068a50b

    SHA1

    29cb281bcc53834821dc99c8c22ff5e73b724d91

    SHA256

    9e458671a323366f4ba5d2b071e4025d0790793479dbda1eccfbf3f857f88740

    SHA512

    a821e4cb83793434620ee458e2c0a86673befd42e714cd467c69c60a7b4911825fc0dc31567dd6b73e8af5c79945c3eee630e5c240596cb8c506a75a01e6cd20

  • C:\Windows\System\PtbCGYe.exe

    Filesize

    5.9MB

    MD5

    25ec551d9776b81f1216df11e4dfed20

    SHA1

    49d64d50aca5d7d1ab5f1673c89c13181d689d14

    SHA256

    897f7e1ae96d8c34b93bad43a55657c25340caacc9c55d8a495127142293004a

    SHA512

    d344eeca63af4776b0122384fbe978ae4d162c8049d58e6af409c8fa93af35376c6aa66040033d4f6ab113cb854c24596092f110944b5c8d5411993652fd169f

  • C:\Windows\System\RbDYSnN.exe

    Filesize

    5.9MB

    MD5

    530e85fcd86416cbda51f4c2548b7cc6

    SHA1

    252aa640a721e30ab8739124d3c2d10ec621bb37

    SHA256

    b0dd0e3bb50bc3675e2de4ac901f744ffd15661d81a270b66fb28a885b8365b2

    SHA512

    cce43d13d254633bea1a41a0de0971ecc5194e8518524e8515bdb74b7b473b62ae949060cb079e7f3d7c20465ab3a42c47e84ac31bd1426386d72f0da31fa0c3

  • C:\Windows\System\TTNiknC.exe

    Filesize

    5.9MB

    MD5

    f5f051e2b7f5ec53dcbfd06e5d0c31bb

    SHA1

    42d67434217bba8dc08d78fea952e42f8fc6aec3

    SHA256

    c90e33c0c926b3e4c51d777eb1c6951054816f7d794ca8c4d5a2a71576689c26

    SHA512

    74dc1b645cd032793826a5e9403c9144e72d1985a07d17d832bc8f24ee3bc399c6239cc4f98ca34c2d2b2d3fca9f7dbdbb3abfeea4efe0e4458bf1d49d33697f

  • C:\Windows\System\ccBWWXU.exe

    Filesize

    5.9MB

    MD5

    c31f526518fc197dd6b31ed92a7e6f6d

    SHA1

    8ee84244f0403b8a708523cf6f5ed90dca593bd2

    SHA256

    d82372543f7f581cc36ff0dd07cdafc85f5556cd19d87873aa0104789e09cd24

    SHA512

    40943e766a6588056b68dea8926f37c7dd37a3fd17b26a4d8997921334c035be33f9ed4105ca33850d1461956fb5f6ec2b07efc2103e31ca660134d6feb4bee9

  • C:\Windows\System\egnRHEY.exe

    Filesize

    5.9MB

    MD5

    6a983f74654186362df998ed95c465ef

    SHA1

    0dfa6744682bb9fe97915496672d924ba016e9bb

    SHA256

    89565e6492d66c11940c74fdb75346dc97a20ba8c73446df77cbc27887a3899b

    SHA512

    6582116266a889ccfc85460f0a28a648cf032d6339d87c2c73ec24e943d73b3f982124d07d628ca61fb9b07da62794c24e79ba93857da4c3ff0483b9d540217c

  • C:\Windows\System\iCLvQSN.exe

    Filesize

    5.9MB

    MD5

    81c694a0168be528b03eb39800b66055

    SHA1

    6bfb6b36b63cce4716b271303d6a6504889eb215

    SHA256

    95b49d76f053460b19c16d09251d77337f85de9062d9a2697d3bf2f9f59fbae1

    SHA512

    a22dfd01c7d01b6c586acd4ed3f0c3112cb27122dc8f91d6f1e9449b723d8b85fd9fa4005a062e529dca67bdf7a060ac9ea24b957b898db1f0ac7ad792afba7f

  • C:\Windows\System\iJYlmup.exe

    Filesize

    5.9MB

    MD5

    890b063c15aeb84ed0748cbd94328b1c

    SHA1

    04b51ebb4d7094bfcee3f62e7119a8ea00a19619

    SHA256

    198c9d0f51038a29076cbdf830c259a782d560c5ef2a599ebac8ae4a9ca71af9

    SHA512

    e6e349940cf1e57bcca8f5c1d92effeb7b2c50037b311c293c15aa5f323db0820c686c14b449408c1f01e2dc15c5c1a5a5606ec21119749802df489389c47af3

  • C:\Windows\System\isNNgmm.exe

    Filesize

    5.9MB

    MD5

    f556bc3dfd1590d2a74dbcda4bc7b21a

    SHA1

    a06bea4380fc5205062a2daf409f85d5381e32dc

    SHA256

    72155f8813f12b63718d829c1774b7b7ea96a64682e18d5f6b2fb3ba7a4266aa

    SHA512

    73982bbc19a21794021893d6568be7c571d35cd5242691ecdb36f4be0a1f7aefc20eef2962eb4328263175fd45f64f5fe4c8bdd069364cb9dc4fa00f54a33507

  • C:\Windows\System\ozkwEzP.exe

    Filesize

    5.9MB

    MD5

    7b642fd032d8ac9a40d40aff934aa234

    SHA1

    6e94c5b8e605e46f3d98ee7c8a2b4792fd5d3176

    SHA256

    50555f44d31e17e9495c55126ed3252907540e412765ae68cfa087a89d59225b

    SHA512

    2c4bcdaf3e0bb1420c53aeacf8667fd4ade30a64642188fbd3d002baba4edc836fed422d363eb4b4b8077e4d6cb6ab5f61d8f4927299c6532d74e70978fa08fd

  • C:\Windows\System\rLRurxo.exe

    Filesize

    5.9MB

    MD5

    4faa4027e008b8320d52ef93c8e7d53d

    SHA1

    08acb1a718783b1eaf59fd0db4a682fd06f3fd9e

    SHA256

    628f2d36d4a3d7ac752a2ef88a3e25dd9fa84fbcd56e9895e83bdc5bb9cc056a

    SHA512

    5ab81c6b18c416f2dfeb3f4dda17ec748e9ff9a1b6823d7f2130d76a332b07adac330832633426b49148afe5df4dc88aaa9be7888975ce41868b7b8f96840c40

  • C:\Windows\System\rdIQJEY.exe

    Filesize

    5.9MB

    MD5

    86e180c89e27d8a12e9cf260a210d974

    SHA1

    d21e7ade6ce414fe9102ce63478c561441dad930

    SHA256

    09afa404d5613f97a72aaa8d58d3c0d9193e74d3d5c8f593539614a2f5fe639a

    SHA512

    6636e8e52f3fc4dc676da4ecdb905461d04dc7104f6431ab17e9de3abd8d9d39f0a285a1c3ef0e3f920ddf5bf2ab2930f6eb0061efca514f9695afad784895e3

  • C:\Windows\System\rvvBUzh.exe

    Filesize

    5.9MB

    MD5

    d4d56d5be8a96b35b5d053e3cabdfca0

    SHA1

    67719fb86c23e60d6c5a4ff33c0f7dd827c39c4c

    SHA256

    d2bccf875cc184599e2bead49a48e389d719e08ca0daf119973340e3c3c027ff

    SHA512

    167e428d38e14dd01aa48c6e975ad526bfb66f43bedee47299ddb92ed0f302707a99f2f022367539fd3dd44c0b1a3118ba5e042873cc0caa14183980532e15a9

  • C:\Windows\System\upEdJpU.exe

    Filesize

    5.9MB

    MD5

    b0115820ae7391bcb50a655c03c3f132

    SHA1

    256e4869087f9d279f72367c271ece27441b4be4

    SHA256

    dcab42a2e6417dbdd6ee1fc0eb6fa03efe89bf80de14f1aad3a6b0fca35fcf24

    SHA512

    06cddb4a7a5a9b2ca325194420e766b3b0454f72ad238db87a29e01d92567d2a56fbd0507104b295ef73c83d562fcf8a4eaab9412eea568009a47e99f7b495d6

  • C:\Windows\System\uspNldK.exe

    Filesize

    5.9MB

    MD5

    901593e43df02fcb506ee95061a4334c

    SHA1

    58954d89d52d049baf52e40b07d6ef6873995be3

    SHA256

    b51cce4b39d83cf05c0dde7ffe0400862d39401efab7ccee2d86d7d5ebcd2932

    SHA512

    1a62554863c4fb33d7f400d3c9c675c0b8b616d9a6c7cba7663af91bb83d7017f9d3f36b7152ce2d1d4256967646fe985b2d14280e248a753520cb93be0f137c

  • C:\Windows\System\yDxcSAU.exe

    Filesize

    5.9MB

    MD5

    be6b10620fd705ea1a48479ca8b20945

    SHA1

    93075cf251182763634e344d3d5867ed8a107791

    SHA256

    5b1a8df58fc0f567d019b6721a8ddf045f976c05fcf4f0ee6a46efba47eae18b

    SHA512

    e7989a389ed76c63ff65ac03f16d92c7724b1b0a37ffa3bccf1bae002f62d8c98e94ac6eab865ffc1f3b243e8d708e08bae49a4c7bc9549b54a860955c07d04f

  • memory/232-76-0x00007FF798C10000-0x00007FF798F64000-memory.dmp

    Filesize

    3.3MB

  • memory/232-137-0x00007FF798C10000-0x00007FF798F64000-memory.dmp

    Filesize

    3.3MB

  • memory/232-12-0x00007FF798C10000-0x00007FF798F64000-memory.dmp

    Filesize

    3.3MB

  • memory/536-71-0x00007FF7BAC70000-0x00007FF7BAFC4000-memory.dmp

    Filesize

    3.3MB

  • memory/536-136-0x00007FF7BAC70000-0x00007FF7BAFC4000-memory.dmp

    Filesize

    3.3MB

  • memory/536-7-0x00007FF7BAC70000-0x00007FF7BAFC4000-memory.dmp

    Filesize

    3.3MB

  • memory/1076-125-0x00007FF6DFC70000-0x00007FF6DFFC4000-memory.dmp

    Filesize

    3.3MB

  • memory/1076-155-0x00007FF6DFC70000-0x00007FF6DFFC4000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-70-0x00007FF6B7F70000-0x00007FF6B82C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-145-0x00007FF6B7F70000-0x00007FF6B82C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1296-144-0x00007FF7F2500000-0x00007FF7F2854000-memory.dmp

    Filesize

    3.3MB

  • memory/1296-133-0x00007FF7F2500000-0x00007FF7F2854000-memory.dmp

    Filesize

    3.3MB

  • memory/1296-56-0x00007FF7F2500000-0x00007FF7F2854000-memory.dmp

    Filesize

    3.3MB

  • memory/1516-128-0x00007FF70A3B0000-0x00007FF70A704000-memory.dmp

    Filesize

    3.3MB

  • memory/1516-151-0x00007FF70A3B0000-0x00007FF70A704000-memory.dmp

    Filesize

    3.3MB

  • memory/1568-140-0x00007FF61F940000-0x00007FF61FC94000-memory.dmp

    Filesize

    3.3MB

  • memory/1568-32-0x00007FF61F940000-0x00007FF61FC94000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-131-0x00007FF7FD500000-0x00007FF7FD854000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-149-0x00007FF7FD500000-0x00007FF7FD854000-memory.dmp

    Filesize

    3.3MB

  • memory/2040-139-0x00007FF697350000-0x00007FF6976A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2040-130-0x00007FF697350000-0x00007FF6976A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2040-25-0x00007FF697350000-0x00007FF6976A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2124-124-0x00007FF6DCFB0000-0x00007FF6DD304000-memory.dmp

    Filesize

    3.3MB

  • memory/2124-156-0x00007FF6DCFB0000-0x00007FF6DD304000-memory.dmp

    Filesize

    3.3MB

  • memory/2152-143-0x00007FF6A3440000-0x00007FF6A3794000-memory.dmp

    Filesize

    3.3MB

  • memory/2152-50-0x00007FF6A3440000-0x00007FF6A3794000-memory.dmp

    Filesize

    3.3MB

  • memory/2216-141-0x00007FF6FF900000-0x00007FF6FFC54000-memory.dmp

    Filesize

    3.3MB

  • memory/2216-38-0x00007FF6FF900000-0x00007FF6FFC54000-memory.dmp

    Filesize

    3.3MB

  • memory/2568-154-0x00007FF72C220000-0x00007FF72C574000-memory.dmp

    Filesize

    3.3MB

  • memory/2568-129-0x00007FF72C220000-0x00007FF72C574000-memory.dmp

    Filesize

    3.3MB

  • memory/2748-153-0x00007FF717C20000-0x00007FF717F74000-memory.dmp

    Filesize

    3.3MB

  • memory/2748-126-0x00007FF717C20000-0x00007FF717F74000-memory.dmp

    Filesize

    3.3MB

  • memory/2800-132-0x00007FF60E190000-0x00007FF60E4E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2800-150-0x00007FF60E190000-0x00007FF60E4E4000-memory.dmp

    Filesize

    3.3MB

  • memory/3008-62-0x00007FF6473E0000-0x00007FF647734000-memory.dmp

    Filesize

    3.3MB

  • memory/3008-0-0x00007FF6473E0000-0x00007FF647734000-memory.dmp

    Filesize

    3.3MB

  • memory/3008-1-0x00000291C5FE0000-0x00000291C5FF0000-memory.dmp

    Filesize

    64KB

  • memory/3012-152-0x00007FF7D05B0000-0x00007FF7D0904000-memory.dmp

    Filesize

    3.3MB

  • memory/3012-127-0x00007FF7D05B0000-0x00007FF7D0904000-memory.dmp

    Filesize

    3.3MB

  • memory/3048-75-0x00007FF6CC7C0000-0x00007FF6CCB14000-memory.dmp

    Filesize

    3.3MB

  • memory/3048-146-0x00007FF6CC7C0000-0x00007FF6CCB14000-memory.dmp

    Filesize

    3.3MB

  • memory/3548-138-0x00007FF710DF0000-0x00007FF711144000-memory.dmp

    Filesize

    3.3MB

  • memory/3548-18-0x00007FF710DF0000-0x00007FF711144000-memory.dmp

    Filesize

    3.3MB

  • memory/3548-81-0x00007FF710DF0000-0x00007FF711144000-memory.dmp

    Filesize

    3.3MB

  • memory/4108-147-0x00007FF7D6BD0000-0x00007FF7D6F24000-memory.dmp

    Filesize

    3.3MB

  • memory/4108-78-0x00007FF7D6BD0000-0x00007FF7D6F24000-memory.dmp

    Filesize

    3.3MB

  • memory/4108-134-0x00007FF7D6BD0000-0x00007FF7D6F24000-memory.dmp

    Filesize

    3.3MB

  • memory/4548-44-0x00007FF6AFC60000-0x00007FF6AFFB4000-memory.dmp

    Filesize

    3.3MB

  • memory/4548-142-0x00007FF6AFC60000-0x00007FF6AFFB4000-memory.dmp

    Filesize

    3.3MB

  • memory/5084-148-0x00007FF6007F0000-0x00007FF600B44000-memory.dmp

    Filesize

    3.3MB

  • memory/5084-135-0x00007FF6007F0000-0x00007FF600B44000-memory.dmp

    Filesize

    3.3MB

  • memory/5084-87-0x00007FF6007F0000-0x00007FF600B44000-memory.dmp

    Filesize

    3.3MB