Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2024 22:22

General

  • Target

    2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    8668c8f2f3e9fa8c6c7e9d4a3dd1ec08

  • SHA1

    9897e9b1b3e3c2743dc60303ccd6fe14b81f4d6d

  • SHA256

    bb7e98681e0fa5c70515989a29b492392c48c83e0cb41e505eccc6e71408d4b4

  • SHA512

    9fb6aa4c915e9cd5667e3a875e04cb97b6010b7ec41409503d55276228d4a0ad787d948723fe5cdc96ba5bc9c5806d524198af894c740f99c05abcb6263926c6

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUN:Q+856utgpPF8u/7N

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 4 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 4 IoCs
  • UPX dump on OEP (original entry point) 50 IoCs
  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-06_8668c8f2f3e9fa8c6c7e9d4a3dd1ec08_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4476
    • C:\Windows\System\ZmpHGwy.exe
      C:\Windows\System\ZmpHGwy.exe
      2⤵
      • Executes dropped EXE
      PID:1788
    • C:\Windows\System\tUVSrsK.exe
      C:\Windows\System\tUVSrsK.exe
      2⤵
      • Executes dropped EXE
      PID:4376
    • C:\Windows\System\hRgCHIi.exe
      C:\Windows\System\hRgCHIi.exe
      2⤵
      • Executes dropped EXE
      PID:468
    • C:\Windows\System\dlBLvsy.exe
      C:\Windows\System\dlBLvsy.exe
      2⤵
      • Executes dropped EXE
      PID:4832
    • C:\Windows\System\phYEEAb.exe
      C:\Windows\System\phYEEAb.exe
      2⤵
      • Executes dropped EXE
      PID:1164
    • C:\Windows\System\RqyeXLY.exe
      C:\Windows\System\RqyeXLY.exe
      2⤵
      • Executes dropped EXE
      PID:1476
    • C:\Windows\System\bRuPPpf.exe
      C:\Windows\System\bRuPPpf.exe
      2⤵
      • Executes dropped EXE
      PID:4280
    • C:\Windows\System\diBDrhz.exe
      C:\Windows\System\diBDrhz.exe
      2⤵
      • Executes dropped EXE
      PID:4540
    • C:\Windows\System\iscjGGR.exe
      C:\Windows\System\iscjGGR.exe
      2⤵
      • Executes dropped EXE
      PID:2588
    • C:\Windows\System\bvFXWpt.exe
      C:\Windows\System\bvFXWpt.exe
      2⤵
      • Executes dropped EXE
      PID:4996
    • C:\Windows\System\IsWCUGA.exe
      C:\Windows\System\IsWCUGA.exe
      2⤵
      • Executes dropped EXE
      PID:2512
    • C:\Windows\System\iDDcGHa.exe
      C:\Windows\System\iDDcGHa.exe
      2⤵
      • Executes dropped EXE
      PID:4836
    • C:\Windows\System\xCIkquB.exe
      C:\Windows\System\xCIkquB.exe
      2⤵
      • Executes dropped EXE
      PID:4552
    • C:\Windows\System\ropVOqb.exe
      C:\Windows\System\ropVOqb.exe
      2⤵
      • Executes dropped EXE
      PID:2008
    • C:\Windows\System\dplpwIn.exe
      C:\Windows\System\dplpwIn.exe
      2⤵
      • Executes dropped EXE
      PID:2212
    • C:\Windows\System\sQPsBQz.exe
      C:\Windows\System\sQPsBQz.exe
      2⤵
      • Executes dropped EXE
      PID:2620
    • C:\Windows\System\LdJjERU.exe
      C:\Windows\System\LdJjERU.exe
      2⤵
      • Executes dropped EXE
      PID:3204
    • C:\Windows\System\AtGKlQa.exe
      C:\Windows\System\AtGKlQa.exe
      2⤵
      • Executes dropped EXE
      PID:1660
    • C:\Windows\System\tgDTONA.exe
      C:\Windows\System\tgDTONA.exe
      2⤵
      • Executes dropped EXE
      PID:1316
    • C:\Windows\System\fjzPiXT.exe
      C:\Windows\System\fjzPiXT.exe
      2⤵
      • Executes dropped EXE
      PID:4128
    • C:\Windows\System\ZYktjwb.exe
      C:\Windows\System\ZYktjwb.exe
      2⤵
      • Executes dropped EXE
      PID:1216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System\AtGKlQa.exe

    Filesize

    1.8MB

    MD5

    4ebd1901e669a14d40cee031fd206e82

    SHA1

    48b4d9303ce77228a3ead5a9a71386291542a98f

    SHA256

    877be2224a2b649da5f78203ecb3453feb6fa6bbbc2d6c8d511c50eacb8915e1

    SHA512

    c4c64ecded98a2388cd280fbf03b1c4943ae108cca32936b19ec1dc9b1e2275f8c7fb5cb86b3ef39ae05d629ddb91ee9822452b1bc6582399603f35642ecf087

  • C:\Windows\System\AtGKlQa.exe

    Filesize

    1.9MB

    MD5

    0b1dc771469fa6753e7aace834956918

    SHA1

    ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7

    SHA256

    60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6

    SHA512

    6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60

  • C:\Windows\System\IsWCUGA.exe

    Filesize

    1.8MB

    MD5

    c665d55523745ebd550a2c4296ad8ec9

    SHA1

    43f72a8e93454ded742dbec7a7c84f59cb0d6520

    SHA256

    4ce197747d9fbeeec8496c26db012627d7ce7e6aa1a732a7c731d6ef8431204b

    SHA512

    57b316ce017c765c9f224c8ed85aafffadf3e3509d0b9d8b28c09b7a506bf84dd5216ab3d5048ad1f637628cef7585aca82701224766df2dd48aff33618c1454

  • C:\Windows\System\RqyeXLY.exe

    Filesize

    5.9MB

    MD5

    fad07c7a375cc77c8bad2ea403df7368

    SHA1

    8200f7b45ecaed3456453756d4786a31808f3cfd

    SHA256

    848657e546ac40e70071a28e39a41e9f0cee0588a6bdcdef5b8fb03d5de4f894

    SHA512

    d89f63fb6b3890d9d0d0450493738c1a7fd582703900f09647482ca9fef7f0381cd65a49803cbe6b29cf051716ac782e278d093757a86d15a4e9b25cc419cbe6

  • C:\Windows\System\ZYktjwb.exe

    Filesize

    5.9MB

    MD5

    743c7a20f2416269c3c8d975e4f19d3c

    SHA1

    ec03184ed7d21e18ad8febd61a391967dd7c43fa

    SHA256

    5268a9f9c3d42bc7a82775797a6ec28c7588a17d79fc51326d6588568564e10a

    SHA512

    b1cd99523c5be9a534c9ef28e57b8e1e140d71839b403f162bfe939de2f7f0ebf35a9df380b91846f3d2e9d464027806147a61b7c336973bd2a0e93c87567250

  • C:\Windows\System\ZmpHGwy.exe

    Filesize

    5.6MB

    MD5

    1e2459942327eb396bd8cd9cbc885d14

    SHA1

    b979cbcb517509c30843efb1d91bef30f1f24a44

    SHA256

    54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a

    SHA512

    62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7

  • C:\Windows\System\ZmpHGwy.exe

    Filesize

    5.9MB

    MD5

    d3837ca3413f4d20dc77c300ad94bf7b

    SHA1

    5edb0290bb49eebe78382797deb751c35ada0f2e

    SHA256

    b8684428e6d0602a5a0ae01f4fefbc058e0f7a274b072f4dc06fc74bb2bee322

    SHA512

    0a6886de3310457e99409e144bd9702c17e905523c9c76ffbcf077d1d2be8a48d5cfb28a7a54919d7bbe79362504be1bbdc3b2d22c40e1842cd31b89fd9fa46a

  • C:\Windows\System\bRuPPpf.exe

    Filesize

    5.5MB

    MD5

    992e15ebc2245cf970acce9948576d6c

    SHA1

    3322f50d4aebf915abc8a5277cd07a23adf5f127

    SHA256

    34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5

    SHA512

    2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7

  • C:\Windows\System\bvFXWpt.exe

    Filesize

    1.1MB

    MD5

    cefe7ebbcbdc6a5e5023e2ad8530b25b

    SHA1

    6e0d7ab1a6ddd7ee739d050791a70816c80e15a8

    SHA256

    6ab2207c199b9f50a07b7695194b47a621541e0d37d9b22f0438e67dcb93d475

    SHA512

    93f98af6631d01c751345fac9f47be26cfbc75dd9db0dd1fbd6fa2e5834aa5211f8d199ade4392a702dd45e08ec6d96b6b5fac0e6e70a1f9a03484c2b65fa844

  • C:\Windows\System\diBDrhz.exe

    Filesize

    3.6MB

    MD5

    b5d6c8b472f6137523570f20868f4041

    SHA1

    61a520c4e5802e3278d223745c0d5b53798489c3

    SHA256

    df7d971e23b4ededa31b1693094cae103f35c8a092bea9c558c1e9bba9ccc324

    SHA512

    310f2bca69858a022c70080fd06c881ff6459ee943f0afef48d3fc47591912fad27b5857e0c076a90ca0c03ab0f8ff278f0a7686305712014a6bb182fc4a4229

  • C:\Windows\System\dlBLvsy.exe

    Filesize

    5.8MB

    MD5

    984a8cf637fc9f46a5be1646493a183b

    SHA1

    eff3045fcb5d0b4a9321004fdd3e94f3f336f5af

    SHA256

    0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068

    SHA512

    f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

  • C:\Windows\System\dplpwIn.exe

    Filesize

    5.9MB

    MD5

    f6cdfb3d88537b367792cbd894bd98ed

    SHA1

    3d3f99c94c72c456dffcf949bc5d30603a7e936c

    SHA256

    05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86

    SHA512

    0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

  • C:\Windows\System\hRgCHIi.exe

    Filesize

    5.6MB

    MD5

    38e1b7b0b9aa649f5c14f03127a6d132

    SHA1

    3917ca36707cd2c4dba6b6926d34a14a7bb117b1

    SHA256

    ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72

    SHA512

    47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0

  • C:\Windows\System\hRgCHIi.exe

    Filesize

    3.6MB

    MD5

    0628374c349921c969043e8b725a574d

    SHA1

    d4d4b61d7abb11c25e423140f9a833a035819e3d

    SHA256

    6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0

    SHA512

    2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1

  • C:\Windows\System\iDDcGHa.exe

    Filesize

    1.7MB

    MD5

    170dd624fc04fc3839f9c4b66a089ce7

    SHA1

    689050489367e9d7989856de58d7dae4b3e867bb

    SHA256

    2882c9c886d8464419d873a9064b43411cb65ebce3e3928914a03cf014d51b3b

    SHA512

    6c2577b1133dc0e707ddd0582933138a814bc91876e45b902c1ce646d61afa9efa2788e7db3f897838eebb25c1faa4d564ec0bef69844aab72cc22ec6531ab9a

  • C:\Windows\System\iDDcGHa.exe

    Filesize

    2.7MB

    MD5

    93bacfc3d845f374627b012c3a61a1e5

    SHA1

    f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae

    SHA256

    4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d

    SHA512

    63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83

  • C:\Windows\System\iscjGGR.exe

    Filesize

    5.9MB

    MD5

    8b592ebc427ce6b4826fa180a69cff56

    SHA1

    acfc770de548ae9c41e951ebf8abf5982f9294d6

    SHA256

    81a46b1e4dd2171ddec998b02bdfd73ebdac717ca7fd10ee232b057422b63dfd

    SHA512

    8643954ce51286995297408025887a21e022256d16986e79cc5da9d8bfa1a3d6a134715963c7034b704067d4d6faac5b6f2e0c5f8fc35e4eb33d354c717e50f8

  • C:\Windows\System\phYEEAb.exe

    Filesize

    1.2MB

    MD5

    3ed5a609fc99609f477b127cb1075f8e

    SHA1

    efbe9eae011603d0818e0ea87d848f4505a8ca00

    SHA256

    f5c7ed548f4ba98079252e02c14f981d3b1b5468313f0be262b25ccc06a1f939

    SHA512

    adf3c7526c8d008f32ef1391728203330e532d5ab3157f9a2a7fe21b8a1324527c1ba05f5b2198a9d7b1cc621dddfe091207ec334b309442cd5608fc15d0fd18

  • C:\Windows\System\sQPsBQz.exe

    Filesize

    1.2MB

    MD5

    711965c0ed770375b388ea9b5ea57c70

    SHA1

    21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2

    SHA256

    c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666

    SHA512

    1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428

  • C:\Windows\System\sQPsBQz.exe

    Filesize

    5.4MB

    MD5

    8003c8ca1c6255c4a9df50b61d369786

    SHA1

    ef521c59d5519424152618453d9a1ec413a267cf

    SHA256

    caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8

    SHA512

    0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795

  • C:\Windows\System\tUVSrsK.exe

    Filesize

    1.9MB

    MD5

    ca2c8fc23ac2c4dd58545d16927e5bef

    SHA1

    b94b35150eb75787af3ce6aea401e04f2ec70fc4

    SHA256

    51b2f421412d1c153d42b830056e97b87fc530680dc92b4e38ffc670147a2fef

    SHA512

    1d2438ad0849ebaa3adb73c2fd279bcc7d191070217788022edef321689dfafee2b67a7644710d778788f25a062e16a16f37020f5aabaf59a89fd5b4e304a9ce

  • C:\Windows\System\tUVSrsK.exe

    Filesize

    5.8MB

    MD5

    d087d60bee972482ba414dde57d94064

    SHA1

    0e58102d75409e85387c950e86f4cc96da371515

    SHA256

    1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9

    SHA512

    500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b

  • C:\Windows\System\xCIkquB.exe

    Filesize

    1.1MB

    MD5

    d872631fef320bcfe95799f5b4c466cb

    SHA1

    451a1400f207f69d35ba907e243aed76879dcd2c

    SHA256

    2c35d06862247b330fc3f8d9e6af582fea555fda1909ac568685a45fc440b438

    SHA512

    2386867492e72b11ef633226d6bd8e4694f30ef287e4120da56c256823abf746800962069c455536682137d30dfdae1f3be9dfc70d5390788973809462de138d

  • memory/468-20-0x00007FF655CD0000-0x00007FF656024000-memory.dmp

    Filesize

    3.3MB

  • memory/468-143-0x00007FF655CD0000-0x00007FF656024000-memory.dmp

    Filesize

    3.3MB

  • memory/1164-145-0x00007FF6AEED0000-0x00007FF6AF224000-memory.dmp

    Filesize

    3.3MB

  • memory/1164-97-0x00007FF6AEED0000-0x00007FF6AF224000-memory.dmp

    Filesize

    3.3MB

  • memory/1164-30-0x00007FF6AEED0000-0x00007FF6AF224000-memory.dmp

    Filesize

    3.3MB

  • memory/1216-140-0x00007FF69A3B0000-0x00007FF69A704000-memory.dmp

    Filesize

    3.3MB

  • memory/1216-161-0x00007FF69A3B0000-0x00007FF69A704000-memory.dmp

    Filesize

    3.3MB

  • memory/1216-134-0x00007FF69A3B0000-0x00007FF69A704000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-139-0x00007FF63CE10000-0x00007FF63D164000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-159-0x00007FF63CE10000-0x00007FF63D164000-memory.dmp

    Filesize

    3.3MB

  • memory/1316-121-0x00007FF63CE10000-0x00007FF63D164000-memory.dmp

    Filesize

    3.3MB

  • memory/1476-102-0x00007FF6C92E0000-0x00007FF6C9634000-memory.dmp

    Filesize

    3.3MB

  • memory/1476-146-0x00007FF6C92E0000-0x00007FF6C9634000-memory.dmp

    Filesize

    3.3MB

  • memory/1476-36-0x00007FF6C92E0000-0x00007FF6C9634000-memory.dmp

    Filesize

    3.3MB

  • memory/1660-158-0x00007FF7E98F0000-0x00007FF7E9C44000-memory.dmp

    Filesize

    3.3MB

  • memory/1660-119-0x00007FF7E98F0000-0x00007FF7E9C44000-memory.dmp

    Filesize

    3.3MB

  • memory/1660-138-0x00007FF7E98F0000-0x00007FF7E9C44000-memory.dmp

    Filesize

    3.3MB

  • memory/1788-141-0x00007FF796670000-0x00007FF7969C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1788-71-0x00007FF796670000-0x00007FF7969C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1788-7-0x00007FF796670000-0x00007FF7969C4000-memory.dmp

    Filesize

    3.3MB

  • memory/2008-154-0x00007FF6F5E90000-0x00007FF6F61E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2008-136-0x00007FF6F5E90000-0x00007FF6F61E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2008-87-0x00007FF6F5E90000-0x00007FF6F61E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2212-101-0x00007FF77B7D0000-0x00007FF77BB24000-memory.dmp

    Filesize

    3.3MB

  • memory/2212-155-0x00007FF77B7D0000-0x00007FF77BB24000-memory.dmp

    Filesize

    3.3MB

  • memory/2512-74-0x00007FF77EEA0000-0x00007FF77F1F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2512-151-0x00007FF77EEA0000-0x00007FF77F1F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2588-59-0x00007FF7EC5D0000-0x00007FF7EC924000-memory.dmp

    Filesize

    3.3MB

  • memory/2588-149-0x00007FF7EC5D0000-0x00007FF7EC924000-memory.dmp

    Filesize

    3.3MB

  • memory/2588-117-0x00007FF7EC5D0000-0x00007FF7EC924000-memory.dmp

    Filesize

    3.3MB

  • memory/2620-156-0x00007FF798E90000-0x00007FF7991E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2620-106-0x00007FF798E90000-0x00007FF7991E4000-memory.dmp

    Filesize

    3.3MB

  • memory/3204-108-0x00007FF694EA0000-0x00007FF6951F4000-memory.dmp

    Filesize

    3.3MB

  • memory/3204-157-0x00007FF694EA0000-0x00007FF6951F4000-memory.dmp

    Filesize

    3.3MB

  • memory/3204-137-0x00007FF694EA0000-0x00007FF6951F4000-memory.dmp

    Filesize

    3.3MB

  • memory/4128-160-0x00007FF710D30000-0x00007FF711084000-memory.dmp

    Filesize

    3.3MB

  • memory/4128-129-0x00007FF710D30000-0x00007FF711084000-memory.dmp

    Filesize

    3.3MB

  • memory/4280-147-0x00007FF7C7F80000-0x00007FF7C82D4000-memory.dmp

    Filesize

    3.3MB

  • memory/4280-41-0x00007FF7C7F80000-0x00007FF7C82D4000-memory.dmp

    Filesize

    3.3MB

  • memory/4280-107-0x00007FF7C7F80000-0x00007FF7C82D4000-memory.dmp

    Filesize

    3.3MB

  • memory/4376-14-0x00007FF7FB510000-0x00007FF7FB864000-memory.dmp

    Filesize

    3.3MB

  • memory/4376-142-0x00007FF7FB510000-0x00007FF7FB864000-memory.dmp

    Filesize

    3.3MB

  • memory/4476-0-0x00007FF768BE0000-0x00007FF768F34000-memory.dmp

    Filesize

    3.3MB

  • memory/4476-64-0x00007FF768BE0000-0x00007FF768F34000-memory.dmp

    Filesize

    3.3MB

  • memory/4476-1-0x0000021B2A800000-0x0000021B2A810000-memory.dmp

    Filesize

    64KB

  • memory/4540-148-0x00007FF6CD0A0000-0x00007FF6CD3F4000-memory.dmp

    Filesize

    3.3MB

  • memory/4540-52-0x00007FF6CD0A0000-0x00007FF6CD3F4000-memory.dmp

    Filesize

    3.3MB

  • memory/4552-81-0x00007FF79CBC0000-0x00007FF79CF14000-memory.dmp

    Filesize

    3.3MB

  • memory/4552-135-0x00007FF79CBC0000-0x00007FF79CF14000-memory.dmp

    Filesize

    3.3MB

  • memory/4552-153-0x00007FF79CBC0000-0x00007FF79CF14000-memory.dmp

    Filesize

    3.3MB

  • memory/4832-86-0x00007FF7C0410000-0x00007FF7C0764000-memory.dmp

    Filesize

    3.3MB

  • memory/4832-26-0x00007FF7C0410000-0x00007FF7C0764000-memory.dmp

    Filesize

    3.3MB

  • memory/4832-144-0x00007FF7C0410000-0x00007FF7C0764000-memory.dmp

    Filesize

    3.3MB

  • memory/4836-76-0x00007FF684E40000-0x00007FF685194000-memory.dmp

    Filesize

    3.3MB

  • memory/4836-152-0x00007FF684E40000-0x00007FF685194000-memory.dmp

    Filesize

    3.3MB

  • memory/4996-150-0x00007FF78F8F0000-0x00007FF78FC44000-memory.dmp

    Filesize

    3.3MB

  • memory/4996-65-0x00007FF78F8F0000-0x00007FF78FC44000-memory.dmp

    Filesize

    3.3MB