Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2024 11:49

General

  • Target

    2024-06-06_81937f385524e513c3335390ffa4ce94_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    81937f385524e513c3335390ffa4ce94

  • SHA1

    0e836b276b1fcc4d451ff8c690dbfcd24ea8d7d1

  • SHA256

    acfc09ac9e8ace846210d8ad53a648cd365c36142abad8f6f1e379ebc0b1214f

  • SHA512

    70cd7e8fde42b50d7e0299b960851e10f4239d7ff4002e8c93a2bb132e6a4510dd48d1c1b29634f0ef4e71325cbd4890cd9e6f20e5341709dc36731a2acb9424

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUO:Q+856utgpPF8u/7O

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 64 IoCs
  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-06_81937f385524e513c3335390ffa4ce94_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-06_81937f385524e513c3335390ffa4ce94_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\System\nXsHXFY.exe
      C:\Windows\System\nXsHXFY.exe
      2⤵
      • Executes dropped EXE
      PID:2148
    • C:\Windows\System\PWGBVOb.exe
      C:\Windows\System\PWGBVOb.exe
      2⤵
      • Executes dropped EXE
      PID:2880
    • C:\Windows\System\sSIqCzj.exe
      C:\Windows\System\sSIqCzj.exe
      2⤵
      • Executes dropped EXE
      PID:2324
    • C:\Windows\System\EvjEtQL.exe
      C:\Windows\System\EvjEtQL.exe
      2⤵
      • Executes dropped EXE
      PID:1688
    • C:\Windows\System\epeDNbi.exe
      C:\Windows\System\epeDNbi.exe
      2⤵
      • Executes dropped EXE
      PID:4712
    • C:\Windows\System\FUqmXqb.exe
      C:\Windows\System\FUqmXqb.exe
      2⤵
      • Executes dropped EXE
      PID:232
    • C:\Windows\System\LPlorLY.exe
      C:\Windows\System\LPlorLY.exe
      2⤵
      • Executes dropped EXE
      PID:5020
    • C:\Windows\System\ZesCYKz.exe
      C:\Windows\System\ZesCYKz.exe
      2⤵
      • Executes dropped EXE
      PID:1552
    • C:\Windows\System\BrKTDjT.exe
      C:\Windows\System\BrKTDjT.exe
      2⤵
      • Executes dropped EXE
      PID:872
    • C:\Windows\System\zVpXoOW.exe
      C:\Windows\System\zVpXoOW.exe
      2⤵
      • Executes dropped EXE
      PID:4640
    • C:\Windows\System\IfAWSZi.exe
      C:\Windows\System\IfAWSZi.exe
      2⤵
      • Executes dropped EXE
      PID:1680
    • C:\Windows\System\tFknxzi.exe
      C:\Windows\System\tFknxzi.exe
      2⤵
      • Executes dropped EXE
      PID:1368
    • C:\Windows\System\HEQyIRI.exe
      C:\Windows\System\HEQyIRI.exe
      2⤵
      • Executes dropped EXE
      PID:1816
    • C:\Windows\System\nUqijBj.exe
      C:\Windows\System\nUqijBj.exe
      2⤵
      • Executes dropped EXE
      PID:408
    • C:\Windows\System\QwqHcuC.exe
      C:\Windows\System\QwqHcuC.exe
      2⤵
      • Executes dropped EXE
      PID:1248
    • C:\Windows\System\NBgemjV.exe
      C:\Windows\System\NBgemjV.exe
      2⤵
      • Executes dropped EXE
      PID:4968
    • C:\Windows\System\THCqdYe.exe
      C:\Windows\System\THCqdYe.exe
      2⤵
      • Executes dropped EXE
      PID:904
    • C:\Windows\System\BzJOQQk.exe
      C:\Windows\System\BzJOQQk.exe
      2⤵
      • Executes dropped EXE
      PID:3732
    • C:\Windows\System\bqaQwLa.exe
      C:\Windows\System\bqaQwLa.exe
      2⤵
      • Executes dropped EXE
      PID:3584
    • C:\Windows\System\svLuXCV.exe
      C:\Windows\System\svLuXCV.exe
      2⤵
      • Executes dropped EXE
      PID:1940
    • C:\Windows\System\jCyywLm.exe
      C:\Windows\System\jCyywLm.exe
      2⤵
      • Executes dropped EXE
      PID:4692
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4328 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3368

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\System\BrKTDjT.exe

      Filesize

      5.9MB

      MD5

      34580d84c21bf253872782fb85f88fc2

      SHA1

      9a4779eb0851537c391cf77f83bc60679466e372

      SHA256

      e90ce16d7cb5bfb2702facd9fc663f64ce2315420429ad0f316d9c83c703696c

      SHA512

      8623554300e79935f2b68779639e0eb5774fb48e54591904eeaf7f2bd301689b92acfb7f79eb6efb2cd855c148d543b73c8825da76f4844d9ea13844efd5da67

    • C:\Windows\System\BzJOQQk.exe

      Filesize

      4.0MB

      MD5

      f505e9632fbd4a5d58adc9e4173d1271

      SHA1

      1bde162a3fb4ccb17e2151f596876ce0481e68a3

      SHA256

      470c9e84848117759613eb687b446759f7d07a7f41d04dc436b012f7f509e2e6

      SHA512

      e198372dce29bd351d9034837bc88bf336ab45518f945c233b0df8303eb7db6dfe81aa40e79300136ac6bc7ee0344b1f19f04eb515a02bbb33d814e047faaccf

    • C:\Windows\System\BzJOQQk.exe

      Filesize

      5.9MB

      MD5

      ba204c26b3c105b8dae1ff23b8788069

      SHA1

      e7e6d6e5375683dbf4a37603625920bef60385ec

      SHA256

      d3c84cec93ab3c11cd3b9f875171af2dfb7191c77a251c92d5edab0092028182

      SHA512

      b4a2cde55af39eb076f927c04db1553c59f7e04799dec73e965eba8446734142c1a559a36e6caf7106001757b5a3e86f1f0ec11f239c9955ece1e9af02f2530d

    • C:\Windows\System\EvjEtQL.exe

      Filesize

      5.9MB

      MD5

      4946978206da5c92b0a80e5895287180

      SHA1

      949eff4a57a54dae69531d30aae1170ab864a89a

      SHA256

      dcf0c461fd4ad38afee5cf800716757fee3e78834ba852e2416105f7de292a5a

      SHA512

      a64a103744c31ef676d314da4a31a18219d4d075ca807dc0d0aec1a4fd4301bf93461e9501704a5bca2172fdfce0dbb7c73eda8d02b300796a85998f90901487

    • C:\Windows\System\FUqmXqb.exe

      Filesize

      5.9MB

      MD5

      4c8deee6a6e894500c41feb5511a9609

      SHA1

      17341a466914dcd52a5a27c8bd54408ea956d630

      SHA256

      dc3ca37576ae633c6856bb57d1e4f3fb98153292c573160a14645420293583e4

      SHA512

      a9272146309cf567e26ee21ea5e130c0b46fe65d7cec86eb0913d1fffbbd3f88a4e4cc3a98c2d3e40138c61c98f3a68b289d3caad190d5f686c9b16c8601b1d1

    • C:\Windows\System\HEQyIRI.exe

      Filesize

      5.9MB

      MD5

      93d282c52edcf97cac98f5b82de612c0

      SHA1

      48faa3b43c8610915f1910be6851b45ed7797df4

      SHA256

      95c900258a20b5c5d1ee0a28bdd807638b98306bffc1dd9d72098ca531e687d7

      SHA512

      b7590ca1602e7bf36b3612c7a4f6d052bc68264d41cd86613f79a3fd5f970a2e27d390704a1ee8865d3ceb374682bfbd31d591cc0a7dc31106d42095e5939889

    • C:\Windows\System\IfAWSZi.exe

      Filesize

      5.9MB

      MD5

      4023ec3db7b50b526e46f86fa04e8ab0

      SHA1

      cbbd633405e09e38b67d8964c63225c107775ffa

      SHA256

      93f8a7c81584900788e708fd610efbed073e0a9b7431e6273ed1ed31812ada8b

      SHA512

      354d50e57e8e710fdb401696d2018a589ae08407da3e71c41a05853f410f6f2efa7cef152047667206a92478f878162739817dd6855fc5bd2f234eec0d4f895b

    • C:\Windows\System\LPlorLY.exe

      Filesize

      5.9MB

      MD5

      df7c78c9245b448ca9c2d969b42f96e8

      SHA1

      804c04df9fa11d7181db7f980937e1fdfa045f44

      SHA256

      efbc77d339212deef25d643ee73e71ef366fe243e99cd97244a5c10285874a0e

      SHA512

      90a086865d77c97a1a5d95ee08f704d1ef6b19c09439a3b58cdcbbcf11cc265b4f111b046ad0d28b80f9963295d5f7a235f36f01b65bbd79ed355865c94b927c

    • C:\Windows\System\NBgemjV.exe

      Filesize

      5.9MB

      MD5

      84e3cc23a0cc4db6c2824a7297e85585

      SHA1

      58b3aaf55d93f4f97ac6637b711931b1532573c5

      SHA256

      f06fd810daff294fff159499c1f035659a7c239b00df3d7c295e999eb1698db1

      SHA512

      2f1d439f17f59d1d376970d6928840c534aff27d77c18d574f088e4db23b14b0164327751bf8181a2bcd198296af6da5705b77a40d8833761c20e3b5e725ca34

    • C:\Windows\System\PWGBVOb.exe

      Filesize

      5.9MB

      MD5

      f2328333dcf994fc988d26d232ca05b4

      SHA1

      ac78350eb11d1e45ab0dc251fd35a0fdb04a41d7

      SHA256

      633f236b1b14110734a81690c784ecbecb64bf38f31b239b81041e53a8314481

      SHA512

      99940524266a6d187080be67c482320ff9536efc936849058cbb9857c3007a4405d3e0e21bf60c2d81b14a3c18675c6179663df5be322a5d6e7fd19c514bcebc

    • C:\Windows\System\QwqHcuC.exe

      Filesize

      5.9MB

      MD5

      d93bab9e68d38387d55b0f8e83bca1be

      SHA1

      80e3790b645c787913c0645d99ca91834b65eaae

      SHA256

      439e39e2f481127bfca865abea772a1854c398f85b6d6f410d02586f3cd455bb

      SHA512

      556a5a13bd1bc4dee94694aa2f609aa71a2ad16fe0259e4333276b817ee0a0e8b6c4b9531f07b771f109c7cf62a58197c553847228aa3261e78e3b9ec9d9d609

    • C:\Windows\System\THCqdYe.exe

      Filesize

      5.9MB

      MD5

      f1adbed926c94b447add99bdb12fc033

      SHA1

      2a85f6310cce1f98051691ef41017f71bb3adfad

      SHA256

      50b50f85ebad328fd4961a85e433f06ce00f7863efef1e74bd0c553939781049

      SHA512

      f79b96a40e30c01480529421dd20d1b682db7577ddd192a6fd328edaa57698a047ee2bf1644a38e5be1adaa1660b960b4ae4424ae0da51a9bbd704f150952a52

    • C:\Windows\System\ZesCYKz.exe

      Filesize

      5.9MB

      MD5

      a96cc16bebb83d25bd469d712f4a922e

      SHA1

      1df160176cadc3d9c90c221d5d3c146c1d7548ee

      SHA256

      812f7f7c46df507b73766c51d7e14ed699d7602b0f363d9ea4926bc099228945

      SHA512

      97004e02ce42a87199c194c1da9710d64c43bf48412fc9a758be0370144be4561b07c7781e1b86da1fe8fb1724f060b1dec252774df5e4dc85c0722a67f17cc8

    • C:\Windows\System\bqaQwLa.exe

      Filesize

      5.9MB

      MD5

      c75339da5c2b2c7529f3d87eaacc2c2d

      SHA1

      d2cd15fd8fc7e07b08ee48d26134922f7bf420a3

      SHA256

      a17ca365cc9916e897627acb2968f7b00de1e69fa3e5b02d893e7e2fa560ba70

      SHA512

      4a2d85502fe0f4f40763c4bce7647c328c1fce9b691e0c9e1cb25435fa98d5d2cacd62040b257d2ef6f426efe5eef04f3a78201734f66b632a6afb5c9d394488

    • C:\Windows\System\epeDNbi.exe

      Filesize

      5.9MB

      MD5

      67678c7d734b32e238fdff4acdd891f4

      SHA1

      07cb730edd4e1a859a2b003b0d143711f6a31a20

      SHA256

      b38c1b1fd0bbb4abc05b2881889b986d1c71db1f2fec4b3538d632f8fd2ef4f9

      SHA512

      d755d777642fc177febcc8109bd84401c3b58dbc114aa1295eb8a05b8081d7bfdd8055738bc597320750fec70159085c59d6bd4789f85845f4691585a97170ad

    • C:\Windows\System\jCyywLm.exe

      Filesize

      5.4MB

      MD5

      8003c8ca1c6255c4a9df50b61d369786

      SHA1

      ef521c59d5519424152618453d9a1ec413a267cf

      SHA256

      caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8

      SHA512

      0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795

    • C:\Windows\System\jCyywLm.exe

      Filesize

      5.9MB

      MD5

      55c02656e6928f889a6a18d13ce9aada

      SHA1

      7f79721be2dd807c6a9f4fe32b8c9b88fba1b76b

      SHA256

      afdac34a6632971aa741a45f658133ccdd0111ac50334457a4c97eeec63a5e2b

      SHA512

      89c75cf1c3c62c5dabe2b6f4f44bc28a9a4f37e75b6d6098e32315ba4750564e31fc26fd9f0333ae53465b901c6f692e3e806d70ff0447d1bb553b930b9ebfff

    • C:\Windows\System\nUqijBj.exe

      Filesize

      5.9MB

      MD5

      957f826706292e24fd92a9c0d874f4de

      SHA1

      5580de874b29f47de9fe15cc78cce6e9b29ede53

      SHA256

      d2a35892671a5d92507c46c707bab861af1dfc793245510d99077e0dcc1e0c14

      SHA512

      169ce0d4221d745e9e2e55ba5866fad909ecdf42e0e88fc7873bedd1a7e639b740f7ed667fc1ef42d32b7821ec3f91469cd9248a57d1a028a8cc2b88d4d7c246

    • C:\Windows\System\nXsHXFY.exe

      Filesize

      5.9MB

      MD5

      fe9a15d0b4074e67cdf8282ae13343ec

      SHA1

      9bdb69dffb6b69efa2853cccdc80e4d98ccc3827

      SHA256

      48faf902c69df78fc533582efb15b14413d216a9da3fc4d8a3a96c7312012d66

      SHA512

      81651b5114e18296985af5267f0f846524f9ffac4c985ce8d5587708167fa5d8cf701a39b0e3d11b57f2b6df8987d259950d02fa623363e2e2a9bb77bd9d51b8

    • C:\Windows\System\sSIqCzj.exe

      Filesize

      5.9MB

      MD5

      453eb2880726823f66f8f07c4811a28c

      SHA1

      bd807a619d102530fdfac629c3e50eb42a088bc4

      SHA256

      ba9891410100674c12b78c500e01d1c5907ce74f06fc2c0f4766eff2eeb113e4

      SHA512

      b5f9dc2941ac839ad5d9a972d77ac337c06ebe1b864f7fec800d31984ba82d3949c37b1d33ab7085ec9ea19456f03677535965bbfd0561daa92d39c11b26d497

    • C:\Windows\System\svLuXCV.exe

      Filesize

      5.9MB

      MD5

      c787af84586e6c632b01bf5ea9f8726e

      SHA1

      2708f42d050d7d1a8b25102807764bada03848c7

      SHA256

      ef4889d9a40898207eb22d765059293d0c7664626dc22bc6016c18c3673a35fe

      SHA512

      4f0cfca0a9244730bbb80818bf0290bec9a6be291aeca4ef6828b6af33ec35c73d88f4c320637f2885b3037bb8baaff22a223701b00c05d163b2bc0bc31d5cd1

    • C:\Windows\System\tFknxzi.exe

      Filesize

      5.9MB

      MD5

      485275387e4bab1522dd2973564651b7

      SHA1

      cf67b4da186f3a48dda29d7e3f3deba397f1bc6b

      SHA256

      9620d335f9d1c347679d07c181d331d72605bd4c425b5e126d1fb470b5c7917f

      SHA512

      b8a5602a147194c5d73797cab48f8b21974ec5d8399af51459a4a7bb0f7e5a80fbaa58642f8d709e5806ae72e3207b2ce88888ee57b9a2adf2157b030aacdee8

    • C:\Windows\System\zVpXoOW.exe

      Filesize

      5.9MB

      MD5

      6c9a45b7e5bc2d164043bc399d5a9aa2

      SHA1

      adb9e2f53ee4ac7dcc3b9408b44ffce6ea1bbdf0

      SHA256

      7b49d1d627ab16c848caf53cba729d6b2884797d4b1666aadf84d47cac1be267

      SHA512

      23c08d6bae3defbe7da35a099c95ffd7293ffe105fc4f431b5bf57564a702b6e2815b394aad8ea1229a212326588fbb9852d4d09b4b63d244c8220eb3610b8d1

    • memory/232-115-0x00007FF6110B0000-0x00007FF611404000-memory.dmp

      Filesize

      3.3MB

    • memory/232-145-0x00007FF6110B0000-0x00007FF611404000-memory.dmp

      Filesize

      3.3MB

    • memory/232-38-0x00007FF6110B0000-0x00007FF611404000-memory.dmp

      Filesize

      3.3MB

    • memory/408-92-0x00007FF798880000-0x00007FF798BD4000-memory.dmp

      Filesize

      3.3MB

    • memory/408-153-0x00007FF798880000-0x00007FF798BD4000-memory.dmp

      Filesize

      3.3MB

    • memory/872-130-0x00007FF7153D0000-0x00007FF715724000-memory.dmp

      Filesize

      3.3MB

    • memory/872-148-0x00007FF7153D0000-0x00007FF715724000-memory.dmp

      Filesize

      3.3MB

    • memory/872-55-0x00007FF7153D0000-0x00007FF715724000-memory.dmp

      Filesize

      3.3MB

    • memory/904-112-0x00007FF689CB0000-0x00007FF68A004000-memory.dmp

      Filesize

      3.3MB

    • memory/904-156-0x00007FF689CB0000-0x00007FF68A004000-memory.dmp

      Filesize

      3.3MB

    • memory/1248-154-0x00007FF7D0410000-0x00007FF7D0764000-memory.dmp

      Filesize

      3.3MB

    • memory/1248-93-0x00007FF7D0410000-0x00007FF7D0764000-memory.dmp

      Filesize

      3.3MB

    • memory/1248-137-0x00007FF7D0410000-0x00007FF7D0764000-memory.dmp

      Filesize

      3.3MB

    • memory/1368-79-0x00007FF7B9E50000-0x00007FF7BA1A4000-memory.dmp

      Filesize

      3.3MB

    • memory/1368-151-0x00007FF7B9E50000-0x00007FF7BA1A4000-memory.dmp

      Filesize

      3.3MB

    • memory/1552-129-0x00007FF636470000-0x00007FF6367C4000-memory.dmp

      Filesize

      3.3MB

    • memory/1552-50-0x00007FF636470000-0x00007FF6367C4000-memory.dmp

      Filesize

      3.3MB

    • memory/1552-147-0x00007FF636470000-0x00007FF6367C4000-memory.dmp

      Filesize

      3.3MB

    • memory/1680-78-0x00007FF7B2EB0000-0x00007FF7B3204000-memory.dmp

      Filesize

      3.3MB

    • memory/1680-150-0x00007FF7B2EB0000-0x00007FF7B3204000-memory.dmp

      Filesize

      3.3MB

    • memory/1688-143-0x00007FF6A9790000-0x00007FF6A9AE4000-memory.dmp

      Filesize

      3.3MB

    • memory/1688-94-0x00007FF6A9790000-0x00007FF6A9AE4000-memory.dmp

      Filesize

      3.3MB

    • memory/1688-24-0x00007FF6A9790000-0x00007FF6A9AE4000-memory.dmp

      Filesize

      3.3MB

    • memory/1816-152-0x00007FF6FB9C0000-0x00007FF6FBD14000-memory.dmp

      Filesize

      3.3MB

    • memory/1816-90-0x00007FF6FB9C0000-0x00007FF6FBD14000-memory.dmp

      Filesize

      3.3MB

    • memory/1940-133-0x00007FF73BF50000-0x00007FF73C2A4000-memory.dmp

      Filesize

      3.3MB

    • memory/1940-159-0x00007FF73BF50000-0x00007FF73C2A4000-memory.dmp

      Filesize

      3.3MB

    • memory/2148-74-0x00007FF64FEA0000-0x00007FF6501F4000-memory.dmp

      Filesize

      3.3MB

    • memory/2148-7-0x00007FF64FEA0000-0x00007FF6501F4000-memory.dmp

      Filesize

      3.3MB

    • memory/2148-140-0x00007FF64FEA0000-0x00007FF6501F4000-memory.dmp

      Filesize

      3.3MB

    • memory/2324-20-0x00007FF6EABF0000-0x00007FF6EAF44000-memory.dmp

      Filesize

      3.3MB

    • memory/2324-142-0x00007FF6EABF0000-0x00007FF6EAF44000-memory.dmp

      Filesize

      3.3MB

    • memory/2748-1-0x00000213668C0000-0x00000213668D0000-memory.dmp

      Filesize

      64KB

    • memory/2748-0-0x00007FF7761F0000-0x00007FF776544000-memory.dmp

      Filesize

      3.3MB

    • memory/2748-62-0x00007FF7761F0000-0x00007FF776544000-memory.dmp

      Filesize

      3.3MB

    • memory/2880-14-0x00007FF742DD0000-0x00007FF743124000-memory.dmp

      Filesize

      3.3MB

    • memory/2880-80-0x00007FF742DD0000-0x00007FF743124000-memory.dmp

      Filesize

      3.3MB

    • memory/2880-141-0x00007FF742DD0000-0x00007FF743124000-memory.dmp

      Filesize

      3.3MB

    • memory/3584-138-0x00007FF6861C0000-0x00007FF686514000-memory.dmp

      Filesize

      3.3MB

    • memory/3584-122-0x00007FF6861C0000-0x00007FF686514000-memory.dmp

      Filesize

      3.3MB

    • memory/3584-158-0x00007FF6861C0000-0x00007FF686514000-memory.dmp

      Filesize

      3.3MB

    • memory/3732-157-0x00007FF689BB0000-0x00007FF689F04000-memory.dmp

      Filesize

      3.3MB

    • memory/3732-118-0x00007FF689BB0000-0x00007FF689F04000-memory.dmp

      Filesize

      3.3MB

    • memory/4640-149-0x00007FF790A90000-0x00007FF790DE4000-memory.dmp

      Filesize

      3.3MB

    • memory/4640-65-0x00007FF790A90000-0x00007FF790DE4000-memory.dmp

      Filesize

      3.3MB

    • memory/4692-139-0x00007FF739720000-0x00007FF739A74000-memory.dmp

      Filesize

      3.3MB

    • memory/4692-160-0x00007FF739720000-0x00007FF739A74000-memory.dmp

      Filesize

      3.3MB

    • memory/4692-136-0x00007FF739720000-0x00007FF739A74000-memory.dmp

      Filesize

      3.3MB

    • memory/4712-31-0x00007FF6FACE0000-0x00007FF6FB034000-memory.dmp

      Filesize

      3.3MB

    • memory/4712-144-0x00007FF6FACE0000-0x00007FF6FB034000-memory.dmp

      Filesize

      3.3MB

    • memory/4712-107-0x00007FF6FACE0000-0x00007FF6FB034000-memory.dmp

      Filesize

      3.3MB

    • memory/4968-111-0x00007FF697160000-0x00007FF6974B4000-memory.dmp

      Filesize

      3.3MB

    • memory/4968-155-0x00007FF697160000-0x00007FF6974B4000-memory.dmp

      Filesize

      3.3MB

    • memory/5020-42-0x00007FF7C5450000-0x00007FF7C57A4000-memory.dmp

      Filesize

      3.3MB

    • memory/5020-120-0x00007FF7C5450000-0x00007FF7C57A4000-memory.dmp

      Filesize

      3.3MB

    • memory/5020-146-0x00007FF7C5450000-0x00007FF7C57A4000-memory.dmp

      Filesize

      3.3MB