Analysis

  • max time kernel
    139s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-06-2024 14:02

General

  • Target

    2024-06-06_a3dc0d6f7e449349de7ca5b4f83b0a6f_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    a3dc0d6f7e449349de7ca5b4f83b0a6f

  • SHA1

    c9b14f0029676258d9d3cb301dd35974c4ad0e01

  • SHA256

    0abd22c36c4ee358aa6f8e14db796def6f1c98d166a226975ca1dc60d5101d35

  • SHA512

    a439dc995ff5e729d720d028dc8fa453154624dc91930a15afc0873a7d3cf8f4141e8a3178fb3a74a2537ed4b6b6b7b992de900fd8705c0a257c3f3712bff13e

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUM:Q+856utgpPF8u/7M

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 19 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 19 IoCs
  • UPX dump on OEP (original entry point) 64 IoCs
  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-06_a3dc0d6f7e449349de7ca5b4f83b0a6f_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-06_a3dc0d6f7e449349de7ca5b4f83b0a6f_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:32
    • C:\Windows\System\VfuwvgK.exe
      C:\Windows\System\VfuwvgK.exe
      2⤵
      • Executes dropped EXE
      PID:376
    • C:\Windows\System\laNvDFB.exe
      C:\Windows\System\laNvDFB.exe
      2⤵
      • Executes dropped EXE
      PID:1396
    • C:\Windows\System\efreIVY.exe
      C:\Windows\System\efreIVY.exe
      2⤵
      • Executes dropped EXE
      PID:1612
    • C:\Windows\System\OgQoeWt.exe
      C:\Windows\System\OgQoeWt.exe
      2⤵
      • Executes dropped EXE
      PID:3400
    • C:\Windows\System\UfNIYOI.exe
      C:\Windows\System\UfNIYOI.exe
      2⤵
      • Executes dropped EXE
      PID:2512
    • C:\Windows\System\YHNOPdu.exe
      C:\Windows\System\YHNOPdu.exe
      2⤵
      • Executes dropped EXE
      PID:2448
    • C:\Windows\System\HdCGQsl.exe
      C:\Windows\System\HdCGQsl.exe
      2⤵
      • Executes dropped EXE
      PID:2680
    • C:\Windows\System\fswQUlt.exe
      C:\Windows\System\fswQUlt.exe
      2⤵
      • Executes dropped EXE
      PID:2892
    • C:\Windows\System\LOIVOMe.exe
      C:\Windows\System\LOIVOMe.exe
      2⤵
      • Executes dropped EXE
      PID:3056
    • C:\Windows\System\HaSpCmP.exe
      C:\Windows\System\HaSpCmP.exe
      2⤵
      • Executes dropped EXE
      PID:3212
    • C:\Windows\System\ajrKQMD.exe
      C:\Windows\System\ajrKQMD.exe
      2⤵
      • Executes dropped EXE
      PID:2360
    • C:\Windows\System\ujWqeGj.exe
      C:\Windows\System\ujWqeGj.exe
      2⤵
      • Executes dropped EXE
      PID:1104
    • C:\Windows\System\cEXKour.exe
      C:\Windows\System\cEXKour.exe
      2⤵
      • Executes dropped EXE
      PID:892
    • C:\Windows\System\RSQTWbJ.exe
      C:\Windows\System\RSQTWbJ.exe
      2⤵
      • Executes dropped EXE
      PID:2232
    • C:\Windows\System\VibtlVK.exe
      C:\Windows\System\VibtlVK.exe
      2⤵
      • Executes dropped EXE
      PID:3308
    • C:\Windows\System\BEEBoAT.exe
      C:\Windows\System\BEEBoAT.exe
      2⤵
      • Executes dropped EXE
      PID:4488
    • C:\Windows\System\BsArtGv.exe
      C:\Windows\System\BsArtGv.exe
      2⤵
      • Executes dropped EXE
      PID:1092
    • C:\Windows\System\jvAEELF.exe
      C:\Windows\System\jvAEELF.exe
      2⤵
      • Executes dropped EXE
      PID:2128
    • C:\Windows\System\hBHAPlK.exe
      C:\Windows\System\hBHAPlK.exe
      2⤵
      • Executes dropped EXE
      PID:4060
    • C:\Windows\System\IMgPdlL.exe
      C:\Windows\System\IMgPdlL.exe
      2⤵
      • Executes dropped EXE
      PID:2640
    • C:\Windows\System\LLQrNCY.exe
      C:\Windows\System\LLQrNCY.exe
      2⤵
      • Executes dropped EXE
      PID:3544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System\BEEBoAT.exe

    Filesize

    5.6MB

    MD5

    1e2459942327eb396bd8cd9cbc885d14

    SHA1

    b979cbcb517509c30843efb1d91bef30f1f24a44

    SHA256

    54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a

    SHA512

    62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7

  • C:\Windows\System\BEEBoAT.exe

    Filesize

    5.9MB

    MD5

    77f8f21072dac1ee9d07d840530c306f

    SHA1

    b65ead298f6cd1fa23e97699165db581e72ee7b2

    SHA256

    2d6aba2aaeba18cc06f762f8364357b655a69ddd9dbcf2c8ff45bb564e565604

    SHA512

    3dbd8f5d62bb53d28e78e9e0f7d48cafc944e1b0da976cbd3eac372d54877ad67b53d48b2c75d22f634e24f7a5b3566f636c4cd311cdbf7bba364366007c1183

  • C:\Windows\System\BsArtGv.exe

    Filesize

    5.9MB

    MD5

    ec62c0e86d0f36f59df06eb52a678187

    SHA1

    c0e16dd397cb50916b9f7de2c69aa57ffd2c3776

    SHA256

    1cb0f1ada403f1f51497355481fdeb64a524b58b51336ac271cb58529d7fa9b4

    SHA512

    4f8f6d146199912b2882837c53d4234d13f94f1c6024ffe8aff4d92b2ad75c7fa714ce58947e5eefd41f04ed03ee3d38109387b2d9e87ccebfda58d66651ff67

  • C:\Windows\System\HaSpCmP.exe

    Filesize

    5.9MB

    MD5

    3b4457ade964db5acf793e21c2fe581e

    SHA1

    63da2219fb1bff858ac2695df466da45a1895125

    SHA256

    bcfd7e8015587afdf48f44787a05df4c1934f630618165c026b4c4db747b14c2

    SHA512

    6bb279df7e5c88c241279a105c3bc24876542b739dc635a290c8de793439e2b5db89076f841aef2e759d1ca9d9c7329c22da648136adbff11c180c5a8effd7c3

  • C:\Windows\System\HdCGQsl.exe

    Filesize

    5.9MB

    MD5

    fbe32ce044f8dfc66a37a3c38c83b598

    SHA1

    aedb44f2a6fed4339a87ce76630fa973287bf8a3

    SHA256

    567e6b7953bb0c31e42904b404798049d017a550715ccd4c1b1243edc5e2a387

    SHA512

    3ce659ba733b453cbcf4b5a1280975401ee4424b33f8b6a19b49209f8bc04c85e74373eaa4180fd3ebba6dda5ed2d4785d08159b990d503513e790627b711498

  • C:\Windows\System\IMgPdlL.exe

    Filesize

    5.8MB

    MD5

    984a8cf637fc9f46a5be1646493a183b

    SHA1

    eff3045fcb5d0b4a9321004fdd3e94f3f336f5af

    SHA256

    0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068

    SHA512

    f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

  • C:\Windows\System\LLQrNCY.exe

    Filesize

    5.9MB

    MD5

    16b2f93ed6b38ef6bc92b73f200d8e1e

    SHA1

    87519f601ce5125521bfce35d7118b11371e1c61

    SHA256

    4886906caf92a14794047a517b5f3cdb89c7ea395814c57712e0e75186e3859e

    SHA512

    e27df770ae77007a032ecaf8cb731f57114a10ebd6c0e63a535da0efbb8f3c6db02be78dd1ca2155c7da1d4663d1555fb3d4f18dcacb04edbcc0793acb2e4fc6

  • C:\Windows\System\LOIVOMe.exe

    Filesize

    5.9MB

    MD5

    2ddedcb6d02b5ac7b0d5db9d1afeeb9e

    SHA1

    b4b6a0f50913c354b550a9ab4f842102a774f3ac

    SHA256

    d344cfd9f3290a0ce0db2d6e5866413262389ba6aa8566459f8290c94bfc448d

    SHA512

    00343f42973e5440bc9e6f6ce9de20b8fd4c6d891c618cea6276079b47d3960ebf6e21bde10f0ad717a4167da6723ff7c2fc76299d0736681cd00f0bc88f3fde

  • C:\Windows\System\OgQoeWt.exe

    Filesize

    5.9MB

    MD5

    1ff2638ea02f70e22a2558f39c42461c

    SHA1

    068947e1adb37e128ee1960344d150a054c30cd9

    SHA256

    55812e32dd6d26bb23445f14a0360f91e9d1deea4589e3842ef0605515d05c00

    SHA512

    c02739a756a230b3dec7aabb0b80d76473ce8408a803ddf54bf53156b375068c2e637302b2b98d2e04d048c2022141081d46e0a06f3193b5c35397ece85989dd

  • C:\Windows\System\RSQTWbJ.exe

    Filesize

    5.9MB

    MD5

    f6cdfb3d88537b367792cbd894bd98ed

    SHA1

    3d3f99c94c72c456dffcf949bc5d30603a7e936c

    SHA256

    05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86

    SHA512

    0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

  • C:\Windows\System\RSQTWbJ.exe

    Filesize

    5.9MB

    MD5

    91c1aa234a43fc4c00247a0ebd6d1744

    SHA1

    ccb1441534b3255f355ead6795eb1a6bff504983

    SHA256

    5ced6765b3a3b8819763905fe34bb275625d7a72bd47c00703a4d035400e6184

    SHA512

    af51849a9d5e18524bec51453342933c25dc26994f65620d17eb734e007a6bf489b4d5fc8c09dc44552f84e9d79a3b76e4b32d5af40a62cdff2d4139a81b410f

  • C:\Windows\System\UfNIYOI.exe

    Filesize

    5.9MB

    MD5

    e1bdb469eaa5b9cdc9d97e719becbc50

    SHA1

    87985523fe2110e1e4068ac1c5b252ba9c66182b

    SHA256

    48eb198427c489d7a8088252ad97dae114774fdf2adec424121d1452e97d49cb

    SHA512

    ad234777538013b8444fb4b2135e66d3ca82b720d9c428a71d4cf143e49601b44beb39e6f789dfc04330a4785db375ca625601378766f6ef5e2b04d51819e5d7

  • C:\Windows\System\VfuwvgK.exe

    Filesize

    5.9MB

    MD5

    19e1cdcaddb559a183f9d8a428c6d4c6

    SHA1

    559515d5f69b401c10f9182700d863694b828bf6

    SHA256

    f57928d4720b704725050c24fa4b0b5283e67ac265a2c78e5528114c5e575956

    SHA512

    be35b527bf577761e7db30ea83f219aad13c9d5aae61e4bc1f5b5a39e8c5eb5aef8aed4a2347e5cca89ece654c6ffef2171726296ca1fa4fdc0f2be9e69bb95a

  • C:\Windows\System\VibtlVK.exe

    Filesize

    5.9MB

    MD5

    02bd553a239ddb5b26594aadb11982e4

    SHA1

    cdd6fd75a6c30b2ba45a811890dc53a163bdfa20

    SHA256

    8009c5532748c8687e03fb9e7ce8ef2abaff7147ce97f18f8966a945cbbf2a8a

    SHA512

    74a5910d424e32de5227915d3421e5579c25944d6e33327e941965e81a25dbe1b9d7f0f44a72afe1b8a481ad4b7a540b68716b7d91c647c16e851d823df4b4d9

  • C:\Windows\System\YHNOPdu.exe

    Filesize

    5.9MB

    MD5

    23031c30d35e79c1000b8e405c195f93

    SHA1

    28efef1e36016d265baa06e0b2072bbc98cddca3

    SHA256

    a99c4db148672df82fd8efddba1d6725375c9f02af0371f7cf7ff4dea47bd102

    SHA512

    bcbc2593de0886003e524576da8f004fbaf9bddb1c318cbdbfa68faca18c58cb61b09817741b5476d3b808508077933e0c362628baaf7ed13181479eb84d9f15

  • C:\Windows\System\ajrKQMD.exe

    Filesize

    5.9MB

    MD5

    3b450bd4056c45056503849e4ecd9de5

    SHA1

    4084f5ff469c45c23c726d39d7d6c13d5c8141e5

    SHA256

    a5f654d467eadc4a4cdb5d62128ac409aab76a74cb25f096be51080d27d69b7d

    SHA512

    adcabfe70d7be232e7a1f9a6ef6c8cac824dd9c93cd27fca36f7b319b523fc3569ad857634a50f497e487956146ac309d90dc1fbab808d3aee9e7e0ddebc0571

  • C:\Windows\System\cEXKour.exe

    Filesize

    5.9MB

    MD5

    de279d7b14af2f4457c0f914ff4f256f

    SHA1

    73bc0cb5a874db3eed8730278bc8294b2ed2c229

    SHA256

    73a89c898c62bec2fdecd552bea169d35038ada86c7bd52c86b542764b420416

    SHA512

    960eb8a5a3b408510d5288b465fce43925f272a4d0b4ef8196b87a715c4e7069861508b1ebccf6bd947eb72824489e4bc55e4e936240dc72b29d4d4ec52524b0

  • C:\Windows\System\efreIVY.exe

    Filesize

    5.9MB

    MD5

    158526d65e6d0a61ae4738f66f28ced7

    SHA1

    a3aa43b76faa284571504dfee028caf5048fc974

    SHA256

    185dd90af24b4418ec5d8ffae01f63d562103b5d103e746b894305ba37f1c46a

    SHA512

    fea633999d109b5af584489f300428b34657b08ec4534717fe8038e3a89506c0eef757856bd90e64402ba2bf0f81980e33fa13e3b59bde8acabc6e602cecd057

  • C:\Windows\System\fswQUlt.exe

    Filesize

    5.9MB

    MD5

    573e468b32b3a64246af67a9b95082e4

    SHA1

    2d6c59220bbf43429654dfe27469cccdc8d6b31f

    SHA256

    356ff3455fe0ff2ca3192936a0dd911cf9da092cb916460ef4e7b402199abb85

    SHA512

    a7884a0cc8ffcf6558f26fa81c34e94289ac687582e3b3d42e436504f263640dfba025576e05df1087a38859dfe1428ac6380792bd833843e357251042ad122b

  • C:\Windows\System\jvAEELF.exe

    Filesize

    5.9MB

    MD5

    a101049315cff6c9687bc2c303397076

    SHA1

    df5294fc254392c5a4fd7904e28e2409343bc59b

    SHA256

    f93783fdcaf2982fd82b3caa3805d7b8607df6c2a8f8148dcafeff5d03c690ef

    SHA512

    d40642521207146da29467a9bfb024c3ac6997f5dd31bff3d543ace3692d137398804a110804b1a5de921a324f54048bf8a93e1d809da4fd076740d22bdc6794

  • C:\Windows\System\laNvDFB.exe

    Filesize

    5.9MB

    MD5

    c8a80bb3fd1ae73b187a9a0b71bc7286

    SHA1

    c9ff79bb427bd425199561c31596caa82dd3ec62

    SHA256

    3dd17e357e6bdb62a9f1588dd5414528d8fdf4cd466afc3e1e40d9bbb99b6f12

    SHA512

    01108986330704647ebe010acb6495056377805934075b01a7969023ae3d84a67efc20aa3e3a76dec73ba373693bd9b2c2eadf682e97d63d06563c590e9095ad

  • C:\Windows\System\ujWqeGj.exe

    Filesize

    5.9MB

    MD5

    0c9653e2ee79269ae196379a8593296b

    SHA1

    f6bc0638f250b62c13e3f761cb9cbf1c62b5e790

    SHA256

    4ea605f3cef7e1c3a8f05948508313c8e57dca774532980463b7068c4fd0c284

    SHA512

    ce67610928466578b83ade77a12104418f1589eb5784586bf4d22069e2eebfea6c55dc87367dc5f3901425ac77933c7352dd499a587511b01f311c7e2ed9bb5f

  • memory/32-1-0x000002D5A1D80000-0x000002D5A1D90000-memory.dmp

    Filesize

    64KB

  • memory/32-0-0x00007FF76B230000-0x00007FF76B584000-memory.dmp

    Filesize

    3.3MB

  • memory/32-68-0x00007FF76B230000-0x00007FF76B584000-memory.dmp

    Filesize

    3.3MB

  • memory/376-80-0x00007FF6B3090000-0x00007FF6B33E4000-memory.dmp

    Filesize

    3.3MB

  • memory/376-138-0x00007FF6B3090000-0x00007FF6B33E4000-memory.dmp

    Filesize

    3.3MB

  • memory/376-8-0x00007FF6B3090000-0x00007FF6B33E4000-memory.dmp

    Filesize

    3.3MB

  • memory/892-150-0x00007FF7BDA70000-0x00007FF7BDDC4000-memory.dmp

    Filesize

    3.3MB

  • memory/892-84-0x00007FF7BDA70000-0x00007FF7BDDC4000-memory.dmp

    Filesize

    3.3MB

  • memory/1092-134-0x00007FF793B00000-0x00007FF793E54000-memory.dmp

    Filesize

    3.3MB

  • memory/1092-111-0x00007FF793B00000-0x00007FF793E54000-memory.dmp

    Filesize

    3.3MB

  • memory/1092-154-0x00007FF793B00000-0x00007FF793E54000-memory.dmp

    Filesize

    3.3MB

  • memory/1104-149-0x00007FF6587C0000-0x00007FF658B14000-memory.dmp

    Filesize

    3.3MB

  • memory/1104-83-0x00007FF6587C0000-0x00007FF658B14000-memory.dmp

    Filesize

    3.3MB

  • memory/1396-13-0x00007FF7B7A90000-0x00007FF7B7DE4000-memory.dmp

    Filesize

    3.3MB

  • memory/1396-139-0x00007FF7B7A90000-0x00007FF7B7DE4000-memory.dmp

    Filesize

    3.3MB

  • memory/1396-85-0x00007FF7B7A90000-0x00007FF7B7DE4000-memory.dmp

    Filesize

    3.3MB

  • memory/1612-140-0x00007FF666C10000-0x00007FF666F64000-memory.dmp

    Filesize

    3.3MB

  • memory/1612-20-0x00007FF666C10000-0x00007FF666F64000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-155-0x00007FF762500000-0x00007FF762854000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-135-0x00007FF762500000-0x00007FF762854000-memory.dmp

    Filesize

    3.3MB

  • memory/2128-116-0x00007FF762500000-0x00007FF762854000-memory.dmp

    Filesize

    3.3MB

  • memory/2232-151-0x00007FF7BE8C0000-0x00007FF7BEC14000-memory.dmp

    Filesize

    3.3MB

  • memory/2232-89-0x00007FF7BE8C0000-0x00007FF7BEC14000-memory.dmp

    Filesize

    3.3MB

  • memory/2360-74-0x00007FF733B20000-0x00007FF733E74000-memory.dmp

    Filesize

    3.3MB

  • memory/2360-148-0x00007FF733B20000-0x00007FF733E74000-memory.dmp

    Filesize

    3.3MB

  • memory/2448-36-0x00007FF65B610000-0x00007FF65B964000-memory.dmp

    Filesize

    3.3MB

  • memory/2448-106-0x00007FF65B610000-0x00007FF65B964000-memory.dmp

    Filesize

    3.3MB

  • memory/2448-143-0x00007FF65B610000-0x00007FF65B964000-memory.dmp

    Filesize

    3.3MB

  • memory/2512-142-0x00007FF7A9B40000-0x00007FF7A9E94000-memory.dmp

    Filesize

    3.3MB

  • memory/2512-32-0x00007FF7A9B40000-0x00007FF7A9E94000-memory.dmp

    Filesize

    3.3MB

  • memory/2640-125-0x00007FF72C4C0000-0x00007FF72C814000-memory.dmp

    Filesize

    3.3MB

  • memory/2640-137-0x00007FF72C4C0000-0x00007FF72C814000-memory.dmp

    Filesize

    3.3MB

  • memory/2640-157-0x00007FF72C4C0000-0x00007FF72C814000-memory.dmp

    Filesize

    3.3MB

  • memory/2680-144-0x00007FF7A25E0000-0x00007FF7A2934000-memory.dmp

    Filesize

    3.3MB

  • memory/2680-46-0x00007FF7A25E0000-0x00007FF7A2934000-memory.dmp

    Filesize

    3.3MB

  • memory/2892-55-0x00007FF72FF00000-0x00007FF730254000-memory.dmp

    Filesize

    3.3MB

  • memory/2892-145-0x00007FF72FF00000-0x00007FF730254000-memory.dmp

    Filesize

    3.3MB

  • memory/3056-57-0x00007FF7BEDB0000-0x00007FF7BF104000-memory.dmp

    Filesize

    3.3MB

  • memory/3056-146-0x00007FF7BEDB0000-0x00007FF7BF104000-memory.dmp

    Filesize

    3.3MB

  • memory/3212-62-0x00007FF668150000-0x00007FF6684A4000-memory.dmp

    Filesize

    3.3MB

  • memory/3212-147-0x00007FF668150000-0x00007FF6684A4000-memory.dmp

    Filesize

    3.3MB

  • memory/3308-152-0x00007FF7121E0000-0x00007FF712534000-memory.dmp

    Filesize

    3.3MB

  • memory/3308-94-0x00007FF7121E0000-0x00007FF712534000-memory.dmp

    Filesize

    3.3MB

  • memory/3308-133-0x00007FF7121E0000-0x00007FF712534000-memory.dmp

    Filesize

    3.3MB

  • memory/3400-93-0x00007FF64C6D0000-0x00007FF64CA24000-memory.dmp

    Filesize

    3.3MB

  • memory/3400-141-0x00007FF64C6D0000-0x00007FF64CA24000-memory.dmp

    Filesize

    3.3MB

  • memory/3400-26-0x00007FF64C6D0000-0x00007FF64CA24000-memory.dmp

    Filesize

    3.3MB

  • memory/3544-132-0x00007FF7F0880000-0x00007FF7F0BD4000-memory.dmp

    Filesize

    3.3MB

  • memory/3544-158-0x00007FF7F0880000-0x00007FF7F0BD4000-memory.dmp

    Filesize

    3.3MB

  • memory/4060-119-0x00007FF7D1D40000-0x00007FF7D2094000-memory.dmp

    Filesize

    3.3MB

  • memory/4060-156-0x00007FF7D1D40000-0x00007FF7D2094000-memory.dmp

    Filesize

    3.3MB

  • memory/4060-136-0x00007FF7D1D40000-0x00007FF7D2094000-memory.dmp

    Filesize

    3.3MB

  • memory/4488-102-0x00007FF68ED90000-0x00007FF68F0E4000-memory.dmp

    Filesize

    3.3MB

  • memory/4488-153-0x00007FF68ED90000-0x00007FF68F0E4000-memory.dmp

    Filesize

    3.3MB