Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-06-2024 01:40

General

  • Target

    2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    8c16781cae7bb12c1986fd74494e9bd9

  • SHA1

    e3d7e89bfc3c3105a6e61abffd3908066c840661

  • SHA256

    f3f91ff34eb039f19fc642217809df770bd0ed7f832397ac80b2945e351e0574

  • SHA512

    a2a62eab4f9f2998054b012de30b2fe8d931001acc840047526fb4a30d2516ac5ae31e4612884efc93b29fbbe2191257f2b222b05d5ab115ffd3614dd7178f1e

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU5:Q+856utgpPF8u/75

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 64 IoCs
  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-07_8c16781cae7bb12c1986fd74494e9bd9_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Windows\System\xYDbKeq.exe
      C:\Windows\System\xYDbKeq.exe
      2⤵
      • Executes dropped EXE
      PID:1632
    • C:\Windows\System\ntTLUre.exe
      C:\Windows\System\ntTLUre.exe
      2⤵
      • Executes dropped EXE
      PID:804
    • C:\Windows\System\zxMDhTR.exe
      C:\Windows\System\zxMDhTR.exe
      2⤵
      • Executes dropped EXE
      PID:636
    • C:\Windows\System\wsuMAqY.exe
      C:\Windows\System\wsuMAqY.exe
      2⤵
      • Executes dropped EXE
      PID:404
    • C:\Windows\System\GqKdwli.exe
      C:\Windows\System\GqKdwli.exe
      2⤵
      • Executes dropped EXE
      PID:4168
    • C:\Windows\System\QjfRoYk.exe
      C:\Windows\System\QjfRoYk.exe
      2⤵
      • Executes dropped EXE
      PID:2224
    • C:\Windows\System\ANtztmS.exe
      C:\Windows\System\ANtztmS.exe
      2⤵
      • Executes dropped EXE
      PID:3388
    • C:\Windows\System\ohEhELp.exe
      C:\Windows\System\ohEhELp.exe
      2⤵
      • Executes dropped EXE
      PID:3428
    • C:\Windows\System\xrCcMMv.exe
      C:\Windows\System\xrCcMMv.exe
      2⤵
      • Executes dropped EXE
      PID:3500
    • C:\Windows\System\BirMLNn.exe
      C:\Windows\System\BirMLNn.exe
      2⤵
      • Executes dropped EXE
      PID:1420
    • C:\Windows\System\GfXapPr.exe
      C:\Windows\System\GfXapPr.exe
      2⤵
      • Executes dropped EXE
      PID:4872
    • C:\Windows\System\HGniUjs.exe
      C:\Windows\System\HGniUjs.exe
      2⤵
      • Executes dropped EXE
      PID:5096
    • C:\Windows\System\QWVdeqg.exe
      C:\Windows\System\QWVdeqg.exe
      2⤵
      • Executes dropped EXE
      PID:4904
    • C:\Windows\System\auxffal.exe
      C:\Windows\System\auxffal.exe
      2⤵
      • Executes dropped EXE
      PID:1668
    • C:\Windows\System\LAdNlsZ.exe
      C:\Windows\System\LAdNlsZ.exe
      2⤵
      • Executes dropped EXE
      PID:4480
    • C:\Windows\System\WhZfDxw.exe
      C:\Windows\System\WhZfDxw.exe
      2⤵
      • Executes dropped EXE
      PID:932
    • C:\Windows\System\kWDNLuI.exe
      C:\Windows\System\kWDNLuI.exe
      2⤵
      • Executes dropped EXE
      PID:4632
    • C:\Windows\System\xmWpVln.exe
      C:\Windows\System\xmWpVln.exe
      2⤵
      • Executes dropped EXE
      PID:4488
    • C:\Windows\System\TcovHfv.exe
      C:\Windows\System\TcovHfv.exe
      2⤵
      • Executes dropped EXE
      PID:4524
    • C:\Windows\System\GCcKkCN.exe
      C:\Windows\System\GCcKkCN.exe
      2⤵
      • Executes dropped EXE
      PID:3280
    • C:\Windows\System\ZMynxrp.exe
      C:\Windows\System\ZMynxrp.exe
      2⤵
      • Executes dropped EXE
      PID:4828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System\ANtztmS.exe

    Filesize

    5.9MB

    MD5

    d944ca2612283e7cc8bff9c5d9b3e9c5

    SHA1

    a6bf45499331e7217e5a711bd6e191e6a4ad4849

    SHA256

    80a73b5162f8f2324a1f1339f24653a334baa6c77b9060f304e57857547d39f8

    SHA512

    39bc3090d954ef4785a72646db26eae12009c22fa6b38cdf3c2031a8c8b9004d8cd3d063be199f6cdf908e676458dc4555bacdb1ef902b552190a321cac8b387

  • C:\Windows\System\BirMLNn.exe

    Filesize

    5.9MB

    MD5

    d616c82a43b582913b15b54d6bde56f1

    SHA1

    271d5d32f29ec35e68b7d0c46766edcd6dad4584

    SHA256

    072a6077cd64f6872139b2491a83db308404d09990e24fbc17a087e13a08c858

    SHA512

    f1169530607db95b8031d9dbcbb08a4490163725baabaaccedaa4b96e3b7d40aef8cf94d0d79a88b046ddef95608f001cb332a4cde041ee4c79468c05175e87d

  • C:\Windows\System\GCcKkCN.exe

    Filesize

    5.9MB

    MD5

    fbca98362e27566b659da0a6693f3bb3

    SHA1

    dec4b89bebc0af02c8b15a763ca8324aa7e80283

    SHA256

    b28fcdac8afa569b2ad1d4bfea759734310d3d71d8ba1e0ad1d437a649c966eb

    SHA512

    c4ed3e57964b3a4851d00e1978b2dc4b0ef074d30be7aa6bf40e9d31d4ac60ec9403ec042ef5c5528ed0f772f8a97de9661d21941d07d01ce7d2da6ed820ce7e

  • C:\Windows\System\GfXapPr.exe

    Filesize

    5.9MB

    MD5

    7c4cef5f0bc0461873b814161f65a2ad

    SHA1

    b5cbc2c81fc667662f3e63ac586a06e06524dd49

    SHA256

    fc2b871201788f63fc8969f42384959b92c23915bc229232c181c1b25e2f7982

    SHA512

    0275c8ffa3471e57c95da6f412de6f7999e2577d230b6f3435979a735fa0319da4f2994ec2eb5e0e11273cb80ef6bb40756f7f9e218ed654d01ec4ddc24b0874

  • C:\Windows\System\GqKdwli.exe

    Filesize

    5.9MB

    MD5

    b14a6c224511f1aefcafa8ced45ed912

    SHA1

    496de9abca6b7178a0ab25b45e3a40bed5f3156c

    SHA256

    474ef8645d8a5401a6b40ba26bc363c55e27fc92834d1222ae069d6692f6b9cd

    SHA512

    696c040d552ea539bd85194508900adb7c4b9b00d91f43d2710069bc5cbef392525123f0c39b26636d3e0aebc05bbd11749d377951c00cfe4ce6d412263f1968

  • C:\Windows\System\HGniUjs.exe

    Filesize

    5.9MB

    MD5

    8a57c27852633556990c936dbb8ebe48

    SHA1

    c6772df46dee6c34fcbad590c64a707182eca2bc

    SHA256

    6a8baf96870e80b81af180ef40c057b22efdd8cb40c61e825d37a42797ccfcbd

    SHA512

    ad9249d53057fb136cd4aa75ccae4efa0d1dd1271f0b5d3a3a489ce1e160dc50c310207a3dd81f0db781943f85d8caa40ce6445b20eb82e95cbbacbbf5faec42

  • C:\Windows\System\LAdNlsZ.exe

    Filesize

    5.9MB

    MD5

    035369bb38dc7433bbf3084454c0a3d0

    SHA1

    e753ad21e77f44d80da622d214d383fed263cd38

    SHA256

    b64697cacaa097ccd9e6f9571b80e9309b8f6fa4661490b7cf4dc46c10998791

    SHA512

    e3707752500f9f62d1ed55c58cc7d1020e9c3f96e14d57a680aff5836a4d3d06927f6a0d0187f3fe961bd7c2c30c1e96c2504109f5560112fecad17b58aa640c

  • C:\Windows\System\QWVdeqg.exe

    Filesize

    5.9MB

    MD5

    8949e52dfa5f4c2902d97ebffd0ae1c0

    SHA1

    4296bd4079841c0a4c87bb2c1f15a30c74a9f81d

    SHA256

    09e76ba2d90e7c67f489ba3b6bbd1e3cefa9ee6f42ca61258fa5107409517d86

    SHA512

    e42909aa7095e68a1b2ef89ed2ed6ddf64025c5c3b522d16258431bfe32240f23215ad8459e104fb64001c7f776ffc214adfdd652fd6449c01bf68ab8b77b20d

  • C:\Windows\System\QjfRoYk.exe

    Filesize

    5.9MB

    MD5

    0e80086731dc1b320acf16112c5ed3a1

    SHA1

    54c907f72a07ad79fc9dabc8221aef5398055c88

    SHA256

    30e913d181f05c1e20eae95d57a9f0ed7679f509e1c05fb179b7574000b4c6cf

    SHA512

    49446352177b1bbaefd8e34cff61f6cf29edcd2dbc23b354482c7bca7815e13df8512ac12ea4a3868da6d7b93017a379e04e7684ba0fd988b3a7581b81be8042

  • C:\Windows\System\TcovHfv.exe

    Filesize

    5.9MB

    MD5

    b55ef8e0cce7d776385f7a663495e2ed

    SHA1

    735e1b262755238bfa4d0ca2da34cbe3eab77beb

    SHA256

    6cd215d30f0540277279191555e72183a5ca3a7def394888f8776e0cf68c1d57

    SHA512

    7615d4f57d3410181bf4c05436fff90316bcd27a3df4f4530caea8410018975722ea9bf7c398028dced45a1e693e67ed1be2ad0407a51c6340c53e6dbd18a94a

  • C:\Windows\System\WhZfDxw.exe

    Filesize

    5.9MB

    MD5

    a6194c4e0af6e6ecf5265365afccb48d

    SHA1

    098d1970e6d5c71ecb52a7399ed0da70f3bb37e1

    SHA256

    ee1e7065701a1b338541f962eee5e8cf87a5dfdc8dd21e19d6b486c7c2df6b08

    SHA512

    743e43464c86d598f1b1c1da8123d0406800b2bffd092c5723ad5de036dc6266b13abb62d4e891e2823d82af2735e8e98bffbb926c7867abfa7df0aa2234ffc9

  • C:\Windows\System\ZMynxrp.exe

    Filesize

    5.9MB

    MD5

    264994f620f47bb519839ef2660248ef

    SHA1

    f9ca76cf6e3d21b53ad1cad79711f55c92eed029

    SHA256

    f3f1ea74701fcded09cdd4dfd71aa8a2b8fba033d6aba248224b026212668713

    SHA512

    c1e10e4824ea417f259744e365fe2013c89000c12111c86821075de841c82febd7c7de81ceae55bc5db9beaab9538a71ec19a3de15b52b273f90da2a858a4a28

  • C:\Windows\System\auxffal.exe

    Filesize

    5.9MB

    MD5

    637e417546f1c80cf20bb26522ae62b4

    SHA1

    bc5e44a9b7a30387f9940cff2eb1df479f7b54db

    SHA256

    b37a6f7268eb48c2e95e223530c6f37873045e40dc12e46960bb1c18c0747ff1

    SHA512

    deea81301a6468246dfe2c7ab70e23916f9f76b949303dd47bc62da160b57890109cfaf4099a2c5a96b86db3d221f6cf3d6b9aeccf295067fe0dbd055386298f

  • C:\Windows\System\kWDNLuI.exe

    Filesize

    5.9MB

    MD5

    470c822166cb8a5730daef4fc67b0369

    SHA1

    422f7a2d0d3aa567e0827f60064eaf6b55934539

    SHA256

    220e439c7ebec889ab8b2c9761f58f43631236cfe19a518907b56cef1f46816a

    SHA512

    dca2545456014186415df12dec7d7f3ecf0007bcde6a25d2211deafea7fdecaebe7ee848b4a4df2685afe73fc51ab52c8da30725fc7b3363f8c029d8a456ebe4

  • C:\Windows\System\ntTLUre.exe

    Filesize

    5.9MB

    MD5

    da5a69fc30166be5f9930ae5cc05281e

    SHA1

    ae08c31288451ae2d043fa394b05ed31e8ab55f1

    SHA256

    4b57218118f3261599a3fcfb211d5b6cc2e105f372dee547ebffde85ad8cb7d9

    SHA512

    e394ee020267cb7d88d1f85a41ad050152a86f4bd804c7287ffd9fc6f97aacb0db2ab6ffbef7d35060af83a3f8a4e29d49797c78a0a301d691314cf34e0fee2c

  • C:\Windows\System\ohEhELp.exe

    Filesize

    5.9MB

    MD5

    ef2542bcc3d1c99d55947ed6343cee1c

    SHA1

    34933b0fe78c6f6996e05179e097a6fa15f157a1

    SHA256

    38391ed40efc23961566f20a30ccf940c5b30c7e3b8c0d6e7b57de4413c88c27

    SHA512

    9f79c2c41a499d90f8fc509cec16b00b6a44ff28d9995763b08e59c73f5acfe8b745e02e4ce2ccd32cf4c30f2c0f8c3487f119548a548d3f6ab2bebd24c6c3f9

  • C:\Windows\System\wsuMAqY.exe

    Filesize

    5.9MB

    MD5

    25836b8d7e7a7fb06831663c92558abf

    SHA1

    a80b66b3c43bdabed5282c08e9cfa07acecaba44

    SHA256

    88ec895e4338c687b9a5488fda9167a38a1c05b711f67cbc0db1c2d1ddc5eaae

    SHA512

    f9515c6d098eeb852a0e3f7a1e85d46ebc2a4787ea8a96d757765a0f5355a3b5407d03ab0be44fbc774fee2fa18e0229d9f4554baf5405895c4ef6fd914cf0dc

  • C:\Windows\System\xYDbKeq.exe

    Filesize

    5.9MB

    MD5

    27de40d259bb63ef2f65d4b219ccbc10

    SHA1

    fb2b10b9a0af73a04f360d905684d6fb89ed6f2d

    SHA256

    3195edec344e547ba69cfa35c849141709f52fb2c5014fa3264c7d8e34e5cd36

    SHA512

    6d186dfe4125cd1f28c3062f086751677ab0da06a0db570fd28354ca9a2e3a732c09148ac9f827a695f919ca4b3eaa460b95750db6d8a2e302c134eaec4c19a9

  • C:\Windows\System\xmWpVln.exe

    Filesize

    5.9MB

    MD5

    6f5d00f64858b7959c20b789aa2b43ef

    SHA1

    840521e64214a4791a9b66ec770d1d63337e2ac6

    SHA256

    1215e771aa37a1d253e47db0c4906be7eeed16b296142f8016682d53dc3a5570

    SHA512

    30d0ae9052a4013517ccd3e7d07bb5677cabdf4f15b8057c5f4250334cdc72aa29eaaf9450b87ed5912a6920c1274ab0553011cd2f525d4a0efa69be26798b77

  • C:\Windows\System\xrCcMMv.exe

    Filesize

    5.9MB

    MD5

    3c7917988a1673239a8640af55759f22

    SHA1

    35331c77e6df944a39deb8e626512ecdb86ae03d

    SHA256

    f94f009050eeb639998d005dc82464dbbc134b86874b6fea8f8b98984c76ab71

    SHA512

    43c682288cd0eab808622e4e78bcda987cf6f0e20fcec656e042fe90faecb3481fb8314921bf9b1b6805944394968f64bafee4b9c214581ea245c4661c5d0212

  • C:\Windows\System\zxMDhTR.exe

    Filesize

    5.9MB

    MD5

    fcc2ff7df0e337a858f18bcaea96a90a

    SHA1

    1a036c10e5c4844ddb53de3b9720ddcc85621d3f

    SHA256

    fff71d8cf1943bd266e6757ea1769cf2fce7b0b5854df645c9e1e7fbf9ad5de6

    SHA512

    222951c2c4c9a9d60e59d68d03c335e6a43aea3df38268e95118daf021ecb377f6cfda8e0b0c4c82f21c475b5a64e7b15c97ea9b2cfd11f0c72c2b5d2982e5a9

  • memory/404-27-0x00007FF7D9240000-0x00007FF7D9594000-memory.dmp

    Filesize

    3.3MB

  • memory/404-136-0x00007FF7D9240000-0x00007FF7D9594000-memory.dmp

    Filesize

    3.3MB

  • memory/636-135-0x00007FF6C5EE0000-0x00007FF6C6234000-memory.dmp

    Filesize

    3.3MB

  • memory/636-18-0x00007FF6C5EE0000-0x00007FF6C6234000-memory.dmp

    Filesize

    3.3MB

  • memory/636-131-0x00007FF6C5EE0000-0x00007FF6C6234000-memory.dmp

    Filesize

    3.3MB

  • memory/804-13-0x00007FF69F210000-0x00007FF69F564000-memory.dmp

    Filesize

    3.3MB

  • memory/804-134-0x00007FF69F210000-0x00007FF69F564000-memory.dmp

    Filesize

    3.3MB

  • memory/804-130-0x00007FF69F210000-0x00007FF69F564000-memory.dmp

    Filesize

    3.3MB

  • memory/932-122-0x00007FF7A0DA0000-0x00007FF7A10F4000-memory.dmp

    Filesize

    3.3MB

  • memory/932-148-0x00007FF7A0DA0000-0x00007FF7A10F4000-memory.dmp

    Filesize

    3.3MB

  • memory/1420-142-0x00007FF75D190000-0x00007FF75D4E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1420-116-0x00007FF75D190000-0x00007FF75D4E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1632-8-0x00007FF795B40000-0x00007FF795E94000-memory.dmp

    Filesize

    3.3MB

  • memory/1632-133-0x00007FF795B40000-0x00007FF795E94000-memory.dmp

    Filesize

    3.3MB

  • memory/1632-129-0x00007FF795B40000-0x00007FF795E94000-memory.dmp

    Filesize

    3.3MB

  • memory/1668-120-0x00007FF6012E0000-0x00007FF601634000-memory.dmp

    Filesize

    3.3MB

  • memory/1668-146-0x00007FF6012E0000-0x00007FF601634000-memory.dmp

    Filesize

    3.3MB

  • memory/2224-38-0x00007FF674400000-0x00007FF674754000-memory.dmp

    Filesize

    3.3MB

  • memory/2224-138-0x00007FF674400000-0x00007FF674754000-memory.dmp

    Filesize

    3.3MB

  • memory/3116-0-0x00007FF645530000-0x00007FF645884000-memory.dmp

    Filesize

    3.3MB

  • memory/3116-1-0x000002060F980000-0x000002060F990000-memory.dmp

    Filesize

    64KB

  • memory/3116-128-0x00007FF645530000-0x00007FF645884000-memory.dmp

    Filesize

    3.3MB

  • memory/3280-153-0x00007FF6E1760000-0x00007FF6E1AB4000-memory.dmp

    Filesize

    3.3MB

  • memory/3280-126-0x00007FF6E1760000-0x00007FF6E1AB4000-memory.dmp

    Filesize

    3.3MB

  • memory/3388-139-0x00007FF707E00000-0x00007FF708154000-memory.dmp

    Filesize

    3.3MB

  • memory/3388-42-0x00007FF707E00000-0x00007FF708154000-memory.dmp

    Filesize

    3.3MB

  • memory/3388-132-0x00007FF707E00000-0x00007FF708154000-memory.dmp

    Filesize

    3.3MB

  • memory/3428-140-0x00007FF7E7E20000-0x00007FF7E8174000-memory.dmp

    Filesize

    3.3MB

  • memory/3428-114-0x00007FF7E7E20000-0x00007FF7E8174000-memory.dmp

    Filesize

    3.3MB

  • memory/3500-115-0x00007FF7FD810000-0x00007FF7FDB64000-memory.dmp

    Filesize

    3.3MB

  • memory/3500-141-0x00007FF7FD810000-0x00007FF7FDB64000-memory.dmp

    Filesize

    3.3MB

  • memory/4168-137-0x00007FF69E510000-0x00007FF69E864000-memory.dmp

    Filesize

    3.3MB

  • memory/4168-34-0x00007FF69E510000-0x00007FF69E864000-memory.dmp

    Filesize

    3.3MB

  • memory/4480-147-0x00007FF66D670000-0x00007FF66D9C4000-memory.dmp

    Filesize

    3.3MB

  • memory/4480-121-0x00007FF66D670000-0x00007FF66D9C4000-memory.dmp

    Filesize

    3.3MB

  • memory/4488-150-0x00007FF7CA7E0000-0x00007FF7CAB34000-memory.dmp

    Filesize

    3.3MB

  • memory/4488-124-0x00007FF7CA7E0000-0x00007FF7CAB34000-memory.dmp

    Filesize

    3.3MB

  • memory/4524-151-0x00007FF6CD570000-0x00007FF6CD8C4000-memory.dmp

    Filesize

    3.3MB

  • memory/4524-125-0x00007FF6CD570000-0x00007FF6CD8C4000-memory.dmp

    Filesize

    3.3MB

  • memory/4632-149-0x00007FF790240000-0x00007FF790594000-memory.dmp

    Filesize

    3.3MB

  • memory/4632-123-0x00007FF790240000-0x00007FF790594000-memory.dmp

    Filesize

    3.3MB

  • memory/4828-127-0x00007FF7B9070000-0x00007FF7B93C4000-memory.dmp

    Filesize

    3.3MB

  • memory/4828-152-0x00007FF7B9070000-0x00007FF7B93C4000-memory.dmp

    Filesize

    3.3MB

  • memory/4872-143-0x00007FF7635B0000-0x00007FF763904000-memory.dmp

    Filesize

    3.3MB

  • memory/4872-117-0x00007FF7635B0000-0x00007FF763904000-memory.dmp

    Filesize

    3.3MB

  • memory/4904-145-0x00007FF787210000-0x00007FF787564000-memory.dmp

    Filesize

    3.3MB

  • memory/4904-119-0x00007FF787210000-0x00007FF787564000-memory.dmp

    Filesize

    3.3MB

  • memory/5096-144-0x00007FF6E7450000-0x00007FF6E77A4000-memory.dmp

    Filesize

    3.3MB

  • memory/5096-118-0x00007FF6E7450000-0x00007FF6E77A4000-memory.dmp

    Filesize

    3.3MB