Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-06-2024 04:16

General

  • Target

    2024-06-08_52e97a120d43e1836816f5a6f9dac14f_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    52e97a120d43e1836816f5a6f9dac14f

  • SHA1

    a0b84cf83c8d3dedfd6f4ea610aa45cc923c1290

  • SHA256

    1c0fab33e33f0ac4e6aec87af27cf6920c1a260222c6784810390a78f3b1476c

  • SHA512

    b7a27d1b94feb0cdae590e48291195bbadce42a10fc862851b72fbbc08f4f12b071d4b9e3753560e771b29f2af19882d27840a9482903bb7dbf5997dbaf55177

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUZ:Q+856utgpPF8u/7Z

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 19 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 19 IoCs
  • UPX dump on OEP (original entry point) 64 IoCs
  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-08_52e97a120d43e1836816f5a6f9dac14f_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-08_52e97a120d43e1836816f5a6f9dac14f_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3256
    • C:\Windows\System\GEHDpJe.exe
      C:\Windows\System\GEHDpJe.exe
      2⤵
      • Executes dropped EXE
      PID:1424
    • C:\Windows\System\EgEEApi.exe
      C:\Windows\System\EgEEApi.exe
      2⤵
      • Executes dropped EXE
      PID:2260
    • C:\Windows\System\gmXuAGS.exe
      C:\Windows\System\gmXuAGS.exe
      2⤵
      • Executes dropped EXE
      PID:1240
    • C:\Windows\System\XinJXEK.exe
      C:\Windows\System\XinJXEK.exe
      2⤵
      • Executes dropped EXE
      PID:2088
    • C:\Windows\System\XLsTzTw.exe
      C:\Windows\System\XLsTzTw.exe
      2⤵
      • Executes dropped EXE
      PID:3288
    • C:\Windows\System\lLRJWYK.exe
      C:\Windows\System\lLRJWYK.exe
      2⤵
      • Executes dropped EXE
      PID:4380
    • C:\Windows\System\itdshPf.exe
      C:\Windows\System\itdshPf.exe
      2⤵
      • Executes dropped EXE
      PID:4764
    • C:\Windows\System\fFKxpCf.exe
      C:\Windows\System\fFKxpCf.exe
      2⤵
      • Executes dropped EXE
      PID:4840
    • C:\Windows\System\QNtdydg.exe
      C:\Windows\System\QNtdydg.exe
      2⤵
      • Executes dropped EXE
      PID:4068
    • C:\Windows\System\mtxAhes.exe
      C:\Windows\System\mtxAhes.exe
      2⤵
      • Executes dropped EXE
      PID:3936
    • C:\Windows\System\WpdJIoY.exe
      C:\Windows\System\WpdJIoY.exe
      2⤵
      • Executes dropped EXE
      PID:1172
    • C:\Windows\System\steTLTE.exe
      C:\Windows\System\steTLTE.exe
      2⤵
      • Executes dropped EXE
      PID:2060
    • C:\Windows\System\CYSQnGH.exe
      C:\Windows\System\CYSQnGH.exe
      2⤵
      • Executes dropped EXE
      PID:804
    • C:\Windows\System\HvdkWbB.exe
      C:\Windows\System\HvdkWbB.exe
      2⤵
      • Executes dropped EXE
      PID:4736
    • C:\Windows\System\jsdlUEZ.exe
      C:\Windows\System\jsdlUEZ.exe
      2⤵
      • Executes dropped EXE
      PID:1032
    • C:\Windows\System\rFwMURl.exe
      C:\Windows\System\rFwMURl.exe
      2⤵
      • Executes dropped EXE
      PID:3164
    • C:\Windows\System\tlpXLMD.exe
      C:\Windows\System\tlpXLMD.exe
      2⤵
      • Executes dropped EXE
      PID:372
    • C:\Windows\System\kRLeWOA.exe
      C:\Windows\System\kRLeWOA.exe
      2⤵
      • Executes dropped EXE
      PID:1508
    • C:\Windows\System\kIniEsz.exe
      C:\Windows\System\kIniEsz.exe
      2⤵
      • Executes dropped EXE
      PID:4916
    • C:\Windows\System\cTwnmXw.exe
      C:\Windows\System\cTwnmXw.exe
      2⤵
      • Executes dropped EXE
      PID:4388
    • C:\Windows\System\DnUKaqX.exe
      C:\Windows\System\DnUKaqX.exe
      2⤵
      • Executes dropped EXE
      PID:3924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System\CYSQnGH.exe

    Filesize

    5.9MB

    MD5

    e490c0bda9e36a15cff5c2f4e0f6f174

    SHA1

    db824f75636da1ffb9acfca511a92a475358aebb

    SHA256

    ec2dadef4d571ae2a324a42e8f5a1ad798baeb2adfad0619f8be13a4d31d4de4

    SHA512

    b6e76b974bf0d41126639ac7158473ba9fc93452c3d47ad5c932f77a34537c17659909b1015d2eaed61dbce21f0ab0336aa64423db4cec690e980b9211ec1da3

  • C:\Windows\System\DnUKaqX.exe

    Filesize

    5.9MB

    MD5

    df2d2d445172f1bb73447ea4a48a03ad

    SHA1

    277c9439dfbf7c95abb70f0e79f89a3b0e6e1351

    SHA256

    e4fbfc104c191e5ca50f659a835f730b271bce6d3709d76a7846215450fdcecd

    SHA512

    f4288d6b4f5134ee0da0414df0674a54ca30bb786aa07f55a7f7183559c23e554b3115ff4b7e18a2cb694ccc70e39fa90db0d40fe7961017c69e891b42a937df

  • C:\Windows\System\EgEEApi.exe

    Filesize

    5.2MB

    MD5

    6e20c1464f2f11359d03740e39e646c8

    SHA1

    e90209ae46e403e71a97b0f056c5611d8850af0f

    SHA256

    e9593ce32c1f94db36680e392134bf6ea24ae6d0ede4ec413f37566a5f2d14d1

    SHA512

    3c5d83e738534c4ac0713b5c116bdf631b564cab66985488e774409d89d4217b15f7b4d1125192155a4943ff3a81fa41e606de408ffb1a46a6a0a426634ea7fe

  • C:\Windows\System\GEHDpJe.exe

    Filesize

    5.9MB

    MD5

    ec3d3ef8cbe74c8e10267a3d904f7905

    SHA1

    907e24d6c7b06d1d099f539452203f3106ff1ceb

    SHA256

    e18942be8526008f0955d305acac8c456ef5ca243760c4ad3b5aa750c14a8f2f

    SHA512

    fdd83d15074331a160614e4c8ea6b284ca1cc87402edf38832928424054f9d66a65c6594e72b2b8919ca8ed1a375fbf247bf96dbf285778620d7c1f98a787b90

  • C:\Windows\System\HvdkWbB.exe

    Filesize

    5.9MB

    MD5

    17e596d4b883e02b23a81b3e589bb611

    SHA1

    88b611b95bd4c568f0ddff2780b188b3a1326293

    SHA256

    b49cd7f3d59fff0a2fb74b4386378a250eea8d1189e26fa4e08fa23448eb49b4

    SHA512

    95a17f6af868e9eae43a633216419f69c27a4e9c7a87835de559fad11ff590337181a77251912618ca0321f1e46cc537ee2578b38f31c694d92133c1555657a1

  • C:\Windows\System\QNtdydg.exe

    Filesize

    5.9MB

    MD5

    b83b0fa4fa669304aa2bf969347e07db

    SHA1

    1ffeed1b6959369ebdac2956224c33f597929fa0

    SHA256

    267db8492ce6e10600445803f285ae2af24523218f9c98c7ea51358c46958e56

    SHA512

    64c489c21c239d6fa44c1b00e5843e40c5905e3fd3530e98ad72f9502135c107898300d4d5a9b537868ab21e2891e4cdf7bb6de4e0d487d17c4d301db244d4d9

  • C:\Windows\System\WpdJIoY.exe

    Filesize

    5.9MB

    MD5

    d30d3cb0d5c1e9aa9a0d29cac4632a64

    SHA1

    f0838cf874d131b3ab64cb2e4220873a0cf841e0

    SHA256

    634e49fb02baf7118c4ff0f6c95e6325dacedf0bc796bf520e17313bd393b05e

    SHA512

    4f8294d0c24edbc304b4a0520ff4c3b4385591777c49222c99ae747028bdde7ea91a3d35d32ea8da16977a016f258008780914b40bc4122e335fe6813b15c472

  • C:\Windows\System\XLsTzTw.exe

    Filesize

    5.9MB

    MD5

    9dc45c500a54b06aa71fda4d5a54ded6

    SHA1

    0b4e448c2052b2d219b2dcff92e902f6a4d17897

    SHA256

    109ac01fb5231d99f997e4b0bb3d33c036dcbb6590816f87645961adb5476e63

    SHA512

    c05260ae5b530a4400a810cc8a8bc4b4bd6df7a5117cde79176f1c0756876b21263f3b48936b6db720020392f18fd98d11ae83f544aa1cabfb755334b7af0322

  • C:\Windows\System\XinJXEK.exe

    Filesize

    5.9MB

    MD5

    6749f560e9d4fcbab822c559fd603cfc

    SHA1

    26f9bd3066b8d7c059ebe7d7e1fbfd937730f4a0

    SHA256

    c9a797c9f7cda2ad8a67682d2abff9adf14a4eca67f2f0b8a78542101185d778

    SHA512

    5edb1c8d0a1d0d30175f2430e9736b765e19cb64c808d22d4a5eba90f67559969412b687e4bb3244f4a122d168bfefb0f751fff8e19e4345f9263f389483cd5d

  • C:\Windows\System\cTwnmXw.exe

    Filesize

    5.9MB

    MD5

    47e1c949dadc469fd0a78f62b0ebcc4e

    SHA1

    c9909ffb5ad031715a558dec06458220ea438b13

    SHA256

    b17006c0e9275c21264298e3a3013c762e12418f4923659a3ad948308962cf3d

    SHA512

    ee2f1b14dc22e5b14c705043fa2c27e6cc16495bba3f69e74d636aa2b671e85a251209ea50e8af2376e11c14cd998107fd0447c3477912edbeb214f8d512d243

  • C:\Windows\System\fFKxpCf.exe

    Filesize

    5.8MB

    MD5

    984a8cf637fc9f46a5be1646493a183b

    SHA1

    eff3045fcb5d0b4a9321004fdd3e94f3f336f5af

    SHA256

    0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068

    SHA512

    f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

  • C:\Windows\System\fFKxpCf.exe

    Filesize

    5.9MB

    MD5

    bb33ee0423f926afd71d4e430a414c18

    SHA1

    73b56334926cbc9346e0184f9b9e5a8396c8a696

    SHA256

    58301cdc339218a65a7a961562b71f36aa556418dd1a9dd600c6445e6f082e42

    SHA512

    0925bfd2f7439f0ef0a9351c25d7a7e073d06dffec91124e2298ff958e2727e270a6c5c1f48b34ce20057f239e89707b61b6fae8ab968c7ff3bf28cca8313029

  • C:\Windows\System\gmXuAGS.exe

    Filesize

    5.9MB

    MD5

    7b93dc1034bf7eb30a10c2e5002ade77

    SHA1

    db92de6f9fe48e9cedbbabc5f8dc10955c723a0b

    SHA256

    ba0a0a285cc3003905703c67a521830e717b0fa1fbc9637d49d5c10f0cfc6720

    SHA512

    d93dc4ff337bbfec96f0bf721a3ec45e0220d35b6f882e7bad6e988816a0e165a2570d2c709c52a61fce08f648f1f609dd86afbabd4fec551e916b7ddea78c60

  • C:\Windows\System\itdshPf.exe

    Filesize

    5.9MB

    MD5

    d8e2d4d7cd62d032a0b0fb4b53da5918

    SHA1

    14f31689cf2d14507c39b3910e689041f5b0ff08

    SHA256

    60517c4ecf0b9094b0c51e9312dc893ad540e4bc1aba20ae15af751e9a459212

    SHA512

    52fc6f2eb183e755e1738e2ad367d5c4a3c46c11256b9af8eaaa6a9a4a2f8a9916f0644c0dfa1bbdd86805555bf01dfa9abce87d4fda85f1a37dec99e1eb6295

  • C:\Windows\System\jsdlUEZ.exe

    Filesize

    5.9MB

    MD5

    1326cf338b58382caf11326c26ca60d6

    SHA1

    56bab845bedb2fef36772e15af20785f733333a2

    SHA256

    c671df1e6a965ae9e34fb92c8a6e3544495c11dbf09a49171d5010e5dcc16306

    SHA512

    659265c8f44db4070222c28a81a5c36d894335899bab84d0a26823186b600a4c4d431cff1df7db28aee24c3cfa1a602d4dcb2b98a1b65f9be9a6e7ed87df5606

  • C:\Windows\System\kIniEsz.exe

    Filesize

    5.9MB

    MD5

    90aea5c098d350fa026d43d66e7e2db8

    SHA1

    ee7e691749d438b056191c736c54d060e4c9dbf0

    SHA256

    1089ba11f3e5218d4e64e495839081fc492a39904117e8462739d1b5b9f722fb

    SHA512

    4f58b7353a20243b3e8272a695391a00db21968cb21e2f94247f5d869cb9425fc483194abbf7f47d9250d877410ce51b9202e9739b29145acc105c6375a0de34

  • C:\Windows\System\kRLeWOA.exe

    Filesize

    5.9MB

    MD5

    3dce0e9447b2436a17fad704f076f94e

    SHA1

    d4aea26c87f2f47316732f93ae8b65a43bfb288d

    SHA256

    9c39a94b0096b0bfc26a5429dc4e0e048b25f150254810844d2a8eed542725ff

    SHA512

    bb2ede6bf4a1e93d1cc286180de793c5d3a0d48d37d07374de900de4244af6049a083a866c60ae28ebde7d77715c0aabda22102d7d07ccd4351b5e2895ab49bb

  • C:\Windows\System\lLRJWYK.exe

    Filesize

    5.9MB

    MD5

    a6111da166178b3bce834c317c41aad7

    SHA1

    c4479a9a35a6e1a72e5f9e72bb35a1b1fcfaeba4

    SHA256

    c57f230e3d5bbca372c969619e71282ca3efff0562e5566e7fa561737bfba705

    SHA512

    79b7e74a4d7be9713eb608b38e01d72c084e2fb0d6da66759f8282e53f42fdbeb6da70483171796ade8afebb973fae03a3a035002ff0716e0ac048172b0bf6af

  • C:\Windows\System\mtxAhes.exe

    Filesize

    5.9MB

    MD5

    8e975a0b16aded8dc97afd9bb6b353f8

    SHA1

    2986da2a051b6b370d218703443825bf4bf48dd3

    SHA256

    86daf609582c9c794a56ae26993a2dfa4af704141ad7763148c671f2e5395ba3

    SHA512

    1bef76ef34f69c6f0668a1e664bd1a18ba62a8c8d8c908a76dc82283d763f793d4b708483a25bca4f8b2149155922520188b86cc1f248c10a0a2b7fb66023e04

  • C:\Windows\System\rFwMURl.exe

    Filesize

    5.9MB

    MD5

    b4419fbad67f942d0b30e6516a3e91e7

    SHA1

    6bf1a56bcc46372b33c1616f2018ca73e5083943

    SHA256

    a299bbffde756a7d42e02a700e0172d490bbcd9d484bc779de91011b37b51d98

    SHA512

    15b556b6f607363bbd748c981d5e8b5a7e460b817cab07de553ee215329eab8a2dae2820fc3ba3fa810f46f463d843030c9f44fe184571cf0f34bc7106350918

  • C:\Windows\System\steTLTE.exe

    Filesize

    5.9MB

    MD5

    b65dc9da1636131cc4d8a1604e74f344

    SHA1

    643aaa9588c10ff017dc266626dc653964710268

    SHA256

    280e8b4ab5c35bbc6fd7601ddb84973c716eb21dc6574f1b22e3ce0fc7adc1fb

    SHA512

    bd03ea4914b22113d180a8f08101d778e6bd1edcb78c96ff233c9629c91c8ec60564d4cb4d11f9e585be0a1cfbeda5e0b77c29c8690f623d470375ade8595584

  • C:\Windows\System\tlpXLMD.exe

    Filesize

    5.9MB

    MD5

    f6cdfb3d88537b367792cbd894bd98ed

    SHA1

    3d3f99c94c72c456dffcf949bc5d30603a7e936c

    SHA256

    05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86

    SHA512

    0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

  • C:\Windows\System\tlpXLMD.exe

    Filesize

    5.6MB

    MD5

    1e2459942327eb396bd8cd9cbc885d14

    SHA1

    b979cbcb517509c30843efb1d91bef30f1f24a44

    SHA256

    54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a

    SHA512

    62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7

  • memory/372-150-0x00007FF7517E0000-0x00007FF751B34000-memory.dmp

    Filesize

    3.3MB

  • memory/372-108-0x00007FF7517E0000-0x00007FF751B34000-memory.dmp

    Filesize

    3.3MB

  • memory/804-146-0x00007FF79BD90000-0x00007FF79C0E4000-memory.dmp

    Filesize

    3.3MB

  • memory/804-81-0x00007FF79BD90000-0x00007FF79C0E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1032-148-0x00007FF798AD0000-0x00007FF798E24000-memory.dmp

    Filesize

    3.3MB

  • memory/1032-95-0x00007FF798AD0000-0x00007FF798E24000-memory.dmp

    Filesize

    3.3MB

  • memory/1172-144-0x00007FF689170000-0x00007FF6894C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1172-74-0x00007FF689170000-0x00007FF6894C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1240-87-0x00007FF63A650000-0x00007FF63A9A4000-memory.dmp

    Filesize

    3.3MB

  • memory/1240-136-0x00007FF63A650000-0x00007FF63A9A4000-memory.dmp

    Filesize

    3.3MB

  • memory/1240-19-0x00007FF63A650000-0x00007FF63A9A4000-memory.dmp

    Filesize

    3.3MB

  • memory/1424-134-0x00007FF7DBD10000-0x00007FF7DC064000-memory.dmp

    Filesize

    3.3MB

  • memory/1424-8-0x00007FF7DBD10000-0x00007FF7DC064000-memory.dmp

    Filesize

    3.3MB

  • memory/1508-151-0x00007FF7D05B0000-0x00007FF7D0904000-memory.dmp

    Filesize

    3.3MB

  • memory/1508-120-0x00007FF7D05B0000-0x00007FF7D0904000-memory.dmp

    Filesize

    3.3MB

  • memory/2060-145-0x00007FF7EA950000-0x00007FF7EACA4000-memory.dmp

    Filesize

    3.3MB

  • memory/2060-75-0x00007FF7EA950000-0x00007FF7EACA4000-memory.dmp

    Filesize

    3.3MB

  • memory/2088-137-0x00007FF602D10000-0x00007FF603064000-memory.dmp

    Filesize

    3.3MB

  • memory/2088-94-0x00007FF602D10000-0x00007FF603064000-memory.dmp

    Filesize

    3.3MB

  • memory/2088-26-0x00007FF602D10000-0x00007FF603064000-memory.dmp

    Filesize

    3.3MB

  • memory/2260-135-0x00007FF604600000-0x00007FF604954000-memory.dmp

    Filesize

    3.3MB

  • memory/2260-14-0x00007FF604600000-0x00007FF604954000-memory.dmp

    Filesize

    3.3MB

  • memory/3164-101-0x00007FF7FAAC0000-0x00007FF7FAE14000-memory.dmp

    Filesize

    3.3MB

  • memory/3164-149-0x00007FF7FAAC0000-0x00007FF7FAE14000-memory.dmp

    Filesize

    3.3MB

  • memory/3256-1-0x0000024533540000-0x0000024533550000-memory.dmp

    Filesize

    64KB

  • memory/3256-64-0x00007FF660980000-0x00007FF660CD4000-memory.dmp

    Filesize

    3.3MB

  • memory/3256-0-0x00007FF660980000-0x00007FF660CD4000-memory.dmp

    Filesize

    3.3MB

  • memory/3288-32-0x00007FF748830000-0x00007FF748B84000-memory.dmp

    Filesize

    3.3MB

  • memory/3288-138-0x00007FF748830000-0x00007FF748B84000-memory.dmp

    Filesize

    3.3MB

  • memory/3924-132-0x00007FF6B3330000-0x00007FF6B3684000-memory.dmp

    Filesize

    3.3MB

  • memory/3924-154-0x00007FF6B3330000-0x00007FF6B3684000-memory.dmp

    Filesize

    3.3MB

  • memory/3936-65-0x00007FF6970B0000-0x00007FF697404000-memory.dmp

    Filesize

    3.3MB

  • memory/3936-143-0x00007FF6970B0000-0x00007FF697404000-memory.dmp

    Filesize

    3.3MB

  • memory/4068-142-0x00007FF71BE20000-0x00007FF71C174000-memory.dmp

    Filesize

    3.3MB

  • memory/4068-56-0x00007FF71BE20000-0x00007FF71C174000-memory.dmp

    Filesize

    3.3MB

  • memory/4380-139-0x00007FF6AD8C0000-0x00007FF6ADC14000-memory.dmp

    Filesize

    3.3MB

  • memory/4380-107-0x00007FF6AD8C0000-0x00007FF6ADC14000-memory.dmp

    Filesize

    3.3MB

  • memory/4380-37-0x00007FF6AD8C0000-0x00007FF6ADC14000-memory.dmp

    Filesize

    3.3MB

  • memory/4388-133-0x00007FF62F310000-0x00007FF62F664000-memory.dmp

    Filesize

    3.3MB

  • memory/4388-125-0x00007FF62F310000-0x00007FF62F664000-memory.dmp

    Filesize

    3.3MB

  • memory/4388-153-0x00007FF62F310000-0x00007FF62F664000-memory.dmp

    Filesize

    3.3MB

  • memory/4736-88-0x00007FF620750000-0x00007FF620AA4000-memory.dmp

    Filesize

    3.3MB

  • memory/4736-147-0x00007FF620750000-0x00007FF620AA4000-memory.dmp

    Filesize

    3.3MB

  • memory/4764-114-0x00007FF7CD440000-0x00007FF7CD794000-memory.dmp

    Filesize

    3.3MB

  • memory/4764-140-0x00007FF7CD440000-0x00007FF7CD794000-memory.dmp

    Filesize

    3.3MB

  • memory/4764-42-0x00007FF7CD440000-0x00007FF7CD794000-memory.dmp

    Filesize

    3.3MB

  • memory/4840-55-0x00007FF783D60000-0x00007FF7840B4000-memory.dmp

    Filesize

    3.3MB

  • memory/4840-141-0x00007FF783D60000-0x00007FF7840B4000-memory.dmp

    Filesize

    3.3MB

  • memory/4916-124-0x00007FF65DD60000-0x00007FF65E0B4000-memory.dmp

    Filesize

    3.3MB

  • memory/4916-152-0x00007FF65DD60000-0x00007FF65E0B4000-memory.dmp

    Filesize

    3.3MB