Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    134s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29/05/2024, 22:45

General

  • Target

    2024-05-29_6b2fd37e0351b8e06387dc846b1b6d08_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    6b2fd37e0351b8e06387dc846b1b6d08

  • SHA1

    346ebfadd478a182dce462c83f71c2286f4ef4dc

  • SHA256

    dec0a0b592694a6b013df76ee14ea042319b91cac64b202661023e3175b00b98

  • SHA512

    530ba5b83846b98246d8fcd9bee5729cd390625a506dc8a006ad7c76d51a074c14f4918b2ce43d989ae33ec7d40c8c5cbca1d6afa17926f2f966a4720a454adf

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU9:Q+856utgpPF8u/79

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 47 IoCs
  • XMRig Miner payload 47 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 47 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-29_6b2fd37e0351b8e06387dc846b1b6d08_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-29_6b2fd37e0351b8e06387dc846b1b6d08_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\System\jJUzQiG.exe
      C:\Windows\System\jJUzQiG.exe
      2⤵
      • Executes dropped EXE
      PID:2728
    • C:\Windows\System\laXVBcx.exe
      C:\Windows\System\laXVBcx.exe
      2⤵
      • Executes dropped EXE
      PID:2172
    • C:\Windows\System\NquUzYD.exe
      C:\Windows\System\NquUzYD.exe
      2⤵
      • Executes dropped EXE
      PID:2560
    • C:\Windows\System\tNAahSb.exe
      C:\Windows\System\tNAahSb.exe
      2⤵
      • Executes dropped EXE
      PID:2724
    • C:\Windows\System\RcClsli.exe
      C:\Windows\System\RcClsli.exe
      2⤵
      • Executes dropped EXE
      PID:2668
    • C:\Windows\System\VCsuHsu.exe
      C:\Windows\System\VCsuHsu.exe
      2⤵
      • Executes dropped EXE
      PID:2484
    • C:\Windows\System\OVciTjk.exe
      C:\Windows\System\OVciTjk.exe
      2⤵
      • Executes dropped EXE
      PID:2496
    • C:\Windows\System\RCsabdF.exe
      C:\Windows\System\RCsabdF.exe
      2⤵
      • Executes dropped EXE
      PID:2448
    • C:\Windows\System\YLrddpS.exe
      C:\Windows\System\YLrddpS.exe
      2⤵
      • Executes dropped EXE
      PID:2480
    • C:\Windows\System\WcdyTTA.exe
      C:\Windows\System\WcdyTTA.exe
      2⤵
      • Executes dropped EXE
      PID:2528
    • C:\Windows\System\YShmoFk.exe
      C:\Windows\System\YShmoFk.exe
      2⤵
      • Executes dropped EXE
      PID:2864
    • C:\Windows\System\iEKkLyw.exe
      C:\Windows\System\iEKkLyw.exe
      2⤵
      • Executes dropped EXE
      PID:2152
    • C:\Windows\System\xRXmHYo.exe
      C:\Windows\System\xRXmHYo.exe
      2⤵
      • Executes dropped EXE
      PID:2880
    • C:\Windows\System\FJllAdZ.exe
      C:\Windows\System\FJllAdZ.exe
      2⤵
      • Executes dropped EXE
      PID:1536
    • C:\Windows\System\WZNkszn.exe
      C:\Windows\System\WZNkszn.exe
      2⤵
      • Executes dropped EXE
      PID:1520
    • C:\Windows\System\uQCWbbO.exe
      C:\Windows\System\uQCWbbO.exe
      2⤵
      • Executes dropped EXE
      PID:2520
    • C:\Windows\System\RXTptOC.exe
      C:\Windows\System\RXTptOC.exe
      2⤵
      • Executes dropped EXE
      PID:2760
    • C:\Windows\System\JBjBCrs.exe
      C:\Windows\System\JBjBCrs.exe
      2⤵
      • Executes dropped EXE
      PID:2552
    • C:\Windows\System\XvxoVwU.exe
      C:\Windows\System\XvxoVwU.exe
      2⤵
      • Executes dropped EXE
      PID:1820
    • C:\Windows\System\GAEjeuB.exe
      C:\Windows\System\GAEjeuB.exe
      2⤵
      • Executes dropped EXE
      PID:1672
    • C:\Windows\System\kLgwnUR.exe
      C:\Windows\System\kLgwnUR.exe
      2⤵
      • Executes dropped EXE
      PID:2000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\FJllAdZ.exe

    Filesize

    5.9MB

    MD5

    6d330c1966c9cdeae92aa6903321d998

    SHA1

    13c651426fd996480aa73cda88cd4b7b4c14f11a

    SHA256

    fc0b0510b6d8d512d461056df902e00d8c4d2f19a23714320f42f87b23b3b7b9

    SHA512

    0a283f7d0312e40be28840448a1620dd859e99407d75bc0455093ec8e30831979ea385eda3e866da42f28d5fd698317f1519452ba61333d160efd5aefb637c39

  • C:\Windows\system\GAEjeuB.exe

    Filesize

    5.9MB

    MD5

    2a6d54a18ae458c1aae3f571570bc127

    SHA1

    7b9d1ac7bb726aaca82852fe6e9e0c937c8ff5de

    SHA256

    7f328448e35542704c42ab286f75261c28cbd7a2cbc35805a41390d59ffed327

    SHA512

    c1148a0500b928e668ec08c3f671e2efc936cc54c4683f45533c59410b103b06639e944d37374518a3744c2274d32e1768297d5db1dc9ceebc62d4a7da83e967

  • C:\Windows\system\JBjBCrs.exe

    Filesize

    5.9MB

    MD5

    40627e6ec8421aec581fb35eda999e66

    SHA1

    652d9d7c62d347042fb2bc0e253fa880630315ba

    SHA256

    bc69f7d4de45d07c1056e8e22ed4f804c76d47a33e170d31a3869900c603888e

    SHA512

    13bca3248dea7307f68f20109d15ffd4939d5584e59a2eddaa43062e38d3f35d475b833ba0f0d925d01527239ef8798bf34e00ce6c65652b4f99ebabf1d53566

  • C:\Windows\system\NquUzYD.exe

    Filesize

    5.9MB

    MD5

    bb8d47701e3ab19494b9bc8248140f78

    SHA1

    e6323f142cddbaee994396603ef3fd2b8387a1aa

    SHA256

    bf326d3852e4fb0939beccc357a94b052a159381c60ae2f3261781b1d35f0c7b

    SHA512

    d4e9b0185e88eb609a7e917499a2f203b35aba8be104267096cbf8caef3fb02626e583e8aca122cc059ec56aee60dc7bba2ba52858aa18956169b74261c369f0

  • C:\Windows\system\OVciTjk.exe

    Filesize

    5.9MB

    MD5

    a84d9032277eb02daa996d0504933d51

    SHA1

    781da81547284df63ec873f7d2634f558748fdb1

    SHA256

    84fe3e92c16590f9d13d869925d20f8fab608591a5b67a966f5139c788c8bad9

    SHA512

    7d5b7ed8b795cc0bd9c6f5f0af5d63fba8c4c40e10c73fe417a99eb1989424e32af45f2ed6be05442f9c5f52b81448fdc154817cb99fdca9ff87368c35a4b16e

  • C:\Windows\system\RCsabdF.exe

    Filesize

    5.9MB

    MD5

    5d5d57cfc8ec8f930d48c1935f9ee107

    SHA1

    0a8da8957730bfcf5e2c2057c90c505fb6c5e661

    SHA256

    731a890428fc95f8822cae2fd8870450475f83dc70d676e50e22470e60ee0b2b

    SHA512

    61719874d8c6c40ba8bce862d58543cf561d212bf40e5743ba895c4df595c58a61d4f75ea2be86517cd8bb52c45bbfdca923625fb24cd055fee5a39721ab52c9

  • C:\Windows\system\RcClsli.exe

    Filesize

    5.9MB

    MD5

    ab06e150e232557ad5b4ee843cd3987b

    SHA1

    d7cbb09f704e8e781bc5b2a745e3af227c158858

    SHA256

    babf663b26029e3179554f4db303b7e74fcd68026568fa355386c59b6d5d6408

    SHA512

    8cbda6f884a41d301e97b92af500048f4f86b830bfaa339da076773583a1f88fb95039a04b5f100211264bd00202b86262356e471b9a0a927050cc5266d58787

  • C:\Windows\system\VCsuHsu.exe

    Filesize

    5.9MB

    MD5

    1c1d0d48c2c3dc68d802ee61e9bbc60d

    SHA1

    37b6f4c82637660414f1f401d585bd120208f9d5

    SHA256

    fd1142782e8ebc38371c3366d60802abf60934cf028fea19f77732e115042593

    SHA512

    f721042182e7e32ddfd2838db92c0ddfed6f4d0364e9c4e0d3954ab0d4a2a7780a3940a9d172a948399cd41f3486fdd3864a955c752d6ceb5ffd1873f7f5929d

  • C:\Windows\system\WZNkszn.exe

    Filesize

    5.9MB

    MD5

    db0819b6f8ab260e7291f193aa5834e9

    SHA1

    af81683a7652dd9aacb15b42344df5a5cfcd8c68

    SHA256

    3f64a7a5157981b82c41941b7e13519417ad150c911ac32552fce4afbee3f8ad

    SHA512

    35bf074367e073cf83b2ff623a479aeedb9c63939c42813a39aca5b56e957de116ad4a06f2b57a2d45d40c60c2774d460bd1a7b533ee5b4a4aa1fd93201348f9

  • C:\Windows\system\WcdyTTA.exe

    Filesize

    5.9MB

    MD5

    f8a1f8a4131d885995a80cbee3b98deb

    SHA1

    109c1397efc5d3665c72221526be41ab25085e5a

    SHA256

    8ca8b58967a4810d4e8043215e6bff1ee6294f78e4862ac7d360d902706106f3

    SHA512

    d30a238677acd710b6544ec5c3ad8db6a1e69c5e4d0a600bd0352cc2d1b7907777d904d91a37d5f15226c93612ed6823dd1f98fcc24a54226b517561da11053b

  • C:\Windows\system\XvxoVwU.exe

    Filesize

    5.9MB

    MD5

    6dc2bf676d13969204e6d6288d2bd022

    SHA1

    05e00e519f82fb4cddf027a651a1cc43ca14dc24

    SHA256

    7afd060ccae999ba33d71bfb1453834b1584ceb94557f11a0497b7f400f3ebfb

    SHA512

    003f414731e04245aa6dab06955d981133b592b3847c67dcb6fde2539bf6a0f77f11d1e0acd9f26576b0ab62da0f4fffb81216d83d40b882a4991496e012218d

  • C:\Windows\system\YLrddpS.exe

    Filesize

    5.9MB

    MD5

    e190a94d44e009c4e87e13e580bafb93

    SHA1

    97ee320a7cab886354819fbba0228eae3d833b7a

    SHA256

    fb3b3665e889b76a6d35d04267d3c0b10562bee4b6dfebc00ceaf74647f059d7

    SHA512

    0cc2753b9d081233c74c427732dfa511c00950890868716f9ee1f81fd924bfdae46b798ad5e7bcd98a1b722e748ca3b4125fb5e3619106858268b40de22a8d3a

  • C:\Windows\system\YShmoFk.exe

    Filesize

    5.9MB

    MD5

    e845b8fce39f876a25b8a50f751a4432

    SHA1

    e5b853729afd6181d1f5ac630283087998b7ff1b

    SHA256

    136c8c92826662e86d192e3df150f0a95b53acd5237a8c56636ec3ade1c53818

    SHA512

    789510d00cb21692158adf2a990487930b8d9c53c51eaa497a49fcab533e25b43b9fb42c5e925ed0fe462245e70497dd4796b2e746a4a24c57ca73c4f69b95a6

  • C:\Windows\system\iEKkLyw.exe

    Filesize

    5.9MB

    MD5

    5f4c750b2106f9cd483dd68917b11a90

    SHA1

    62bd4d322a80d6e1a840d8f5ab9f86c5763be4df

    SHA256

    4da7e762fcd959b4eaa2550f1a167f3d18c44a626fb5bca4f4d61fca83b05eaa

    SHA512

    0838e30062c08728e2114bde21f3fd6dcfb3b8e3ff3207aa6aae00f37a8c3151b543ece3215c69a5325b421f0ad99f4d6b49152a207c96d5096e987e047cbd79

  • C:\Windows\system\kLgwnUR.exe

    Filesize

    5.9MB

    MD5

    2583ea539b40d634131a420f5ab05535

    SHA1

    d6977762b0853f2911de4328785fc51339ad13f2

    SHA256

    59f90855059c6f090dcf3034e4d0fe6bf2440580e96916ab7e18a15817f14a68

    SHA512

    e07fafeebdecbc687afe9edaafc0d79fa3bb6f770607ab9a53dbfc032489375300eaed9b21447f6e7a385c2b93c80f9cfcc013663e1de64199a4def16080f91a

  • C:\Windows\system\laXVBcx.exe

    Filesize

    5.9MB

    MD5

    81dd494392fdc4b514507b8965da4a65

    SHA1

    e5ca9dcf8fd7395d1ad72266d37deee97add3e57

    SHA256

    7b72b31c71c5587418309c74dbe205f1315e0b3757d97a95a81ecd3775c06490

    SHA512

    eb2c5ecb768ea8fba2ad4b10ea12fb89aff0ba9df3d45f44bdc224820cfa3e5b51b6b2cff5f5663002a68dba09ade3fc61db1eace3d4ab4c0e3efb4128458db0

  • C:\Windows\system\tNAahSb.exe

    Filesize

    5.9MB

    MD5

    8d4e42798b3d62167ff11ca3f642638b

    SHA1

    9a62f5159f6b5089c01d8044498ae116d2535d08

    SHA256

    2e2a6b81e5cb22b921bc05870de1fd403b2fc41681e8540d65286257a413c6ac

    SHA512

    5f7a82d27dca04ab093b700c8f136e6a2b867f4bc4414f8c5d207691305459d3b2f6ddda84997130e6d01d854bbddf44fb052644d4fd6fd5a5f62fae5c0f1999

  • C:\Windows\system\uQCWbbO.exe

    Filesize

    5.9MB

    MD5

    22483296a8dda791fcc85388af278fa6

    SHA1

    7edbcbe65a44f949bf2f8a7ee30850617a5a09f1

    SHA256

    116003a042e91c6fd63d20d985a54f1041928b0786b01e04cb78d6abc0582309

    SHA512

    b011ea31afb47eab4a5697b128988dc0514c85c02bbaf70783b2b59a028c8a6101c1b4be94ef6e54a7e88ae880fd18649793cc7f23466c35203e75ef4d71601e

  • C:\Windows\system\xRXmHYo.exe

    Filesize

    5.9MB

    MD5

    e438e17c045672d79947ae6790f5e9f9

    SHA1

    8d527ff204dfb9239450b3b8cbbb7cb37d96ced1

    SHA256

    816ff58a8f65a2dab8676e65eb27459d60f16527abb236435c9918cb6733650a

    SHA512

    e27c4d7719972c4eb26a203a32038a9839664a36a27b64922127b1bbbffd0b535c140118cd8f6216754ab8793e468a5c801e5e160aea5180a74e83e23bc0bf6d

  • \Windows\system\RXTptOC.exe

    Filesize

    5.9MB

    MD5

    346b9f7f7c6b81400a34ece9e9958482

    SHA1

    174383289a3a44fd0b6a4b3c0f931776b6e2f246

    SHA256

    4e3b87f00a2ab36a9844c4f4ca2797978af1e4d23ec9f08a8987872ddfc14bf9

    SHA512

    9003391b7b9f43dfc2336d39543357fda7273ff4803d25c93630f3f526a7e97eb27b0797c10767329dcaf42f22cf49d7209c6b64e34546e4d92ef552991e9fef

  • \Windows\system\jJUzQiG.exe

    Filesize

    5.9MB

    MD5

    6685d421d092a7a788847e5950a9b119

    SHA1

    a0c75fa5a360e367d512e0bc3ebede2855f19d71

    SHA256

    536597a4f6ea4ae7d8b9665b2f24ebc5b3fc9971bf9bbc6e9c8518160bac2daa

    SHA512

    af3e831f6dc4e8ea0b4099ac5793c151179be92ed9502c8df03deaa4b4c0587a02bfda2bb26415d9571898304c04293608bc6a1a76e8e132c945030f2a801a92

  • memory/1984-124-0x000000013F400000-0x000000013F754000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-134-0x000000013F6D0000-0x000000013FA24000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-36-0x0000000002400000-0x0000000002754000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-131-0x000000013F750000-0x000000013FAA4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-130-0x000000013F1E0000-0x000000013F534000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-129-0x000000013F060000-0x000000013F3B4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-128-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-127-0x000000013FCD0000-0x0000000140024000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-126-0x0000000002400000-0x0000000002754000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-1-0x0000000000080000-0x0000000000090000-memory.dmp

    Filesize

    64KB

  • memory/1984-0-0x000000013FCD0000-0x0000000140024000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-68-0x000000013F110000-0x000000013F464000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-41-0x000000013F810000-0x000000013FB64000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-6-0x000000013F6D0000-0x000000013FA24000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-114-0x000000013F730000-0x000000013FA84000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-14-0x000000013F190000-0x000000013F4E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-111-0x000000013F1D0000-0x000000013F524000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-110-0x000000013F840000-0x000000013FB94000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-28-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-19-0x0000000002400000-0x0000000002754000-memory.dmp

    Filesize

    3.3MB

  • memory/2172-15-0x000000013F190000-0x000000013F4E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2172-140-0x000000013F190000-0x000000013F4E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2172-136-0x000000013F190000-0x000000013F4E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2448-147-0x000000013FFE0000-0x0000000140334000-memory.dmp

    Filesize

    3.3MB

  • memory/2448-125-0x000000013FFE0000-0x0000000140334000-memory.dmp

    Filesize

    3.3MB

  • memory/2480-146-0x000000013F6F0000-0x000000013FA44000-memory.dmp

    Filesize

    3.3MB

  • memory/2480-117-0x000000013F6F0000-0x000000013FA44000-memory.dmp

    Filesize

    3.3MB

  • memory/2484-138-0x000000013F810000-0x000000013FB64000-memory.dmp

    Filesize

    3.3MB

  • memory/2484-43-0x000000013F810000-0x000000013FB64000-memory.dmp

    Filesize

    3.3MB

  • memory/2484-144-0x000000013F810000-0x000000013FB64000-memory.dmp

    Filesize

    3.3MB

  • memory/2496-145-0x000000013F110000-0x000000013F464000-memory.dmp

    Filesize

    3.3MB

  • memory/2496-80-0x000000013F110000-0x000000013F464000-memory.dmp

    Filesize

    3.3MB

  • memory/2560-22-0x000000013FD20000-0x0000000140074000-memory.dmp

    Filesize

    3.3MB

  • memory/2560-137-0x000000013FD20000-0x0000000140074000-memory.dmp

    Filesize

    3.3MB

  • memory/2560-142-0x000000013FD20000-0x0000000140074000-memory.dmp

    Filesize

    3.3MB

  • memory/2668-143-0x000000013FB60000-0x000000013FEB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2668-37-0x000000013FB60000-0x000000013FEB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2724-141-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2724-29-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2728-139-0x000000013F6D0000-0x000000013FA24000-memory.dmp

    Filesize

    3.3MB

  • memory/2728-135-0x000000013F6D0000-0x000000013FA24000-memory.dmp

    Filesize

    3.3MB

  • memory/2728-8-0x000000013F6D0000-0x000000013FA24000-memory.dmp

    Filesize

    3.3MB

  • memory/2864-123-0x000000013F1D0000-0x000000013F524000-memory.dmp

    Filesize

    3.3MB

  • memory/2864-148-0x000000013F1D0000-0x000000013F524000-memory.dmp

    Filesize

    3.3MB