Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29/05/2024, 23:41

General

  • Target

    2024-05-29_0996a57566f58de0a621e6f615273317_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    0996a57566f58de0a621e6f615273317

  • SHA1

    3c9653fc301419735cc56814444ecd4f0a94ac2f

  • SHA256

    a7c8008564bb4286f520a565d952d41a349b5ff3f39adac472d45e38c470960d

  • SHA512

    8284d83f0154d9c12058c7f4b9e57c8d0b82ec141889953516cdbfc0204535352f6be8582ba02eff9a809b96286bcd9383e3dcf480c9d26f9cf096d5b3f26ff2

  • SSDEEP

    98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUP:E+b56utgpPF8u/7P

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 52 IoCs
  • XMRig Miner payload 54 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 52 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-29_0996a57566f58de0a621e6f615273317_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-29_0996a57566f58de0a621e6f615273317_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\System\NRUkWSQ.exe
      C:\Windows\System\NRUkWSQ.exe
      2⤵
      • Executes dropped EXE
      PID:2588
    • C:\Windows\System\CWpwCVp.exe
      C:\Windows\System\CWpwCVp.exe
      2⤵
      • Executes dropped EXE
      PID:2940
    • C:\Windows\System\PPacOcK.exe
      C:\Windows\System\PPacOcK.exe
      2⤵
      • Executes dropped EXE
      PID:2540
    • C:\Windows\System\xrPTFuI.exe
      C:\Windows\System\xrPTFuI.exe
      2⤵
      • Executes dropped EXE
      PID:2748
    • C:\Windows\System\IAMduhO.exe
      C:\Windows\System\IAMduhO.exe
      2⤵
      • Executes dropped EXE
      PID:2156
    • C:\Windows\System\WyReCqB.exe
      C:\Windows\System\WyReCqB.exe
      2⤵
      • Executes dropped EXE
      PID:2604
    • C:\Windows\System\KOsURqk.exe
      C:\Windows\System\KOsURqk.exe
      2⤵
      • Executes dropped EXE
      PID:2484
    • C:\Windows\System\GxUFVvx.exe
      C:\Windows\System\GxUFVvx.exe
      2⤵
      • Executes dropped EXE
      PID:2420
    • C:\Windows\System\fyqnKTN.exe
      C:\Windows\System\fyqnKTN.exe
      2⤵
      • Executes dropped EXE
      PID:1724
    • C:\Windows\System\bopxnLf.exe
      C:\Windows\System\bopxnLf.exe
      2⤵
      • Executes dropped EXE
      PID:2392
    • C:\Windows\System\IXMwGSX.exe
      C:\Windows\System\IXMwGSX.exe
      2⤵
      • Executes dropped EXE
      PID:1712
    • C:\Windows\System\VpCZPyD.exe
      C:\Windows\System\VpCZPyD.exe
      2⤵
      • Executes dropped EXE
      PID:3044
    • C:\Windows\System\rgznPxV.exe
      C:\Windows\System\rgznPxV.exe
      2⤵
      • Executes dropped EXE
      PID:836
    • C:\Windows\System\WEgYIkP.exe
      C:\Windows\System\WEgYIkP.exe
      2⤵
      • Executes dropped EXE
      PID:1344
    • C:\Windows\System\XHMGPJM.exe
      C:\Windows\System\XHMGPJM.exe
      2⤵
      • Executes dropped EXE
      PID:1636
    • C:\Windows\System\dxWiOgi.exe
      C:\Windows\System\dxWiOgi.exe
      2⤵
      • Executes dropped EXE
      PID:1176
    • C:\Windows\System\fFjFSsA.exe
      C:\Windows\System\fFjFSsA.exe
      2⤵
      • Executes dropped EXE
      PID:2596
    • C:\Windows\System\ZREhdTH.exe
      C:\Windows\System\ZREhdTH.exe
      2⤵
      • Executes dropped EXE
      PID:2660
    • C:\Windows\System\ccszpOj.exe
      C:\Windows\System\ccszpOj.exe
      2⤵
      • Executes dropped EXE
      PID:2708
    • C:\Windows\System\ckGlFgi.exe
      C:\Windows\System\ckGlFgi.exe
      2⤵
      • Executes dropped EXE
      PID:2724
    • C:\Windows\System\qsarLDS.exe
      C:\Windows\System\qsarLDS.exe
      2⤵
      • Executes dropped EXE
      PID:1836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\GxUFVvx.exe

    Filesize

    3.5MB

    MD5

    5ab4899127bf72f25886c832ba63ce37

    SHA1

    6e39866f7a59dc33cc4e9c0ad90f889315a5f67a

    SHA256

    59f3b97a006b1e80b709c1778a13a9bcf7a615bdf3e15f4294d5e9f593dca7a7

    SHA512

    ec7beb7d3b11de9af7845fc93b02096176665d373cf6bb463a4cc649a9000b1d8fec80df3d27965ef82a39c82e63ead14a6b680e447e054ec78cba56f427995a

  • C:\Windows\system\IAMduhO.exe

    Filesize

    5.9MB

    MD5

    21c8b8727e5a564bc6d4759abee5fa36

    SHA1

    d51139a03e5af66ef3a5459e71b10de3b4c62366

    SHA256

    d51397c1547faf53277f4ca24337a80c8b139859aa0cd22769ae4f379eaf3ef1

    SHA512

    da6bff63afe8c1d458389dad34c4a1ca5c8a326cdf7e56013cf72af9fbc968e8ddfd68d299d354f80125183178d67a04ff053d8e03ecdec994f5f7d37e984f96

  • C:\Windows\system\IXMwGSX.exe

    Filesize

    5.9MB

    MD5

    0fdee688fb3de7031ed889b3ddc7585f

    SHA1

    cfc0b09c68a80be93a09dd3be2492a932b771b9e

    SHA256

    f4c57253db8e812781cb7ac1be712599d77acf1be358e0f556cb08989b28e257

    SHA512

    6d297ca34af83a35427b2b8ffcf7a634f80d3d83414ed5f0879fd6ac616982324ec5dbeab0fd57cb01386e09574fd0f86366518714034a48de4bf2a6b7c375de

  • C:\Windows\system\KOsURqk.exe

    Filesize

    5.9MB

    MD5

    13f6c687bfe96f23b9a954ee9b23a0bc

    SHA1

    3e533973c306bb6f5d978fb3a265de8b494517ab

    SHA256

    47243ae985b9fd47d1dde5b3a737ee684aedbb7f056f8dfcb077ecc77a7c561a

    SHA512

    6ed7aafcad12f2fb60869b2b8e29a3e0c990e7c92f224f616852292744616c335fb65d3c66e79c97cde9f48a257ee6c8eabd7a38da90292c4e02719deb9fb3aa

  • C:\Windows\system\PPacOcK.exe

    Filesize

    5.9MB

    MD5

    f6723f917b0074566fa027f020d18018

    SHA1

    f932edc872ab6881a3487a062ac3f54d5497da34

    SHA256

    64e22a9e2baeccca4c113ffa3128aab37203fcab25a4523ab75c56b2bdc62c1d

    SHA512

    579290869c34dc5d41d0c79f49751cf281216747f90e11f2bbc1d077cc5d44b4fbcd6ec96a67d790d9ec041fe1bcec40b0bd63930a2ac6ebdc5d4c1c03c09ddd

  • C:\Windows\system\VpCZPyD.exe

    Filesize

    5.9MB

    MD5

    0f41fd8f5f3c20f6871e76615e7ee64a

    SHA1

    4f617a2fc9492973efd9d75ecffaf642a47a1aac

    SHA256

    23abdcccb4517432d57f8fbb12e4e9903978f09827b784a33c7620b0704c368a

    SHA512

    73c1574094b2bc8fe98ddd6d4a426b8de68b3c59de69a6186f8c16aad3061d6dadc0afbde8a631648ae3c75780b3471ba8f566988e22e33513408e3c5a882695

  • C:\Windows\system\WyReCqB.exe

    Filesize

    1.2MB

    MD5

    61ce43e3431058c919f7d3034f22d7d6

    SHA1

    c5338737111dffc7be51059652b03b5c8dbbcede

    SHA256

    a1cfdb2d626cc6f765769949d14f3f40ef948da407ace77cf96ed53c63b38b12

    SHA512

    d855ce8920664848a78b376b697aa9a16ab839b166f035136435663bda3f63bd5b56ad8937fb849a6af312994057ebe549eb37e016d4a782f148c91f54e8254a

  • C:\Windows\system\XHMGPJM.exe

    Filesize

    5.9MB

    MD5

    525313a39cbc8d3a8087b4bd629760dd

    SHA1

    9de23c3de55c3fbeda7c071fccf2a37be7c72bea

    SHA256

    e14fc0f0f1723eae8b754f9eed7ac03d70bf8535f96e00a0a3e6fe54ce667063

    SHA512

    22664704a1890bf8ae9a116d11b6d80d8e1a00e0b2caecd0bc9ffd14bbdadd98ca515c6a65fc4f0b7d5d320db791dbd9887cccbf44215568549a0fe358087c85

  • C:\Windows\system\ccszpOj.exe

    Filesize

    5.9MB

    MD5

    53f98f71e894a0eca962be0732011265

    SHA1

    a636e5dcbb7458098cc799fdb4ca761745c8f937

    SHA256

    73577874dcac8bcdba9d8a40ecf3e05ed2bf2c0e1355b3252e19aa0fd22f911d

    SHA512

    bd09bec9af5619392b3a0a0ccdde5a4694296492b4501d82d87dbf788b6c17550332a31bf63dca6c83491949c97ff1ce74246eba3d82bb174757d52f80999f72

  • C:\Windows\system\fFjFSsA.exe

    Filesize

    5.9MB

    MD5

    5ac47eca39656b2b5f7d888317945451

    SHA1

    7184313ff2d5c740dd19fadbf380e84d9016f590

    SHA256

    3143e779ee11cd3c69defdcd7fe69924dd759cca209f2329e2945c6663a7106f

    SHA512

    4c0f92c9fbdad66aef7719b4e0065a11768062727345a57ea9dd76f42d83bdb1cf9b4dc5a3a7f787cb6b464315fd9e5f594f461ed7e9322b3e60150e12356cc9

  • C:\Windows\system\fyqnKTN.exe

    Filesize

    5.9MB

    MD5

    4b4ad39a03e4d795ed7a9836ad3b9032

    SHA1

    5f19014623061bc6ad4229efe5f543f6336ae64c

    SHA256

    7893aa121a0c9aac22803bdcd9d5593f2f20c233a556a7bed3af3fa1ce4a129d

    SHA512

    4b8f5ded45e853e74a5a207c29f929f3e93a801f98ab3f3ebe3e845fb7e3e37cb51df8bc6d187d1671982a1dfdf20a00f56bddd80113af90c7ec0d3e8b661c14

  • C:\Windows\system\qsarLDS.exe

    Filesize

    5.9MB

    MD5

    32f48e96c7b4eda0f73a6d50063f081e

    SHA1

    9f623b5690e3750c45785c12e734f1fc0124593b

    SHA256

    68cbcc0ff548e8b074fb33b54ba9bcfd7f3a762d9e1ab1ee98fd857bef507e19

    SHA512

    3b8650ec0fcc77a397a82debda8c0b3ab403623a379cf69ba30672f5fe7decd7c3689c87d43cf3644b42b297e44d9597a4ff943d262a00d5cd0bc4252ffbdaff

  • C:\Windows\system\rgznPxV.exe

    Filesize

    5.9MB

    MD5

    8cdcef3a576f06f6fb41325787589771

    SHA1

    54ac587bafe55d99ec0d7e30db976f7f5dfabe5c

    SHA256

    c0178dbf9827621172fd5c1faf3c8754035987648339901149cb4326ba11cccc

    SHA512

    2025dae13e492996baffcf45d4c5a54fa9761428238cd5cee14019ead04bf891d33a4626272b423ccfd80e7af8da7df9dad7438fef3fb34c6057de1c6188b335

  • C:\Windows\system\xrPTFuI.exe

    Filesize

    5.9MB

    MD5

    8ef060d20912971e1ca2a64098f2a477

    SHA1

    07d78539d89f98e4c566a6651da1c6facba3a477

    SHA256

    05d08e6205b23f5e2cb594cdba47c1014e2ada67ff02efa3259035020b586997

    SHA512

    d432c4528e5f2216abd4a7bde411ebd134fdedff3d02e5e42ee5584d7046f06b630a98bc614116fdacdce5ad238ad2c30bb1271ad55ec17085a8aa00dbbf417d

  • \Windows\system\CWpwCVp.exe

    Filesize

    5.9MB

    MD5

    e1c4778b6da9accb86d0bb9f64575df7

    SHA1

    99787bf8d56841200eb9a56d3717fbd89659f171

    SHA256

    f5d2066d586a3f559dbc0c7f290709dd6854ee98c825a8d2ddd4e72b5cf3acf9

    SHA512

    6f6407e18e617f4db96e178bac1f39add932c752eae3fe5efa8880f4d15dcf20ffe974acdb00e46cbce55526686f7c273cd172d53a8f948908df6651b86feca2

  • \Windows\system\GxUFVvx.exe

    Filesize

    5.9MB

    MD5

    245025aee6dd8e352f1947871977f66b

    SHA1

    294fa3a83b0bb00c918d7a0b5d8ca7bed3c24948

    SHA256

    41b3ac7143fe9071702417c2703d358d82cccfd59484f32c5606654d4e089c2c

    SHA512

    454aeb023a977c01ecafa3cf1eae31d52298f30cf26c751fccfc0d16e8e23bebb2cb8ba7f7a589d68ebf5711558f4e8eaf940e6fb6e0aa1511821aef9391db44

  • \Windows\system\NRUkWSQ.exe

    Filesize

    5.9MB

    MD5

    42d4947a564ba3e1f9aee024574933bd

    SHA1

    96ac4bd0956e50eeaec98d41dec6e19f9b8bbe9a

    SHA256

    70bbd6f0bb7559f61d42c262058d95bacbfdfba40da5c557207bfa7ae8a5d4a2

    SHA512

    d975b8c257d8ab7c14d7459872038e363e71685805a14cb9962369802b3f275de8723f4829fecb0539ca326aa402ddca99d9094962a2540b0d604e7887992b85

  • \Windows\system\WEgYIkP.exe

    Filesize

    5.9MB

    MD5

    6e7d35b364f1319a56f54790bece7e5a

    SHA1

    2899f9873521991d8479668810e7ccdb1c00846d

    SHA256

    135a46cce1aebe159d74978f24332a4e448d24408c5f193e2e7da4052230eead

    SHA512

    ddded9a78521e71796873e32aa558ae3c9ea3378407a4d92a1ca4cc3d3b0c44f7540fa81958d3311e76efd0f20e300eed0117f01298695d6667a3ad0647b320d

  • \Windows\system\WyReCqB.exe

    Filesize

    5.9MB

    MD5

    b3b377556cd207ff64bff468421fdbfb

    SHA1

    50fff6f8821c91e2669e2ae7cfa25cc22802fa6b

    SHA256

    5246fb7502c3ad62b55c19be7d20e4dc8167ae36f0e9e5b293c4f81310d95efe

    SHA512

    0c5b578eff6c4edd06795a44064c542b41f6101d468b709743be8a5e80c80c8a12a781cfdd8acc8a56747bf12e727c4eda4009db65c9bfaa0c5ae40ca84ea8a6

  • \Windows\system\ZREhdTH.exe

    Filesize

    5.9MB

    MD5

    8a267198bbafb96b3e168d4577b32874

    SHA1

    4ed4dc4f74923cf3f0c08a10c46f1c0430bb1431

    SHA256

    09e5ad09519ed466d8574a8835d386d9b684c9deab732872e3ac1025c03e3478

    SHA512

    301972a074227d091a4c1815394adcfd93dfa62b3de988798a580ee47cb5aad066694f7b4bffe30e5d133b60e3ec1ed748c9689840234af25be046bcc5de978b

  • \Windows\system\bopxnLf.exe

    Filesize

    5.9MB

    MD5

    d1cef47701d002decd9cf599130489d0

    SHA1

    d5e72275ea9410530ee4b42192a4665f2737273f

    SHA256

    a96792828cc187a6d7f011af80424dcc646d9b0e3bd311097f66958c537cb8a6

    SHA512

    c2c353ab6b63a65aa877d00ac8da8334833e539bb4febc79203e7e40733a7b148dfdbd2ab6caac969eb68c66a34d6f12daf11a87c91bf79ceda1312a924b3b2d

  • \Windows\system\ckGlFgi.exe

    Filesize

    5.9MB

    MD5

    471f21caa5f8efc675f006412309f265

    SHA1

    fa599a586b16dcdd92afcb7fdf106fa7fb3d3df0

    SHA256

    af11696308682a452d436ed29521cfa510e91f3fe8ba86cf89c8ad648ae74bd1

    SHA512

    0667cd2e05c466426dfa87d33b7abd7418d15dc7de24dde611ca823e1fb79dd5653555c78c246571121f434a6d953b004fc7fc203befba85475e4534687c243f

  • \Windows\system\dxWiOgi.exe

    Filesize

    5.9MB

    MD5

    1a14d98d85ebd98c56574201134a0f40

    SHA1

    1aa2b2a753d50b7dbed1f7fd6552eb57786b84e0

    SHA256

    342a459c8562e63d1d25484712f6b13c3e812564c16f0275883f8d15d45c0458

    SHA512

    49375694ac041374ec1267676bf877944e060f629d856546b24960a7a9173c98e5af61503cfdd59788ca555062bb45a84b97224952cd9480260f7d2194b9635d

  • memory/836-126-0x000000013FF50000-0x00000001402A4000-memory.dmp

    Filesize

    3.3MB

  • memory/836-150-0x000000013FF50000-0x00000001402A4000-memory.dmp

    Filesize

    3.3MB

  • memory/1636-149-0x000000013F5B0000-0x000000013F904000-memory.dmp

    Filesize

    3.3MB

  • memory/1636-122-0x000000013F5B0000-0x000000013F904000-memory.dmp

    Filesize

    3.3MB

  • memory/1712-116-0x000000013F960000-0x000000013FCB4000-memory.dmp

    Filesize

    3.3MB

  • memory/1712-146-0x000000013F960000-0x000000013FCB4000-memory.dmp

    Filesize

    3.3MB

  • memory/1724-144-0x000000013F190000-0x000000013F4E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1724-114-0x000000013F190000-0x000000013F4E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2156-123-0x000000013F810000-0x000000013FB64000-memory.dmp

    Filesize

    3.3MB

  • memory/2156-142-0x000000013F810000-0x000000013FB64000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-127-0x000000013FA20000-0x000000013FD74000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-8-0x000000013F0E0000-0x000000013F434000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-117-0x00000000024F0000-0x0000000002844000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-115-0x000000013F2E0000-0x000000013F634000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-125-0x000000013F960000-0x000000013FCB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-87-0x000000013F190000-0x000000013F4E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-124-0x000000013F410000-0x000000013F764000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-0-0x000000013FEA0000-0x00000001401F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-121-0x000000013F5B0000-0x000000013F904000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-56-0x000000013FEA0000-0x00000001401F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-101-0x000000013F800000-0x000000013FB54000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-76-0x000000013F600000-0x000000013F954000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-120-0x000000013F230000-0x000000013F584000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-22-0x000000013F5E0000-0x000000013F934000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-14-0x000000013FAB0000-0x000000013FE04000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-137-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-36-0x000000013F810000-0x000000013FB64000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-27-0x000000013F1C0000-0x000000013F514000-memory.dmp

    Filesize

    3.3MB

  • memory/2248-1-0x00000000000F0000-0x0000000000100000-memory.dmp

    Filesize

    64KB

  • memory/2392-119-0x000000013F800000-0x000000013FB54000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-148-0x000000013F800000-0x000000013FB54000-memory.dmp

    Filesize

    3.3MB

  • memory/2420-118-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2420-147-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2484-145-0x000000013F410000-0x000000013F764000-memory.dmp

    Filesize

    3.3MB

  • memory/2484-110-0x000000013F410000-0x000000013F764000-memory.dmp

    Filesize

    3.3MB

  • memory/2540-139-0x000000013F5E0000-0x000000013F934000-memory.dmp

    Filesize

    3.3MB

  • memory/2540-26-0x000000013F5E0000-0x000000013F934000-memory.dmp

    Filesize

    3.3MB

  • memory/2588-138-0x000000013F0E0000-0x000000013F434000-memory.dmp

    Filesize

    3.3MB

  • memory/2588-12-0x000000013F0E0000-0x000000013F434000-memory.dmp

    Filesize

    3.3MB

  • memory/2604-108-0x000000013F600000-0x000000013F954000-memory.dmp

    Filesize

    3.3MB

  • memory/2604-143-0x000000013F600000-0x000000013F954000-memory.dmp

    Filesize

    3.3MB

  • memory/2748-141-0x000000013F1C0000-0x000000013F514000-memory.dmp

    Filesize

    3.3MB

  • memory/2748-30-0x000000013F1C0000-0x000000013F514000-memory.dmp

    Filesize

    3.3MB

  • memory/2940-140-0x000000013FAB0000-0x000000013FE04000-memory.dmp

    Filesize

    3.3MB

  • memory/2940-132-0x000000013FAB0000-0x000000013FE04000-memory.dmp

    Filesize

    3.3MB

  • memory/2940-19-0x000000013FAB0000-0x000000013FE04000-memory.dmp

    Filesize

    3.3MB