Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    135s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29/05/2024, 19:04

General

  • Target

    2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    a57aa1d47623736a56fe43aa50a9ac67

  • SHA1

    7cde9e097cca94b23922652042d623bc85d31b8b

  • SHA256

    fb053700c8e22da1f55e71ee2c0037319850e7396b579c795ab4c74525268737

  • SHA512

    fb6cc55ce44ef01e168b83d158bc89ba7a3955ff5d8d26c16c8ca8049e7847db221b8c2b9914a2a64ac67e95d8f186d8c9d3401c3cfbfa47f1771cfb9443a66a

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUR:Q+856utgpPF8u/7R

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 53 IoCs
  • XMRig Miner payload 58 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 53 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-29_a57aa1d47623736a56fe43aa50a9ac67_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\System\kiWnGSI.exe
      C:\Windows\System\kiWnGSI.exe
      2⤵
      • Executes dropped EXE
      PID:2228
    • C:\Windows\System\DSUDzUm.exe
      C:\Windows\System\DSUDzUm.exe
      2⤵
      • Executes dropped EXE
      PID:2480
    • C:\Windows\System\nkvRATi.exe
      C:\Windows\System\nkvRATi.exe
      2⤵
      • Executes dropped EXE
      PID:2532
    • C:\Windows\System\kyWQHYX.exe
      C:\Windows\System\kyWQHYX.exe
      2⤵
      • Executes dropped EXE
      PID:2612
    • C:\Windows\System\VhxtMAr.exe
      C:\Windows\System\VhxtMAr.exe
      2⤵
      • Executes dropped EXE
      PID:2492
    • C:\Windows\System\rPRbOHn.exe
      C:\Windows\System\rPRbOHn.exe
      2⤵
      • Executes dropped EXE
      PID:1208
    • C:\Windows\System\CjqOQnp.exe
      C:\Windows\System\CjqOQnp.exe
      2⤵
      • Executes dropped EXE
      PID:2660
    • C:\Windows\System\CqbHoMa.exe
      C:\Windows\System\CqbHoMa.exe
      2⤵
      • Executes dropped EXE
      PID:2412
    • C:\Windows\System\WAQbBHw.exe
      C:\Windows\System\WAQbBHw.exe
      2⤵
      • Executes dropped EXE
      PID:2496
    • C:\Windows\System\ZwUzSPc.exe
      C:\Windows\System\ZwUzSPc.exe
      2⤵
      • Executes dropped EXE
      PID:2388
    • C:\Windows\System\KadOLwo.exe
      C:\Windows\System\KadOLwo.exe
      2⤵
      • Executes dropped EXE
      PID:2440
    • C:\Windows\System\ppAuObW.exe
      C:\Windows\System\ppAuObW.exe
      2⤵
      • Executes dropped EXE
      PID:2852
    • C:\Windows\System\avpFmpk.exe
      C:\Windows\System\avpFmpk.exe
      2⤵
      • Executes dropped EXE
      PID:3048
    • C:\Windows\System\ldfgeyY.exe
      C:\Windows\System\ldfgeyY.exe
      2⤵
      • Executes dropped EXE
      PID:1436
    • C:\Windows\System\pAvtuID.exe
      C:\Windows\System\pAvtuID.exe
      2⤵
      • Executes dropped EXE
      PID:1256
    • C:\Windows\System\fauNMFf.exe
      C:\Windows\System\fauNMFf.exe
      2⤵
      • Executes dropped EXE
      PID:1360
    • C:\Windows\System\lKyVBSN.exe
      C:\Windows\System\lKyVBSN.exe
      2⤵
      • Executes dropped EXE
      PID:1264
    • C:\Windows\System\JVRgqNz.exe
      C:\Windows\System\JVRgqNz.exe
      2⤵
      • Executes dropped EXE
      PID:1568
    • C:\Windows\System\FEOzMbF.exe
      C:\Windows\System\FEOzMbF.exe
      2⤵
      • Executes dropped EXE
      PID:2692
    • C:\Windows\System\DVdZYma.exe
      C:\Windows\System\DVdZYma.exe
      2⤵
      • Executes dropped EXE
      PID:1548
    • C:\Windows\System\KnQvsHO.exe
      C:\Windows\System\KnQvsHO.exe
      2⤵
      • Executes dropped EXE
      PID:1588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\CjqOQnp.exe

    Filesize

    5.9MB

    MD5

    a37051daa1e26e2fdc5f3c18a994a290

    SHA1

    6754ac79d2e97d96e013d521e1570afe4bc20d76

    SHA256

    fcbfe7b55feb08e8f71b3dfa6a8a57b61ea55f62071804bc94b02c11e582f48b

    SHA512

    d1391a68ba9851e2acd92f05c81c67cb925edcefba6b9ad8854dfd6fbe6a047489f29652e4ff8a73e6b1cf4db1603eec76bf7d6438c93dee1db52bd1fdf23c15

  • C:\Windows\system\CqbHoMa.exe

    Filesize

    5.9MB

    MD5

    056058903a9d4d0f01079c7860516940

    SHA1

    10cb11a049e642f6104e5afffdac2372bcf945c8

    SHA256

    973ade447d9a89dd16663ed58bf001654ee827577de31d626b58f47661555ea1

    SHA512

    baf8b02610db8dd8e9e501229509a0a5e5e94e04b5869fa1defa849b68e9d13df3581c57e4a346af3a0915a4186076f9f9efda3a7a106e99c001e229cf55f752

  • C:\Windows\system\DSUDzUm.exe

    Filesize

    5.9MB

    MD5

    bc69747e351d7ce386e8c3b64a9381bd

    SHA1

    ecca9714f1ac43d74ce9da34807ce9eebd860486

    SHA256

    3dabe4528231c523a991f3636329a8a178e73ae191815877a481f7690ce70ae2

    SHA512

    57e395389ce25ea1d0e2a5030307fb5a8bae3d49442b6f48f3ad3add1b158304fb098bae0c094935e061a28f65107982792aaf206b5b3c8acb3acd64531823c2

  • C:\Windows\system\DVdZYma.exe

    Filesize

    5.9MB

    MD5

    ed160aaf55237ba49cd940eac59593a4

    SHA1

    bd4a22c2d73be22c927cca58f8ea036fc34f61e0

    SHA256

    0c8f19cdfed2ab157210b9d787294674e15d5a9c4797aeaf1f4e29aea1f5fbe8

    SHA512

    0485f89b2fa277dec257b081c558c4ef2d8163a0a330bc497ff76ee188dc4b8ca1d462a89d8b5266d5190302e7b7095cc3789b7764aca10f7232e45e40279e22

  • C:\Windows\system\FEOzMbF.exe

    Filesize

    5.9MB

    MD5

    52c0e89dd609f74b768fe63cf19622d9

    SHA1

    133f6c668be43d8e3cbdf0e746b384038fb5ddae

    SHA256

    dd85a8385ef577d171bb4dd79ff4a314fb97be621965051f9c5bca64b85b9c08

    SHA512

    3b2e1bcd9825586e6a12d934cc14e5dad6dc66e35e51bdb5f78126c335202e2d8c89f197801caac7cac24e472c6ce5f80fd3fae7ac1801b0b4d1238018b8d36d

  • C:\Windows\system\JVRgqNz.exe

    Filesize

    5.9MB

    MD5

    f95aac0f59a9fce5534e93686c9198aa

    SHA1

    56d6d3dc959371db7a4afebfefc045b2ffeae149

    SHA256

    46d4ab3ef0a85289922d1569168e4983d99d258bd8b53ee16b9c123eaf66a1d3

    SHA512

    09ddf52750f97853b60397e321fec73a320e6c9651205a0e494f7a4a86598f040d3a6f54f8e430c329f8dadb8b318623ceb5ec3e70327c925f596b2992e065c3

  • C:\Windows\system\KadOLwo.exe

    Filesize

    5.9MB

    MD5

    fbc0032cccc4435e4ed1d299a3e655fb

    SHA1

    636cb9802dd21637e79967f2c078ab2551339ff2

    SHA256

    de58efa57ea0e9fc85540ca32aa4e54d563e745c855080dd1237b78adc349ce9

    SHA512

    9f22bb770aceeb89963fdf9fc11d80f736d1245b881be6f98e4bc927f45305ba50551bb7085e948ce4ade660e11eace4b40cc7667faa133adadcfb69cf113ab8

  • C:\Windows\system\WAQbBHw.exe

    Filesize

    5.9MB

    MD5

    a9e608bfabeb1a5a9f0fe315c6e58082

    SHA1

    b2d0afe43fc9d4de1a15f584cf41c8e4e8cabf16

    SHA256

    1d13f1c2114e1b5b2137d5d05265e33205f04923aff4473b266890cb73b43600

    SHA512

    26215c448fad2822d71f956ea07524d326dd29e1e3d928d368bcc034d6206770da51baf7740135395ad651b78140cebbf66d49abf3077219661b80a7d290b586

  • C:\Windows\system\ZwUzSPc.exe

    Filesize

    5.9MB

    MD5

    7b421f14f8c3aa873b77b481a66e7f10

    SHA1

    aaa96aaab8342c16722062cab8e585555e4e8e69

    SHA256

    3c11c3ae018b16dd85491d959a3b9e4d29d9ad9d7657e361e521ecb7b071c416

    SHA512

    d7ccbb7b5a6021b46bb504c007707ff5c44603eca25c5f6795b3901d4b3fa2e2a112e116074ac03a5799e3540d1b8598b53a511336516f633c35b54689c5b35a

  • C:\Windows\system\avpFmpk.exe

    Filesize

    5.9MB

    MD5

    9ddc862ec57dbdd11492be4b0e415d5c

    SHA1

    3f4ee259a14cf6c4dce108a10cd3c53d28fd17fc

    SHA256

    c4635f9c0ed4ff7aa5b2bafdba508ed7612006cb5e1918283e19eab965dfd1a3

    SHA512

    2f600a4d461370fff49ad06f7212a55d1a00b890e071c2da06bf1e47e8b92454ef15cb52b14702898665906fdd25310d21bfba8e32b517e86b624299fabdd8e5

  • C:\Windows\system\fauNMFf.exe

    Filesize

    5.9MB

    MD5

    18346f21c29b828398fac1af581d7253

    SHA1

    793215a6938128c3fcfd35fc43962b9687f126bc

    SHA256

    a4649ca0492d60611fad5a19552919dd05b51b5e0559568820dd6ba5f409899f

    SHA512

    1ebeebfb3a7250d78b08085ef860d0a48689278c4774b76888580f7b996368ac09a2cf0196a6671912db0ec7dda8d93a209083c4a43ea9e915464e2104b321ac

  • C:\Windows\system\kiWnGSI.exe

    Filesize

    5.9MB

    MD5

    7314b8ee3d03920b0f92c9748334ee36

    SHA1

    542bf86d7d6aafe90a3de3c13b07afca810c1fa4

    SHA256

    b5aaafe267ca341ad22eed32305f80fba87358642255b5398890cc5f717abfa2

    SHA512

    f8901c172531a481159f0b3ec0b83545ab6b6774224c0aa1e40c435e6b42de05c1c4b9f5562d5bdc93b8f8eccf36c3d8060b55ed543db0d466fcd7202f0aa819

  • C:\Windows\system\kyWQHYX.exe

    Filesize

    5.9MB

    MD5

    713eb06b68e6edb9c2d27008fb2cb1ba

    SHA1

    cffe1fdbf79e736b3842256307ec40536d4c554f

    SHA256

    733e727a2cf192c65836281cec8e61cc3c8958359eacf0d568fc319e3ca17c3f

    SHA512

    4dd49d5479a3c7971a550f36002225cc02c6332aaf911e648d9d9da2864a8fae33d564cc207d93d276ea7cc246b4ab16b4da8ef8db89f455a3bc15e959580ee1

  • C:\Windows\system\lKyVBSN.exe

    Filesize

    5.9MB

    MD5

    dba1e268b3d98d3a5be16f8ec263f4c7

    SHA1

    5c2948da21e7743a55e7496e90ee728a062183d6

    SHA256

    a71cd1ff0c3417895bf868a98b322779d46c28b25174ad44fa341f6bcac16f5a

    SHA512

    33fc3dbe13deeff66cb5b01fe6dd5c2ff71235a9662f1986e4b6c6214aafc1e052197d5eed747293060858b67670d2767b0848d0a11fb60ef1681cc53f8cdb8b

  • C:\Windows\system\ldfgeyY.exe

    Filesize

    5.9MB

    MD5

    fefb75647526efa3772446e2ae9af5a4

    SHA1

    1b20adcd303b0e6df0338c4420cd78eef7a01eb9

    SHA256

    72ed8a65461f3412bf8f262645435ac3563a2a5ecaa3c9d2dea08e491d18f48b

    SHA512

    25ec3badb0e5324e441da3379c1a1947f36e738b8953a4a4a92beae51e493bcecb69562c44a2986595e0ba1b5b840e22c186526349b2ae4f324f3585e0172fdd

  • C:\Windows\system\nkvRATi.exe

    Filesize

    5.9MB

    MD5

    cb2f3c86cffb5aaf50088258cd646a5f

    SHA1

    2ccc8b2f7e3354a6a98067ebdd56597341914596

    SHA256

    7ec7f642e6db593574fe2ed5d796710078a237a4523493eab84fff2bcb5f8a96

    SHA512

    c9af1c12a9520d0dbc6adec36e83f41e5c313d5f98133b48b194e8279b3b29a29c92d22256451073c3e5c31f25b3f856faa2cfe0387022b8a665585827214d7e

  • C:\Windows\system\pAvtuID.exe

    Filesize

    5.9MB

    MD5

    33f3122a8f88ef4b91c3e98150e63b4c

    SHA1

    b5280fb7c43f00c41eb515cca779dc7638d0b514

    SHA256

    8ad79ef5c0d32657344c046a663941ca5640f371cc435f49cb577e440ac5677f

    SHA512

    553a9b98cbff9bdf6e076cbf01f4ecf5fd785cd695f491f38c6e090d422590e151badea8a4255f0676a565051f371a25ec335efb7128fa1eacb49783d7f7e625

  • C:\Windows\system\ppAuObW.exe

    Filesize

    5.9MB

    MD5

    3ad865ca45fb6fbc6a7555aa47c28452

    SHA1

    1839a9e3d3e35c71f0242e8f52f3f6c85b505606

    SHA256

    07562b3694730a14613eb4fd1df04cf1ee307ff4732d3b3fe6602580e25293a2

    SHA512

    1ec7689c4a0f9f04fc7f6391e11ec5fca7a985cba30cbae14b297e38adfb2f5920dc20844411c2ebabf37576524b345f459ac120a9442e07dbecce6d9b13fe25

  • C:\Windows\system\rPRbOHn.exe

    Filesize

    5.9MB

    MD5

    25cdbd1c99aaee2568bd82effd170611

    SHA1

    0ac6282b6be78816342fd00d9ef94c95a39a22ce

    SHA256

    680f547a54ce5d6148b3f2f06370397662369635186db44a43251ef2bb1766a2

    SHA512

    bb72d36cf045a1d5ae26ac42b74a3be9a99339d40dd803235881439f5ffb5f4cc971f8a5bab28846866511f54ea0bf9282d8974872102868f00429462e826a94

  • \Windows\system\KnQvsHO.exe

    Filesize

    5.9MB

    MD5

    e83273e490364a5843cdd43f29f1f69e

    SHA1

    14f409f085a6cea586c787124e0bb5ae56e2ec86

    SHA256

    de49a3fbeca5ad4168b98b3dbc9dbd4d07ea8ac4b263f12fe23d9a0304e48aa0

    SHA512

    fd50b8a44b3bb5883eec498a709b133d7b091fce33aa917f5d3490d7302a1704ea85281cdea9e62597f65ce86f7bfcf1b2ae4e960f74c4c8c7b0d0c237e5e92a

  • \Windows\system\VhxtMAr.exe

    Filesize

    5.9MB

    MD5

    7b9e21708fb625ebaf34325e1f365348

    SHA1

    ffa4f6b30de8ff8d526f9078d0df8021e129a6fe

    SHA256

    208a162916e7b09816376e79af9a3992c3f717f4a8ce437fb38bba7b69d14834

    SHA512

    31d5cdaec3c0cdc015d881590c1d95c4d47d3e3b21b2c432b0ef057ef222844247c4d1d1f6983fc53c2d4ae8301d9ff869ff199400488a02841bf1df96816b6a

  • memory/1208-116-0x000000013FC80000-0x000000013FFD4000-memory.dmp

    Filesize

    3.3MB

  • memory/1208-140-0x000000013FC80000-0x000000013FFD4000-memory.dmp

    Filesize

    3.3MB

  • memory/1436-130-0x000000013F720000-0x000000013FA74000-memory.dmp

    Filesize

    3.3MB

  • memory/1436-149-0x000000013F720000-0x000000013FA74000-memory.dmp

    Filesize

    3.3MB

  • memory/1948-133-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1948-124-0x000000013FF70000-0x00000001402C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1948-1-0x000000013F8F0000-0x000000013FC44000-memory.dmp

    Filesize

    3.3MB

  • memory/1948-115-0x000000013FC80000-0x000000013FFD4000-memory.dmp

    Filesize

    3.3MB

  • memory/1948-117-0x0000000002560000-0x00000000028B4000-memory.dmp

    Filesize

    3.3MB

  • memory/1948-121-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

    Filesize

    3.3MB

  • memory/1948-0-0x00000000000F0000-0x0000000000100000-memory.dmp

    Filesize

    64KB

  • memory/1948-119-0x000000013FE30000-0x0000000140184000-memory.dmp

    Filesize

    3.3MB

  • memory/1948-132-0x000000013F8F0000-0x000000013FC44000-memory.dmp

    Filesize

    3.3MB

  • memory/1948-128-0x000000013F050000-0x000000013F3A4000-memory.dmp

    Filesize

    3.3MB

  • memory/1948-26-0x0000000002560000-0x00000000028B4000-memory.dmp

    Filesize

    3.3MB

  • memory/1948-15-0x0000000002560000-0x00000000028B4000-memory.dmp

    Filesize

    3.3MB

  • memory/1948-8-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1948-131-0x000000013F3F0000-0x000000013F744000-memory.dmp

    Filesize

    3.3MB

  • memory/1948-126-0x000000013FDC0000-0x0000000140114000-memory.dmp

    Filesize

    3.3MB

  • memory/2228-136-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2228-9-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2388-145-0x000000013F860000-0x000000013FBB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2388-123-0x000000013F860000-0x000000013FBB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2412-143-0x000000013FE30000-0x0000000140184000-memory.dmp

    Filesize

    3.3MB

  • memory/2412-120-0x000000013FE30000-0x0000000140184000-memory.dmp

    Filesize

    3.3MB

  • memory/2440-146-0x000000013FF70000-0x00000001402C4000-memory.dmp

    Filesize

    3.3MB

  • memory/2440-125-0x000000013FF70000-0x00000001402C4000-memory.dmp

    Filesize

    3.3MB

  • memory/2480-137-0x000000013F5B0000-0x000000013F904000-memory.dmp

    Filesize

    3.3MB

  • memory/2480-16-0x000000013F5B0000-0x000000013F904000-memory.dmp

    Filesize

    3.3MB

  • memory/2492-114-0x000000013F930000-0x000000013FC84000-memory.dmp

    Filesize

    3.3MB

  • memory/2492-141-0x000000013F930000-0x000000013FC84000-memory.dmp

    Filesize

    3.3MB

  • memory/2496-122-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2496-144-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2532-134-0x000000013F900000-0x000000013FC54000-memory.dmp

    Filesize

    3.3MB

  • memory/2532-24-0x000000013F900000-0x000000013FC54000-memory.dmp

    Filesize

    3.3MB

  • memory/2532-138-0x000000013F900000-0x000000013FC54000-memory.dmp

    Filesize

    3.3MB

  • memory/2612-113-0x000000013F6E0000-0x000000013FA34000-memory.dmp

    Filesize

    3.3MB

  • memory/2612-139-0x000000013F6E0000-0x000000013FA34000-memory.dmp

    Filesize

    3.3MB

  • memory/2612-135-0x000000013F6E0000-0x000000013FA34000-memory.dmp

    Filesize

    3.3MB

  • memory/2660-142-0x000000013FA90000-0x000000013FDE4000-memory.dmp

    Filesize

    3.3MB

  • memory/2660-118-0x000000013FA90000-0x000000013FDE4000-memory.dmp

    Filesize

    3.3MB

  • memory/2852-147-0x000000013FDC0000-0x0000000140114000-memory.dmp

    Filesize

    3.3MB

  • memory/2852-127-0x000000013FDC0000-0x0000000140114000-memory.dmp

    Filesize

    3.3MB

  • memory/3048-129-0x000000013F050000-0x000000013F3A4000-memory.dmp

    Filesize

    3.3MB

  • memory/3048-148-0x000000013F050000-0x000000013F3A4000-memory.dmp

    Filesize

    3.3MB