Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    137s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29/05/2024, 19:12

General

  • Target

    2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    ff49e3fd83ff3e08dd7b63877d754e33

  • SHA1

    0f8db6129513d1e3b2bc7c536b6b5e600a6e9bb5

  • SHA256

    60656031502c4feeedcd375ac611cdad0c6dccd8c245a35efeef82a08d8860e5

  • SHA512

    f7f46d8487173d2260c3aa786044cd6ba9c4b808999ebeebca83f6b044133266dbfec00fbd19e25c36c9b53d04b3c8cf61f16eddedd54adc29d915f85097165f

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUm:Q+856utgpPF8u/7m

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 57 IoCs
  • XMRig Miner payload 60 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 57 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-29_ff49e3fd83ff3e08dd7b63877d754e33_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\System\GPoTZwZ.exe
      C:\Windows\System\GPoTZwZ.exe
      2⤵
      • Executes dropped EXE
      PID:2256
    • C:\Windows\System\OzRomeW.exe
      C:\Windows\System\OzRomeW.exe
      2⤵
      • Executes dropped EXE
      PID:1112
    • C:\Windows\System\FdldROP.exe
      C:\Windows\System\FdldROP.exe
      2⤵
      • Executes dropped EXE
      PID:2576
    • C:\Windows\System\kZZsRnS.exe
      C:\Windows\System\kZZsRnS.exe
      2⤵
      • Executes dropped EXE
      PID:2640
    • C:\Windows\System\ebgLSRe.exe
      C:\Windows\System\ebgLSRe.exe
      2⤵
      • Executes dropped EXE
      PID:2580
    • C:\Windows\System\kRBfHhT.exe
      C:\Windows\System\kRBfHhT.exe
      2⤵
      • Executes dropped EXE
      PID:2552
    • C:\Windows\System\emRbESm.exe
      C:\Windows\System\emRbESm.exe
      2⤵
      • Executes dropped EXE
      PID:2536
    • C:\Windows\System\BxRIfXz.exe
      C:\Windows\System\BxRIfXz.exe
      2⤵
      • Executes dropped EXE
      PID:2428
    • C:\Windows\System\ytCLAla.exe
      C:\Windows\System\ytCLAla.exe
      2⤵
      • Executes dropped EXE
      PID:2500
    • C:\Windows\System\YfTsrgf.exe
      C:\Windows\System\YfTsrgf.exe
      2⤵
      • Executes dropped EXE
      PID:1232
    • C:\Windows\System\JHWveGt.exe
      C:\Windows\System\JHWveGt.exe
      2⤵
      • Executes dropped EXE
      PID:888
    • C:\Windows\System\MjrUzNr.exe
      C:\Windows\System\MjrUzNr.exe
      2⤵
      • Executes dropped EXE
      PID:1568
    • C:\Windows\System\DRYJXVf.exe
      C:\Windows\System\DRYJXVf.exe
      2⤵
      • Executes dropped EXE
      PID:2492
    • C:\Windows\System\tAmUKhK.exe
      C:\Windows\System\tAmUKhK.exe
      2⤵
      • Executes dropped EXE
      PID:2160
    • C:\Windows\System\XrYASWo.exe
      C:\Windows\System\XrYASWo.exe
      2⤵
      • Executes dropped EXE
      PID:2960
    • C:\Windows\System\CdKMVAM.exe
      C:\Windows\System\CdKMVAM.exe
      2⤵
      • Executes dropped EXE
      PID:2352
    • C:\Windows\System\YxwRsqs.exe
      C:\Windows\System\YxwRsqs.exe
      2⤵
      • Executes dropped EXE
      PID:1952
    • C:\Windows\System\TTRSbes.exe
      C:\Windows\System\TTRSbes.exe
      2⤵
      • Executes dropped EXE
      PID:1648
    • C:\Windows\System\HcLDNVt.exe
      C:\Windows\System\HcLDNVt.exe
      2⤵
      • Executes dropped EXE
      PID:1936
    • C:\Windows\System\lqOLpBZ.exe
      C:\Windows\System\lqOLpBZ.exe
      2⤵
      • Executes dropped EXE
      PID:2168
    • C:\Windows\System\jHgbosR.exe
      C:\Windows\System\jHgbosR.exe
      2⤵
      • Executes dropped EXE
      PID:2324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\DRYJXVf.exe

    Filesize

    5.9MB

    MD5

    444fe516735e3a07d22a1cfa5c38842d

    SHA1

    980f0f770a845ad1d38e2a43f98e9b53aea97ab2

    SHA256

    25ee02b576153020e5a46e3c55ef5f478b26b38ffa65cae2898c95fb62cebf99

    SHA512

    1f1a27fc4880112b521c2087b0a86636091b386b3263e8126455e967bfa7287909b2f1de1d36d1197b86ef7f3c7b4fec69e5e14b6ec219dd504defb3b40e760a

  • C:\Windows\system\FdldROP.exe

    Filesize

    5.9MB

    MD5

    cd14a1a278013b2fb62e3ce49639545f

    SHA1

    f3b644815b92b688f9f78404d2f32da714922e05

    SHA256

    fd13f80b42254103fc9cc1be36c83abf27eef9e003355fdc8f58c38cddd77328

    SHA512

    ac143a55426e47e178430d759b1f418ff8fe5603e919e20506a09433971c59d64aab37623da01050eb22f76910226a6f875db6d9df1d7008e0080be8c7cc570f

  • C:\Windows\system\HcLDNVt.exe

    Filesize

    5.9MB

    MD5

    ffcad429098f9a28a9f298bb171d201d

    SHA1

    8ed5291d5e6972d9d882ee7821ff3e7bbe673e24

    SHA256

    1fd5e970bfbb817af6d224c9b377416d7570a2b70d3e49d8f5746573773d8371

    SHA512

    fa9826332cddb4885f75f562cc26a2978b7b9e2bcbd308d7f014f498372ea4a52e77b694c185903fa3016ddc7eef6e66370bd3195236232472554aa7d9098a8c

  • C:\Windows\system\OzRomeW.exe

    Filesize

    5.9MB

    MD5

    380db07920cfb69bd37cc94581b6c8a3

    SHA1

    3305bb54e7bfeb4bea733a885b556427874d19ff

    SHA256

    bfe9455491209d22589b7a44de2893b82a19219b6378168ec5a3ba8137585651

    SHA512

    0142a73bf6d860d1fa1a98601a9139e7a193be32500367d0fd4f0169c06a247e37fc36b97adcb6f7e14851b8bdc76e313203c1477ef621fd9a5370bbde94ac76

  • C:\Windows\system\TTRSbes.exe

    Filesize

    5.9MB

    MD5

    9c78e335eee14f22cb224a9073c59e72

    SHA1

    212450672bbce09ac19aad30b06bd9324ae73719

    SHA256

    6586474d5d8ad14c4aa896b8a3de70367804ea0b64aa2a3cc4617d2e96b3bd7a

    SHA512

    10a2cf3bafcb3dcc626a565d05ed99e752b674cf8cb5844dea092b45d029eacd1fbee41c317f37dd7d1e8a5836296b76d80a41c277e07a4597bb4c9b8ade3746

  • C:\Windows\system\XrYASWo.exe

    Filesize

    5.9MB

    MD5

    16f6d7e642750c32dd5a3d1584bee400

    SHA1

    434bc0114c1f349f9975fbf00bfb97e6af028f37

    SHA256

    e523d1c1aa920dd3b0a8324b5056e3a64c72fc2fefd477b330eccc1f735b4de2

    SHA512

    ac209d7871d20f5d8050c36f3f35147c86b4bf951b923791965b3abf2a7c96a51f266280758ba8097c6b1a2a9cd5fc9bda872a24d18d8e46df10a72ec29acde6

  • C:\Windows\system\YfTsrgf.exe

    Filesize

    5.9MB

    MD5

    f4a59af062573c3fd8cbb042ca90cdfb

    SHA1

    87ab5c93c3250c975342e94c506eb57f6df2b6a8

    SHA256

    875f449fe096ee8d947ca804a2729341f5c27b8187cf85efdfa3742602655851

    SHA512

    892e4d52c686d8d1adc7eec89211431cb6ded42a3437013f54ed387b759253139ae44d5f795df315266a668c0e8b932869836b6bca149f683fb105bcd1e07c1d

  • C:\Windows\system\YxwRsqs.exe

    Filesize

    5.9MB

    MD5

    0ff6a831f510b16bcb0de173469dfc6f

    SHA1

    e80d9f954f8d100d90a59ace14a0a1551f33e120

    SHA256

    0fb388b67e3f56bc43ac6eaf9ac35dfffd6220f69ee9da2da31186f901a3d027

    SHA512

    0f61928f1e47c328aaa0b12ff58a73401d5f3d5b34a9bd571090fbd7356800dbc860b06ca10f9e864234cf2ab122a441af5169925a332b70af0f9f1be993c05a

  • C:\Windows\system\ebgLSRe.exe

    Filesize

    5.9MB

    MD5

    16ff9866bb4230c01d610ce84e46b8a5

    SHA1

    9f78a690c0144fac6660aaf1de9ae02a64142a1b

    SHA256

    d3946e477b88391271e36cda46c140087f16c9f79021db8294f7bb4f24bd0421

    SHA512

    7a24b789e3f27208d2679bd7d41cdf0a6134763b1babac8775234c391b2120fb7d2b2f89513d3b8032caf4953887c4b80e4c18d42abce790c0802e5ae26855d7

  • C:\Windows\system\emRbESm.exe

    Filesize

    5.9MB

    MD5

    e265057478a7f7b35dd78ebc3a47ceaa

    SHA1

    a7d6500a9cb83f531aebc8a39187630d7cd22a12

    SHA256

    cd3c20e797f5b3deb0b42d315b7330004b9433ff8ba488d0f93f1855658a5a69

    SHA512

    b6fe635fc24c44a325c0ba2c1bd8e1d531fcaa0517e0c117cb4e7044507e93fe962f2493b530c7cc7d0fc7c5359f66ba41394acdf221079bd15549a590067e2d

  • C:\Windows\system\kRBfHhT.exe

    Filesize

    5.9MB

    MD5

    06e33224405ce8605bf64f2e679bb697

    SHA1

    72d4be68c3eb705f5abaff3b58d0bca758b46d12

    SHA256

    a14558806e1653a4915ebcfe779b804bdee45c5673b0690130e7e97abcc6a2bf

    SHA512

    c0c81f7b0758740d33e2d7bd91c6496a6a811fed21f522611d40600fe32c3cdf180cb1cd6580f9538a22caafb544aed57005b3e5d817149d6bd01bf7634d59d1

  • C:\Windows\system\kZZsRnS.exe

    Filesize

    5.9MB

    MD5

    d6bbc1dac5f9b8de213fb2904f18577d

    SHA1

    8716be35f68bd3345d151c541bc44c1aa6e949da

    SHA256

    87585fcd1e93e0a64d3e691b4696ad66d33d67167c11ba2fb112287cda34091f

    SHA512

    b92deaa70f08956114b0bd4551cf62803ffd4ed60048f74b08c235dbf3ae323ef813bf5a04c30f91c904eb2bfe628185fc64a4f82f2084852c6f309b10a12416

  • C:\Windows\system\lqOLpBZ.exe

    Filesize

    5.9MB

    MD5

    0a4f618a0440795fdea56904ce85dd6f

    SHA1

    065585ea31c07de423c82af4ed112cedd925fb3a

    SHA256

    7208ef0fb1e60cbb11e29d08c60439c2b6936a55b31eaa8f8670d91ba3e38a55

    SHA512

    23bace17201bb084f42a8b3bb9f94e54c20c9ac7be129386868fc3f3e41ce49ea20387986eddfbeb2a477763b6afe365c3702ad29dfe5951528a2023efc544e0

  • C:\Windows\system\tAmUKhK.exe

    Filesize

    5.9MB

    MD5

    d8096d49dd45b06cd973dcc01dea3643

    SHA1

    3fa6e7da62f386a2db0981bf608d999b30da0a30

    SHA256

    c6a62d760fe9a4ac3cabd7a54dbbb938a13a4a7290d3dcd8edd0cfd0c6439b39

    SHA512

    ad3d37d695b2948c59da755a757336f58974db2e92eb6a238893a0f2499c1b07b26e0d40150f025548c9be4ecd6df4e54dd287b18b1953a34ef63fc3393dcc71

  • \Windows\system\BxRIfXz.exe

    Filesize

    5.9MB

    MD5

    fa97fe678a0e25a59f94d4ebc3c02b99

    SHA1

    2da139a12e328652825511894b0cfd59f716e0f1

    SHA256

    0b229033f6689c3f50214392457142d1ca8fa7348c128114c63333b89c829543

    SHA512

    0ffef361f53ad767b87ea64095d5fa636767e0e14c627aaf7c49c63a08a57877e78cc65c3c6f947815ff0723e3f83dc74e9e3ce93cd20aecb35954fac96294cc

  • \Windows\system\CdKMVAM.exe

    Filesize

    5.9MB

    MD5

    cf7e65957db0f5c4d548f0cf1cb8f804

    SHA1

    c53ea581e25439b15c82b9b9df7744c11aae07c9

    SHA256

    3d28a380fb5a32849180541d96bfc2e34cdbb712f802b79353e4f5a19efe8578

    SHA512

    9f84376288651bdcc0bef5420b7c88608f48cb7ea21111222a980476cb7a9cf71b696344e2e5ec3e6f4ea8041a15194dcc7d370d6cf00a3ce697017914949fdf

  • \Windows\system\GPoTZwZ.exe

    Filesize

    5.9MB

    MD5

    c200ea265e277303742dd41a6ab45743

    SHA1

    c30320750b02187ccdba341b26810647a460cb92

    SHA256

    d3cce61f793417a1feefc0ddec91fea17d37c674fa1a9de28ab4d016b2e5206d

    SHA512

    dee0655b23b3e6c58b197d414876b0f39b7c802ecf32a2deed16623d398a6d88796ba76d241b25bde97824e2432a17b39e80f0d5cf559cd0ab6313e926447117

  • \Windows\system\JHWveGt.exe

    Filesize

    5.9MB

    MD5

    e6f620fb3e944a925081d7165fd05a91

    SHA1

    7532830aebb190922e065fa62982df57b7b640ed

    SHA256

    367ea63f76e4da729fcf1ca9935845aacc2615afdfa827c669db1e15f1a497a3

    SHA512

    086d2f6786212d37a21d5a27a2ca2dc3eaeb94addad4a6820a1e57cb943f6da55661ba9610d9820a8fec50c70111dbd75752ce06855c297f9647cda64a1573bd

  • \Windows\system\MjrUzNr.exe

    Filesize

    5.9MB

    MD5

    682b9184d5ee2ff0120a18e84cabb6c4

    SHA1

    f834055d1f9a71ded59136916415355931a32384

    SHA256

    d4417ca2304fe995818a37aa785b5c03b5c5d62b406f118f90e0bd953d55e4db

    SHA512

    93bcbec1cb17b7ce669eee207246044384de33373da0029fc171b6e30c26b7ed26e82b8102da99f8f282b927a12a78111b058aecf63c60a870076950156078ce

  • \Windows\system\jHgbosR.exe

    Filesize

    5.9MB

    MD5

    b3f347b285ae59e6195f4297680d9aae

    SHA1

    f300d097473437ce0d5b4d197a4f9dac50887adb

    SHA256

    c0d5855bb44f8f6c11d643feec2a78b424c060aeec8ae5136ec83f5f99748070

    SHA512

    bd54e66dc5fe3090a58c8c99ecd2327f01359c7489438e8ecabe73a9b75123abeb1d8d117c3012a02a8364d932c5177d800b6da460837c89d069e1bc7a280803

  • \Windows\system\ytCLAla.exe

    Filesize

    5.9MB

    MD5

    91eb3e93720e193024ccd31c483bd1d9

    SHA1

    09ee8b8681ac82eadad6fbe62671d234843c2c29

    SHA256

    50004630db95e032e7cbde689b026ce4350f1d74a5a4284beba352d4d6f59ba5

    SHA512

    0248c586cb686fff8f992b09c9a8c4feba6eb2313b9b4268d92fcac9ef5fdee4884928e276ba695c059de318326b19e21306c6e09e2b0bd616f23c9e64b3324b

  • memory/888-156-0x000000013F370000-0x000000013F6C4000-memory.dmp

    Filesize

    3.3MB

  • memory/888-84-0x000000013F370000-0x000000013F6C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1112-14-0x000000013FCE0000-0x0000000140034000-memory.dmp

    Filesize

    3.3MB

  • memory/1112-149-0x000000013FCE0000-0x0000000140034000-memory.dmp

    Filesize

    3.3MB

  • memory/1112-78-0x000000013FCE0000-0x0000000140034000-memory.dmp

    Filesize

    3.3MB

  • memory/1232-155-0x000000013F860000-0x000000013FBB4000-memory.dmp

    Filesize

    3.3MB

  • memory/1232-71-0x000000013F860000-0x000000013FBB4000-memory.dmp

    Filesize

    3.3MB

  • memory/1568-85-0x000000013F6E0000-0x000000013FA34000-memory.dmp

    Filesize

    3.3MB

  • memory/1568-141-0x000000013F6E0000-0x000000013FA34000-memory.dmp

    Filesize

    3.3MB

  • memory/1568-157-0x000000013F6E0000-0x000000013FA34000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-90-0x000000013F930000-0x000000013FC84000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-8-0x000000013F100000-0x000000013F454000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-70-0x000000013F860000-0x000000013FBB4000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-55-0x000000013F890000-0x000000013FBE4000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-145-0x000000013F840000-0x000000013FB94000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-63-0x000000013F340000-0x000000013F694000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-144-0x000000013F760000-0x000000013FAB4000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-0-0x000000013FEA0000-0x00000001401F4000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-142-0x000000013F930000-0x000000013FC84000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-60-0x000000013FEA0000-0x00000001401F4000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-140-0x000000013F370000-0x000000013F6C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-47-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-81-0x000000013F370000-0x000000013F6C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-34-0x000000013F5C0000-0x000000013F914000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-139-0x000000013F860000-0x000000013FBB4000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-1-0x0000000000080000-0x0000000000090000-memory.dmp

    Filesize

    64KB

  • memory/1808-27-0x000000013FAC0000-0x000000013FE14000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-111-0x000000013F840000-0x000000013FB94000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-40-0x000000013F5C0000-0x000000013F914000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-100-0x000000013F760000-0x000000013FAB4000-memory.dmp

    Filesize

    3.3MB

  • memory/1808-89-0x000000013F6E0000-0x000000013FA34000-memory.dmp

    Filesize

    3.3MB

  • memory/2160-104-0x000000013F760000-0x000000013FAB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2160-159-0x000000013F760000-0x000000013FAB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2256-9-0x000000013F100000-0x000000013F454000-memory.dmp

    Filesize

    3.3MB

  • memory/2256-146-0x000000013F100000-0x000000013F454000-memory.dmp

    Filesize

    3.3MB

  • memory/2428-56-0x000000013F890000-0x000000013FBE4000-memory.dmp

    Filesize

    3.3MB

  • memory/2428-153-0x000000013F890000-0x000000013FBE4000-memory.dmp

    Filesize

    3.3MB

  • memory/2492-158-0x000000013F930000-0x000000013FC84000-memory.dmp

    Filesize

    3.3MB

  • memory/2492-143-0x000000013F930000-0x000000013FC84000-memory.dmp

    Filesize

    3.3MB

  • memory/2492-94-0x000000013F930000-0x000000013FC84000-memory.dmp

    Filesize

    3.3MB

  • memory/2500-154-0x000000013F340000-0x000000013F694000-memory.dmp

    Filesize

    3.3MB

  • memory/2500-64-0x000000013F340000-0x000000013F694000-memory.dmp

    Filesize

    3.3MB

  • memory/2536-48-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2536-152-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2536-138-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2552-151-0x000000013F5C0000-0x000000013F914000-memory.dmp

    Filesize

    3.3MB

  • memory/2552-109-0x000000013F5C0000-0x000000013F914000-memory.dmp

    Filesize

    3.3MB

  • memory/2552-42-0x000000013F5C0000-0x000000013F914000-memory.dmp

    Filesize

    3.3MB

  • memory/2576-147-0x000000013FF00000-0x0000000140254000-memory.dmp

    Filesize

    3.3MB

  • memory/2576-26-0x000000013FF00000-0x0000000140254000-memory.dmp

    Filesize

    3.3MB

  • memory/2576-92-0x000000013FF00000-0x0000000140254000-memory.dmp

    Filesize

    3.3MB

  • memory/2580-150-0x000000013F5C0000-0x000000013F914000-memory.dmp

    Filesize

    3.3MB

  • memory/2580-35-0x000000013F5C0000-0x000000013F914000-memory.dmp

    Filesize

    3.3MB

  • memory/2640-148-0x000000013FAC0000-0x000000013FE14000-memory.dmp

    Filesize

    3.3MB

  • memory/2640-28-0x000000013FAC0000-0x000000013FE14000-memory.dmp

    Filesize

    3.3MB