Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    30/05/2024, 00:57

General

  • Target

    2024-05-30_8abf68c9d0fa2133975bca27b79b0ade_cobalt-strike_cobaltstrike.exe

  • Size

    5.2MB

  • MD5

    8abf68c9d0fa2133975bca27b79b0ade

  • SHA1

    46c536eb4f9e3d74c9612e846cdb85ebf3106c46

  • SHA256

    897001ba457ed85b85496249e81287cfdd49e002fac630ffbcec46dc3e9ab5e5

  • SHA512

    8e7ab5abcbc4c51c9c9dcf9718b8d80120a999cf96a9303b5412afde7776b1daff63bf49098b41d8effcdecce68874f3265793c34dc2114d6abe6864d1be3932

  • SSDEEP

    49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lB:RWWBibf56utgpPFotBER/mQ32lU1

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 22 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 22 IoCs
  • UPX dump on OEP (original entry point) 64 IoCs
  • XMRig Miner payload 41 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-30_8abf68c9d0fa2133975bca27b79b0ade_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-30_8abf68c9d0fa2133975bca27b79b0ade_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Windows\System\rDWHOCD.exe
      C:\Windows\System\rDWHOCD.exe
      2⤵
      • Executes dropped EXE
      PID:2636
    • C:\Windows\System\aYgbrVq.exe
      C:\Windows\System\aYgbrVq.exe
      2⤵
      • Executes dropped EXE
      PID:2896
    • C:\Windows\System\BxiYnLo.exe
      C:\Windows\System\BxiYnLo.exe
      2⤵
      • Executes dropped EXE
      PID:3068
    • C:\Windows\System\azAHkdm.exe
      C:\Windows\System\azAHkdm.exe
      2⤵
      • Executes dropped EXE
      PID:2056
    • C:\Windows\System\JalRnNw.exe
      C:\Windows\System\JalRnNw.exe
      2⤵
      • Executes dropped EXE
      PID:2488
    • C:\Windows\System\gzNpSaL.exe
      C:\Windows\System\gzNpSaL.exe
      2⤵
      • Executes dropped EXE
      PID:2588
    • C:\Windows\System\PuOqCRr.exe
      C:\Windows\System\PuOqCRr.exe
      2⤵
      • Executes dropped EXE
      PID:2492
    • C:\Windows\System\TsurtFV.exe
      C:\Windows\System\TsurtFV.exe
      2⤵
      • Executes dropped EXE
      PID:2700
    • C:\Windows\System\zTIbWKc.exe
      C:\Windows\System\zTIbWKc.exe
      2⤵
      • Executes dropped EXE
      PID:2424
    • C:\Windows\System\utIKTmv.exe
      C:\Windows\System\utIKTmv.exe
      2⤵
      • Executes dropped EXE
      PID:2372
    • C:\Windows\System\kGWVqro.exe
      C:\Windows\System\kGWVqro.exe
      2⤵
      • Executes dropped EXE
      PID:2480
    • C:\Windows\System\BFxGski.exe
      C:\Windows\System\BFxGski.exe
      2⤵
      • Executes dropped EXE
      PID:588
    • C:\Windows\System\kuGcGCR.exe
      C:\Windows\System\kuGcGCR.exe
      2⤵
      • Executes dropped EXE
      PID:1032
    • C:\Windows\System\NrLftqY.exe
      C:\Windows\System\NrLftqY.exe
      2⤵
      • Executes dropped EXE
      PID:840
    • C:\Windows\System\FLJdaPp.exe
      C:\Windows\System\FLJdaPp.exe
      2⤵
      • Executes dropped EXE
      PID:2552
    • C:\Windows\System\PAFTPMG.exe
      C:\Windows\System\PAFTPMG.exe
      2⤵
      • Executes dropped EXE
      PID:1040
    • C:\Windows\System\UVTTSTV.exe
      C:\Windows\System\UVTTSTV.exe
      2⤵
      • Executes dropped EXE
      PID:3008
    • C:\Windows\System\HfpiCOx.exe
      C:\Windows\System\HfpiCOx.exe
      2⤵
      • Executes dropped EXE
      PID:2100
    • C:\Windows\System\hECJFbE.exe
      C:\Windows\System\hECJFbE.exe
      2⤵
      • Executes dropped EXE
      PID:2084
    • C:\Windows\System\wSNkQDR.exe
      C:\Windows\System\wSNkQDR.exe
      2⤵
      • Executes dropped EXE
      PID:908
    • C:\Windows\System\LdFtdbE.exe
      C:\Windows\System\LdFtdbE.exe
      2⤵
      • Executes dropped EXE
      PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\BFxGski.exe

    Filesize

    5.2MB

    MD5

    1b4520116174fa45f8711ffdc0b97aac

    SHA1

    0baa3f282a5d43b90cb024d9dc30c4764e0e611d

    SHA256

    05ed07fc780d4be290cdc8974a01b36fd46b1ffc1567cabe7087ff4899fb6c64

    SHA512

    be0fccb2115e7d008a79a71aa18ff3bc5fa2990cc329bd75d6d310e8874e66b0a24daf02d264f93549161dcaca007a4ab462f7a5cbd386110861f6836b17c474

  • C:\Windows\system\FLJdaPp.exe

    Filesize

    5.2MB

    MD5

    47a9261cb3c81c7ff770518c0b0bc263

    SHA1

    70c4f519744e30c2ed7c30c27b82087a15d63810

    SHA256

    9b7ea7dfa5a2ad2d5c9f03f1a65c9bdd6fef2cfcaf1cdeb1ed00b4b4ffeedbbb

    SHA512

    728ff5c35e8e9a776360e81555315d8bb5ddd1128b1a2754655f23f93a43d8ad254ae5fb5a6c871dfbf4126c7f21ecd9d9e235bbd8fdd20573b98606d4dc0c6b

  • C:\Windows\system\HfpiCOx.exe

    Filesize

    5.2MB

    MD5

    532645e17977018c2bfc141f35a4ef64

    SHA1

    9cb372963ec31ef933c237006d78e8ac9614c47d

    SHA256

    30936746e424ba6876651cbc446672a639aa83eb71cded5ff74227cfec33691f

    SHA512

    8ec74cf1170c03796e6f0e5903a746f59ba19b590ff69584f50bf31a489163dfd6174c19af57d393751e24ef6baaf6a43a5a889f87bd6b41c7bb40806e249c49

  • C:\Windows\system\JalRnNw.exe

    Filesize

    5.2MB

    MD5

    daa1e37483fad854e9fa252c39a2b1be

    SHA1

    62950c378fea51beaed8d47b5bcc4dae47eb42da

    SHA256

    abf6e1010d7066e8abdedf790190bb0fd4ab97d75bc6eaeacb8ec926fc3bb092

    SHA512

    5da53fc35865154779b8bb4050683a175bdfdfc58d0d924a1820984520b13d34e4bc57f6a5248d24ff5e2ba9140cfd36758c0dcd8f208558803a394c8ba1749a

  • C:\Windows\system\LdFtdbE.exe

    Filesize

    5.2MB

    MD5

    97e9e836dcea7b4c2e116e4dc5c1e2d9

    SHA1

    7e2ca0e7c17dd5d7b33ad3850c17fa26a9226eff

    SHA256

    7183c8282a419168229eabe4e4c70bf86b701e11c4fca9d07884d5629e1ae44f

    SHA512

    9181d912320ec906c006b988923b75c91ee8cbac660ba9ec700889251f61dc9c2015704e7125c15ba866be9d394aea59087f8441a8a7cef4fc75b2be9d6e8a57

  • C:\Windows\system\PAFTPMG.exe

    Filesize

    5.2MB

    MD5

    45bca07186ad984f538c2b0f2bb68992

    SHA1

    91c67cd5444c1430d416725fa0775be786fc81a6

    SHA256

    8fc5d7e3e3d2caaf28a7c0b99753f9ad81b8fab5c812c283a0cf090d8b563fa0

    SHA512

    f1c18d597c8ad2f76d26df9c05867398821deb56e54753cb01fa1c7149aa7737a5ba18a584fb6615f17e5db9dd367502b927b479ffa50fe32ec77b45d3d5d1e1

  • C:\Windows\system\TsurtFV.exe

    Filesize

    5.2MB

    MD5

    ee98e7b048297904a835566bf511fb31

    SHA1

    8f21c54a0f137146458850c255363870e29606d5

    SHA256

    349b56dacfeae049a36a64db6ea93e2e5610ddce5f5f2196cfde2ae11a690516

    SHA512

    25dd43df655973d97b228a7048ad565f21bf86fcf578ff3e346127bff01a7d625ecc8cd20c37ba3fceaeef8fd37bad8a492f0bfd3106a5303ec5e2f794f60ef1

  • C:\Windows\system\UVTTSTV.exe

    Filesize

    5.2MB

    MD5

    017b6a3bf7a8724d4aa744416e3df5e5

    SHA1

    c30afe7d0166df842c87ff02aae5a0e99c9e7ccb

    SHA256

    219c49ccc846dc4958320c47df7fc590e5a66e73c27fddefdaeb2165b51095f9

    SHA512

    339d579ab0a00d8def5ca07fcd8868343bc05b394d668893f7d4837c67d8de1e79e1ab92d7e24abb462a439cf6a6d68509aa410877012661aee8c56440a98d3a

  • C:\Windows\system\hECJFbE.exe

    Filesize

    5.2MB

    MD5

    2d5b37e614ebfd766f15820fbea26008

    SHA1

    d10940d01e9c49a3ebb8e809e1315159d0dd12b2

    SHA256

    aa62d11775464247fb886a38f422aa5c863dd31ce0a9ebec33c072391fdce3cf

    SHA512

    e8f158e5f9b1e040cac19f73f1ad47bbde5bc97de075060dede1550f601486730e65222141c184615d650c03c67f7ae4d11e67cf91daa48256c685eed627b3bb

  • C:\Windows\system\kGWVqro.exe

    Filesize

    5.2MB

    MD5

    3f8e3cf93aa29a0c54d3161ed57ffbe5

    SHA1

    9975f4994a82ed82c22e507ebb70a6cdb37d414d

    SHA256

    5624745832d380d1c54cb27f1e806257fb1e40be3d10379bbbb847bd4534ced8

    SHA512

    ef8bbc6b6b07de56030ee0ec5ceefd065bf52738d9ffe8a33400b97730f27073ce81887f93afb9b39cd27898fb3ba6f209b0262667f6e6fe42fd9e6694efd09a

  • C:\Windows\system\utIKTmv.exe

    Filesize

    5.2MB

    MD5

    e6b288c4d297a690b6744a77dd7f1ad5

    SHA1

    5dc7b02ac5921d59f6dfd6f8c39b38d9222d29ad

    SHA256

    18221a5e00f1967b7231d7dc74eec635c67ad9984297b4a1e8d06ccaee1a798d

    SHA512

    85378282c56f2ddf77d6474535624b87160f08ed24050022b4bb419a52faaaadb8b66a9b177123c575f7e82c019a54cbce03fea00d6a201f0101dc6470992471

  • \Windows\system\BxiYnLo.exe

    Filesize

    5.2MB

    MD5

    b057a8733edca30e18fb1ed9fe295f30

    SHA1

    2a53ee87f76d1fffb2e7f1d5349bb7b03b8a3d90

    SHA256

    4e53b7006626aa3629485565b477f1794919cecca4c0ece0ee1f0065d7497f20

    SHA512

    07dff85d5d58f0562cf144c2b4fa0f566594ae0d893caf5986f695e6d9d3ca6a08b362cbc1d8d448fe89af818b5f70f3e5e2fde96cb4ee4f0092c60408f3a8a9

  • \Windows\system\FLJdaPp.exe

    Filesize

    5.2MB

    MD5

    f969c407b448be8c1d20105ff4abe855

    SHA1

    0c417553ebe246624fa3a6e2195011dffd77f0fc

    SHA256

    f3d66333057e2838b78ebeec39efa2af04fde3e9eabefc4cb8694cb9c96a517f

    SHA512

    b5740f87b40e833bb4c9429414685721da4ea88d12662905cba44f214b55cc54e41e26b93da4d1368022e802e52bd7644ec3d8623f0c4fb2e4acc68c900aaf74

  • \Windows\system\NrLftqY.exe

    Filesize

    5.2MB

    MD5

    a7d77ecb685fa27c7fc7f0e4c6bceac8

    SHA1

    35d4101d80cf39653d10a267f8f456ee61fa4d5e

    SHA256

    76a8ef8b6cf3eb1dfaad8e93c2ecd20b5edc6b6996d49efcfb084018cf2a925c

    SHA512

    5f23d35233a7662290f47fa396112890606f52c9206812065e7ae1097af039e626d3b73d21070f90b068049c56c751dc4c8fbd536120bdf20cfaae9971b0cadf

  • \Windows\system\PuOqCRr.exe

    Filesize

    5.2MB

    MD5

    972ec8a226aa6dae49e4f9b5f933f021

    SHA1

    4d8ded08c08ecc6fb2e4eda228b762f1e351fffa

    SHA256

    f2a9fa418f6269d3026cd606aca755e9c5a37fea66db695ed559abf32a6a7664

    SHA512

    e2c7dda4b37c13200495188f55a67664a1a526536846ca124313aee0c7c299ee5ce4117160ba31e2cdb0c9f94846823a9876880cab751c6dc8798f9aeebd116b

  • \Windows\system\aYgbrVq.exe

    Filesize

    5.2MB

    MD5

    b84841ec72eaabb1da666679fbf71369

    SHA1

    7aa20bf9483fa252b6d1d4f9410e0f06bfbe22b2

    SHA256

    d8ad97fa49d682dd4c93459187b7c5c29fd8eac1c313d0ec0c5a2e829c7a33d7

    SHA512

    611aa65804eb6379e6338818f167c036ad0c0596fcbe592adafcdf8273cabae168ce5c5ed531426bd417fe2bee73cceeae802ee0de488f42b85ab2add1eeb60b

  • \Windows\system\azAHkdm.exe

    Filesize

    5.2MB

    MD5

    e07cb5f8a165ad6251c4d507c7958732

    SHA1

    5724e419c63876fe33248a798cad52da8ef1d747

    SHA256

    c4e3b76b4b376e4e76c71ec4f4e65c6614f378eb44344dd5397b5926710d45d2

    SHA512

    3123602abf1daa06138c4c3b4ba109707de9be898eb996dda77d118522f454b8eb5923cc6a97d957b8a6947933eeffe1d6a8ed85ce02d394b83222bbef7d458f

  • \Windows\system\gzNpSaL.exe

    Filesize

    5.2MB

    MD5

    c14fc1928d231c4a007ef3b43c022791

    SHA1

    457135724e5f69ea82f1366d42dc639be9db0c28

    SHA256

    7da5ce0de33a2b57cf77e9f3e851b5230323df29297261fde6afc817a9f39542

    SHA512

    f63223ce0c82ae80e2d4892f8c43f46591d9ab9c12746f09889799d58dcbeb3bd675f06571b022276d39a3a2428ba926c901d3a88855f6503831105566851ab6

  • \Windows\system\kuGcGCR.exe

    Filesize

    5.2MB

    MD5

    e16623d519223ecbd1682469e235d6e1

    SHA1

    f2d1e49ad537155aba3b3943d65ba7c01a45ad30

    SHA256

    4ffcc75536aa47a6ccd117e55a171009925ce0cdfe6035735a862f570031b86e

    SHA512

    f6fd07e37ff640d1e7d05a3cdc5ad7170bc64472668bd38c769f3186d26a304c072d6eb889428ef7756a2c0e7e4c6f14cdbe198d5947ec33ff96c52abb8a3285

  • \Windows\system\rDWHOCD.exe

    Filesize

    5.2MB

    MD5

    18a1be0eebcd926d551173a32e739285

    SHA1

    9c24e4bc146ccd76a477f28899558c31b0a8fcab

    SHA256

    d0f12ceebe8fe411e0c65e752d7e91f32648cfd0372bc79f7eb31e408c59e249

    SHA512

    c242fa94db285acb9106716a6f6cf8bc869ff994311d2beb9064563546db46f37c1bef0d96d5d68aeec6b3c48266098a719d4a0a1a3dcf1639435e35d7aaf2a2

  • \Windows\system\wSNkQDR.exe

    Filesize

    5.2MB

    MD5

    ad51bd3b23b6a9d674b62f5ad2a4202c

    SHA1

    1adba0d0e6b3c81c85f3476a944666aa1b705c61

    SHA256

    3dc7b2e3a8f4a9675e5a71b9af0e009daf4e135d110b6bb37344a9063656cf02

    SHA512

    4d5adf44d428622ff15c7acc572cc5637db33e54fbc5640ad4622a8078276fba4e4386886cd11b8af71d96b9b2c74b14795278e2a2d52beb688af117c437e450

  • \Windows\system\zTIbWKc.exe

    Filesize

    5.2MB

    MD5

    d061eeb1cdc0bc46b900e4fa56751126

    SHA1

    8d3abff5725799570a81752e5aa22932a64005ef

    SHA256

    323ffc660c571decfe17c9c79f90e4fffbd16faf71262a40cc354e2d8515bdc4

    SHA512

    fb7b70c0ff3f19d2c4d0fa6ad68ca1b7ffa0fff3379ca3f6240c9220fb6e8514bb97174078d0b930f75a49f165ce1106976e7ba6aa0f0efeba1325843339572c

  • memory/588-244-0x000000013FE00000-0x0000000140151000-memory.dmp

    Filesize

    3.3MB

  • memory/588-95-0x000000013FE00000-0x0000000140151000-memory.dmp

    Filesize

    3.3MB

  • memory/840-102-0x000000013FB60000-0x000000013FEB1000-memory.dmp

    Filesize

    3.3MB

  • memory/840-254-0x000000013FB60000-0x000000013FEB1000-memory.dmp

    Filesize

    3.3MB

  • memory/840-159-0x000000013FB60000-0x000000013FEB1000-memory.dmp

    Filesize

    3.3MB

  • memory/908-165-0x000000013F4F0000-0x000000013F841000-memory.dmp

    Filesize

    3.3MB

  • memory/1032-256-0x000000013F740000-0x000000013FA91000-memory.dmp

    Filesize

    3.3MB

  • memory/1032-158-0x000000013F740000-0x000000013FA91000-memory.dmp

    Filesize

    3.3MB

  • memory/1032-101-0x000000013F740000-0x000000013FA91000-memory.dmp

    Filesize

    3.3MB

  • memory/1040-161-0x000000013FDD0000-0x0000000140121000-memory.dmp

    Filesize

    3.3MB

  • memory/2016-166-0x000000013FB60000-0x000000013FEB1000-memory.dmp

    Filesize

    3.3MB

  • memory/2056-228-0x000000013FD40000-0x0000000140091000-memory.dmp

    Filesize

    3.3MB

  • memory/2056-33-0x000000013FD40000-0x0000000140091000-memory.dmp

    Filesize

    3.3MB

  • memory/2084-164-0x000000013F6E0000-0x000000013FA31000-memory.dmp

    Filesize

    3.3MB

  • memory/2100-163-0x000000013F8E0000-0x000000013FC31000-memory.dmp

    Filesize

    3.3MB

  • memory/2372-238-0x000000013FC30000-0x000000013FF81000-memory.dmp

    Filesize

    3.3MB

  • memory/2372-155-0x000000013FC30000-0x000000013FF81000-memory.dmp

    Filesize

    3.3MB

  • memory/2372-76-0x000000013FC30000-0x000000013FF81000-memory.dmp

    Filesize

    3.3MB

  • memory/2424-71-0x000000013F8E0000-0x000000013FC31000-memory.dmp

    Filesize

    3.3MB

  • memory/2424-240-0x000000013F8E0000-0x000000013FC31000-memory.dmp

    Filesize

    3.3MB

  • memory/2424-154-0x000000013F8E0000-0x000000013FC31000-memory.dmp

    Filesize

    3.3MB

  • memory/2480-243-0x000000013F840000-0x000000013FB91000-memory.dmp

    Filesize

    3.3MB

  • memory/2480-156-0x000000013F840000-0x000000013FB91000-memory.dmp

    Filesize

    3.3MB

  • memory/2480-83-0x000000013F840000-0x000000013FB91000-memory.dmp

    Filesize

    3.3MB

  • memory/2488-100-0x000000013F2B0000-0x000000013F601000-memory.dmp

    Filesize

    3.3MB

  • memory/2488-232-0x000000013F2B0000-0x000000013F601000-memory.dmp

    Filesize

    3.3MB

  • memory/2488-39-0x000000013F2B0000-0x000000013F601000-memory.dmp

    Filesize

    3.3MB

  • memory/2492-51-0x000000013F5E0000-0x000000013F931000-memory.dmp

    Filesize

    3.3MB

  • memory/2492-142-0x000000013F5E0000-0x000000013F931000-memory.dmp

    Filesize

    3.3MB

  • memory/2492-235-0x000000013F5E0000-0x000000013F931000-memory.dmp

    Filesize

    3.3MB

  • memory/2552-160-0x000000013FF60000-0x00000001402B1000-memory.dmp

    Filesize

    3.3MB

  • memory/2588-230-0x000000013FC60000-0x000000013FFB1000-memory.dmp

    Filesize

    3.3MB

  • memory/2588-109-0x000000013FC60000-0x000000013FFB1000-memory.dmp

    Filesize

    3.3MB

  • memory/2588-42-0x000000013FC60000-0x000000013FFB1000-memory.dmp

    Filesize

    3.3MB

  • memory/2636-62-0x000000013F300000-0x000000013F651000-memory.dmp

    Filesize

    3.3MB

  • memory/2636-215-0x000000013F300000-0x000000013F651000-memory.dmp

    Filesize

    3.3MB

  • memory/2636-8-0x000000013F300000-0x000000013F651000-memory.dmp

    Filesize

    3.3MB

  • memory/2700-151-0x000000013F0D0000-0x000000013F421000-memory.dmp

    Filesize

    3.3MB

  • memory/2700-57-0x000000013F0D0000-0x000000013F421000-memory.dmp

    Filesize

    3.3MB

  • memory/2700-236-0x000000013F0D0000-0x000000013F421000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-91-0x0000000002250000-0x00000000025A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-167-0x000000013F4C0000-0x000000013F811000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-45-0x0000000002250000-0x00000000025A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-34-0x0000000002250000-0x00000000025A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-29-0x000000013FD40000-0x0000000140091000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-150-0x000000013F0D0000-0x000000013F421000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-143-0x000000013F4C0000-0x000000013F811000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-22-0x000000013FA70000-0x000000013FDC1000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-0-0x000000013F4C0000-0x000000013F811000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-56-0x000000013F0D0000-0x000000013F421000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-110-0x000000013FF60000-0x00000001402B1000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-40-0x000000013FC60000-0x000000013FFB1000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-16-0x000000013F890000-0x000000013FBE1000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-50-0x000000013F4C0000-0x000000013F811000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-189-0x0000000002250000-0x00000000025A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-190-0x000000013FE00000-0x0000000140151000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-211-0x000000013FF60000-0x00000001402B1000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-6-0x0000000002250000-0x00000000025A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-70-0x000000013FD40000-0x0000000140091000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-78-0x000000013F840000-0x000000013FB91000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-55-0x0000000002250000-0x00000000025A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-94-0x000000013FB60000-0x000000013FEB1000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-1-0x0000000000080000-0x0000000000090000-memory.dmp

    Filesize

    64KB

  • memory/2752-77-0x000000013FC30000-0x000000013FF81000-memory.dmp

    Filesize

    3.3MB

  • memory/2752-96-0x000000013FE00000-0x0000000140151000-memory.dmp

    Filesize

    3.3MB

  • memory/2896-20-0x000000013F890000-0x000000013FBE1000-memory.dmp

    Filesize

    3.3MB

  • memory/2896-224-0x000000013F890000-0x000000013FBE1000-memory.dmp

    Filesize

    3.3MB

  • memory/3008-162-0x000000013FF10000-0x0000000140261000-memory.dmp

    Filesize

    3.3MB

  • memory/3068-226-0x000000013FA70000-0x000000013FDC1000-memory.dmp

    Filesize

    3.3MB

  • memory/3068-26-0x000000013FA70000-0x000000013FDC1000-memory.dmp

    Filesize

    3.3MB

  • memory/3068-65-0x000000013FA70000-0x000000013FDC1000-memory.dmp

    Filesize

    3.3MB