Analysis

  • max time kernel
    137s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
  • submitted
    01-06-2024 03:41

General

  • Target

    2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    f00200d632c1950d7cf9e7652d1305fa

  • SHA1

    fa385e0ff00d506c7db967e491ecfaf5c88b8546

  • SHA256

    1f9909a3a2f29fbfa912809ab13d5a7caf2556e1fd53516e819947a94cbb4e25

  • SHA512

    fcaefd0dbee3b7350fcb48a9cb59fd8e5d24d04b1ee43abbc5dae0d263e8be087359ac74c50cd5132093e2637064dd2ec66b6aadb8a34277856b6e531e55626c

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUW:Q+856utgpPF8u/7W

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 52 IoCs
  • XMRig Miner payload 57 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 52 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\System\LnkPzPw.exe
      C:\Windows\System\LnkPzPw.exe
      2⤵
      • Executes dropped EXE
      PID:2392
    • C:\Windows\System\sjASYCb.exe
      C:\Windows\System\sjASYCb.exe
      2⤵
      • Executes dropped EXE
      PID:2252
    • C:\Windows\System\nqdWEBv.exe
      C:\Windows\System\nqdWEBv.exe
      2⤵
      • Executes dropped EXE
      PID:2568
    • C:\Windows\System\SpFEpLI.exe
      C:\Windows\System\SpFEpLI.exe
      2⤵
      • Executes dropped EXE
      PID:2652
    • C:\Windows\System\ndJPLgn.exe
      C:\Windows\System\ndJPLgn.exe
      2⤵
      • Executes dropped EXE
      PID:2580
    • C:\Windows\System\hrzaQqS.exe
      C:\Windows\System\hrzaQqS.exe
      2⤵
      • Executes dropped EXE
      PID:2744
    • C:\Windows\System\LgyNIwO.exe
      C:\Windows\System\LgyNIwO.exe
      2⤵
      • Executes dropped EXE
      PID:2752
    • C:\Windows\System\GsaLehY.exe
      C:\Windows\System\GsaLehY.exe
      2⤵
      • Executes dropped EXE
      PID:2444
    • C:\Windows\System\FzAOeWh.exe
      C:\Windows\System\FzAOeWh.exe
      2⤵
      • Executes dropped EXE
      PID:2516
    • C:\Windows\System\cxffbOG.exe
      C:\Windows\System\cxffbOG.exe
      2⤵
      • Executes dropped EXE
      PID:1736
    • C:\Windows\System\DeCxccn.exe
      C:\Windows\System\DeCxccn.exe
      2⤵
      • Executes dropped EXE
      PID:772
    • C:\Windows\System\pJRwQQq.exe
      C:\Windows\System\pJRwQQq.exe
      2⤵
      • Executes dropped EXE
      PID:2848
    • C:\Windows\System\jQfQtzn.exe
      C:\Windows\System\jQfQtzn.exe
      2⤵
      • Executes dropped EXE
      PID:2820
    • C:\Windows\System\xgqBBRe.exe
      C:\Windows\System\xgqBBRe.exe
      2⤵
      • Executes dropped EXE
      PID:2860
    • C:\Windows\System\ZlVmkPT.exe
      C:\Windows\System\ZlVmkPT.exe
      2⤵
      • Executes dropped EXE
      PID:2728
    • C:\Windows\System\XPsCwEl.exe
      C:\Windows\System\XPsCwEl.exe
      2⤵
      • Executes dropped EXE
      PID:2696
    • C:\Windows\System\rXJnuZg.exe
      C:\Windows\System\rXJnuZg.exe
      2⤵
      • Executes dropped EXE
      PID:2332
    • C:\Windows\System\bYzYFew.exe
      C:\Windows\System\bYzYFew.exe
      2⤵
      • Executes dropped EXE
      PID:2416
    • C:\Windows\System\xDmgDMO.exe
      C:\Windows\System\xDmgDMO.exe
      2⤵
      • Executes dropped EXE
      PID:1908
    • C:\Windows\System\AcqjjYg.exe
      C:\Windows\System\AcqjjYg.exe
      2⤵
      • Executes dropped EXE
      PID:2680
    • C:\Windows\System\oYjrtom.exe
      C:\Windows\System\oYjrtom.exe
      2⤵
      • Executes dropped EXE
      PID:2776

Downloads
