Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    01-06-2024 03:06

General

  • Target

    2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    1390e76f89e60ebf02cbedbf282ad067

  • SHA1

    fbd2705fde7ff3a7a5bdb3c8555ce937bbb3a52a

  • SHA256

    00d8bb9a84840cace6185c5bffeaef6bd426057ed5cd428d4c0b9fbfe67f1003

  • SHA512

    8d02f1ab2f1371d29b3d361b4658a83558407a1fefb6b2927b22ac2506fdd570f501b56f104742126cae208277acf1e5d1c50e23546cb1cf4beb1998ad791cd4

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUT:Q+856utgpPF8u/7T

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 59 IoCs
  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 59 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-01_1390e76f89e60ebf02cbedbf282ad067_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\System\LxxIuUf.exe
      C:\Windows\System\LxxIuUf.exe
      2⤵
      • Executes dropped EXE
      PID:1632
    • C:\Windows\System\vFTjfuH.exe
      C:\Windows\System\vFTjfuH.exe
      2⤵
      • Executes dropped EXE
      PID:2740
    • C:\Windows\System\wfUdkJU.exe
      C:\Windows\System\wfUdkJU.exe
      2⤵
      • Executes dropped EXE
      PID:2124
    • C:\Windows\System\wnrVlzq.exe
      C:\Windows\System\wnrVlzq.exe
      2⤵
      • Executes dropped EXE
      PID:2712
    • C:\Windows\System\mVUoviE.exe
      C:\Windows\System\mVUoviE.exe
      2⤵
      • Executes dropped EXE
      PID:2732
    • C:\Windows\System\gPCQbMD.exe
      C:\Windows\System\gPCQbMD.exe
      2⤵
      • Executes dropped EXE
      PID:2640
    • C:\Windows\System\LnSXVCr.exe
      C:\Windows\System\LnSXVCr.exe
      2⤵
      • Executes dropped EXE
      PID:2680
    • C:\Windows\System\essdRrN.exe
      C:\Windows\System\essdRrN.exe
      2⤵
      • Executes dropped EXE
      PID:2520
    • C:\Windows\System\IZwfwNO.exe
      C:\Windows\System\IZwfwNO.exe
      2⤵
      • Executes dropped EXE
      PID:2516
    • C:\Windows\System\UMcFDEt.exe
      C:\Windows\System\UMcFDEt.exe
      2⤵
      • Executes dropped EXE
      PID:2508
    • C:\Windows\System\JKpmpDx.exe
      C:\Windows\System\JKpmpDx.exe
      2⤵
      • Executes dropped EXE
      PID:3056
    • C:\Windows\System\TtVXBOb.exe
      C:\Windows\System\TtVXBOb.exe
      2⤵
      • Executes dropped EXE
      PID:2184
    • C:\Windows\System\TAcZEzp.exe
      C:\Windows\System\TAcZEzp.exe
      2⤵
      • Executes dropped EXE
      PID:2792
    • C:\Windows\System\isNZLof.exe
      C:\Windows\System\isNZLof.exe
      2⤵
      • Executes dropped EXE
      PID:2824
    • C:\Windows\System\SfRbcsa.exe
      C:\Windows\System\SfRbcsa.exe
      2⤵
      • Executes dropped EXE
      PID:2960
    • C:\Windows\System\btAeHbR.exe
      C:\Windows\System\btAeHbR.exe
      2⤵
      • Executes dropped EXE
      PID:760
    • C:\Windows\System\LSGJrdH.exe
      C:\Windows\System\LSGJrdH.exe
      2⤵
      • Executes dropped EXE
      PID:1864
    • C:\Windows\System\vgwyGAW.exe
      C:\Windows\System\vgwyGAW.exe
      2⤵
      • Executes dropped EXE
      PID:344
    • C:\Windows\System\lLmViHT.exe
      C:\Windows\System\lLmViHT.exe
      2⤵
      • Executes dropped EXE
      PID:544
    • C:\Windows\System\VZMRYVu.exe
      C:\Windows\System\VZMRYVu.exe
      2⤵
      • Executes dropped EXE
      PID:1680
    • C:\Windows\System\BTGywOC.exe
      C:\Windows\System\BTGywOC.exe
      2⤵
      • Executes dropped EXE
      PID:624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\BTGywOC.exe

    Filesize

    5.9MB

    MD5

    8981bac019b50d40fa77ed9d72e632e3

    SHA1

    ef33c0597f35e0783793b4d7d925866caee4fa59

    SHA256

    fedb164b6eb65858a36997ad742bd5feb943418b665ff2e31d605fc29fded8c6

    SHA512

    88ab65afa519845047458f77f135b775a02f78c82522e3235c665c50a7df0c5db823ada375ece92ed581310c8d9d35c57d5070d58447f2b57a96d38af4987fe1

  • C:\Windows\system\IZwfwNO.exe

    Filesize

    5.9MB

    MD5

    431a116b95425136068081d44bb076f4

    SHA1

    69fc758f23906f48fb7f0fe846fa7d5b1104adf9

    SHA256

    b71f282b744671b190dc433e1cf9f9a6b3915e842b1c02d15b5ede7aea818349

    SHA512

    85f3c118d632f1895cf019b18f7b7a0aea3610fecc14a3f2adfd0a4a502fd521d00d233a99daa64d2884440afb355d71d60824d13f8617cf9f9d12c40457a212

  • C:\Windows\system\JKpmpDx.exe

    Filesize

    5.9MB

    MD5

    9c7d08578e1c11a7cfee47cb73ed694b

    SHA1

    81a45d4cb57749588aacfacb962c55611cfd1c53

    SHA256

    aaa690427b72164f9e5710a07d5446aa0aeb70ed113ab546e8eab4c00935fe87

    SHA512

    7e90911658091535e337185f0dc0d85013ff76ff6699c267d5e7fed261365a00d3fd015153613643787b7c5761aad777bda2ba4c0eb5e1db88fd190d5b62ca4a

  • C:\Windows\system\LSGJrdH.exe

    Filesize

    5.9MB

    MD5

    d9570b373fe74bab4ac14c6fabe32a45

    SHA1

    c9e8d5332e7bf590e921d415e7afceb033d65b62

    SHA256

    d769908cbc46f13d5d057deccdc821142cc5e680c07699092af1b0f1e9a1cb81

    SHA512

    0166773eb2a374c225b02a6494096a0674967e3b69ef7ecde6bf575c8180a86b07218b4edac9be758b9cb9b8109050ce7512c7516651d9696c5163ca643122c9

  • C:\Windows\system\LnSXVCr.exe

    Filesize

    5.9MB

    MD5

    72d7a6daf470b861a7759138b2bf51ae

    SHA1

    ed125024e172ee2eb541805d4e7267cbc19e2830

    SHA256

    2fff3f6733c6d31debd0233654b04a827b71e16061c76ce2192c31667ce5ba52

    SHA512

    4316fbd522f2cb3e88163afc1f39fbf94fc0629b4de77a7f392588e7b4dbb15619a4fc6420fd44f4fa8e30129eb6dd8f4f85ba9fb4d58a3395fe46a275579ae4

  • C:\Windows\system\LxxIuUf.exe

    Filesize

    5.9MB

    MD5

    82e5e2f6129c2d3cb1dd2e28a844528c

    SHA1

    d0299cc2517ced85bf3e594bb35e47aef6c9ef34

    SHA256

    cdeb64a71bb7c8378d4899630dc1154c026f9f0600e016065ed9c45854e85296

    SHA512

    2746fc22501cea636cebb7b3da8c7da1569b2a3a5edc2e8bc049dc0587a2c9d8fd0bc041caed78d4802bd228be6cb992bb44286c4a05149ecb75338aa71507b1

  • C:\Windows\system\SfRbcsa.exe

    Filesize

    5.9MB

    MD5

    5a10aa292e8ef8099b07422e0eef3a02

    SHA1

    254e87a82b06603bd56a15b63b0e7523e545ceaa

    SHA256

    7021b0a29a3c415344022225622109b064e9cef4da217a29b564bcadfba6e4d3

    SHA512

    11d46c4b9e9cad9bdac956438d0f9f166e0e7a7d1193b400c0382ed1b9b8d0ecca110760a1f6e425eabb8964ce7dd76d941563fb7d749c097de5efe82dd63e87

  • C:\Windows\system\TAcZEzp.exe

    Filesize

    5.9MB

    MD5

    b44f848de160ef59dc7e4ab7dc5ce3e9

    SHA1

    a318399d10f502c7636234b9ef68fff2dfc2e0f5

    SHA256

    5d22c6b151137565bd7b999e36959306b6643bf3fc1df2bb3610c5d2b01eb279

    SHA512

    65910e25d267e8375df44965580177678d361bfb6278e1862d3ddaf0048a511f597ac30214277ce06bad7c16f70f78436a2cfb18aac945c0ec92d7129260c359

  • C:\Windows\system\TtVXBOb.exe

    Filesize

    5.9MB

    MD5

    ec3cc6260f45389cc678342c1fd481d1

    SHA1

    9c63eb070356591ebaa504e3a02991098267d925

    SHA256

    3e4617be33eef58105ec0750a2efea3a25cda14723492ec8d60106bfda2502d4

    SHA512

    8e9af4df4f77794a5397ee9cf2bff030870d7cee37d98c7824a69724d94458ebc98de64875df5c5d49accce022e4b12845d9f217b05106b21216dbc4b01adcbc

  • C:\Windows\system\UMcFDEt.exe

    Filesize

    5.9MB

    MD5

    5144fcdd9dacc6d1c6016d189dd617a8

    SHA1

    796f437d6a05fb106fea7d21fcbb40413e786394

    SHA256

    e5e14f959083717548ef5b7c61601c4e353791510dac31f5ac07d66b095fb01e

    SHA512

    d9f772dd009922508438356412cb65a9be5cf12dc6c2ada4a7cfc1532f3dd4722c4d51adce93cdd1e13b975ef97881e741195e9165d5c35e091563455eb45b98

  • C:\Windows\system\VZMRYVu.exe

    Filesize

    5.9MB

    MD5

    6c2dc849dbf6e904571d84951434ad8f

    SHA1

    f06c4e89a2bd69dc5e94ec5fb4d2b1e3de36e168

    SHA256

    2789ad0b02912a1e62760ac3e992a8f8f7e7c06869bb3ab3b055756113d8e874

    SHA512

    adeabf2f21e5d2b235a519b2ec18487c25de78743d041c17a5a891d8552140d99e22028a938e2cdb42154c2a1abeedb3a45e28a012fb96725c3a0ebd357540c1

  • C:\Windows\system\btAeHbR.exe

    Filesize

    5.9MB

    MD5

    d5c68413b9a4b7a6538efce31302ae49

    SHA1

    cba45677ec976c359a163644b7749cd8c9494681

    SHA256

    d86d220752f1755ec5992f2e03f554c2076cd42c0f773c84fc68dfc9795014df

    SHA512

    bac70940d3f0853d402cfd2dbb520e9e98509de6f13846cc4c499b94ba2e346815744a2c114de3e21ea8fce93b390ae4274c63a2c5832a15f63d5f23628b3379

  • C:\Windows\system\gPCQbMD.exe

    Filesize

    5.9MB

    MD5

    9dc086d478be277e38b96fb164ab3b03

    SHA1

    035746ad1e3761b4bdb7c5939458b009dd84cdc6

    SHA256

    d7fab474b34bd09829692fc24350e19f33f7dc18653c02fee63879bf290ef540

    SHA512

    caa043cdba450aeda0e4819a6e7fd763d7ffdccba1976635997221e32f6da2130deed69a360cb57f0bec19ea5d238eeb6ac9b69229b1adc21e08b86ec8bffaee

  • C:\Windows\system\isNZLof.exe

    Filesize

    5.9MB

    MD5

    9342e07a4495bebaa790b557e323d4d1

    SHA1

    cddc99456f9b99f7caca53482ae2a354a2f144a8

    SHA256

    a794d21ebc28a551d70621dd3b702f516b9113e7fc3cd82bf58f4c82eda5c9c6

    SHA512

    f83f091bc9b56d479d8e8c1e86df9fd2cc3faa9c3401e20a5a572b0da938c4de3d35a93887952e092cd9f8105af86e1353b96e54c305e1a0b8e6a5fe1e3d1ad7

  • C:\Windows\system\lLmViHT.exe

    Filesize

    5.9MB

    MD5

    5dda2ff659193f20ef728013d10a57b6

    SHA1

    f05b8c00a61b447b26c551158eea70984fb50640

    SHA256

    141b522bd53ab7ed9be4b11175fc0500871156240a0cdc6d5584064451ccde3f

    SHA512

    37a7c947e44b050ad97de00896397260969b4b94302f8a67955ea00f926c777a491d00a7a92868b56756892fea2158b0d14985df11eff06db640f3d42d2c2851

  • C:\Windows\system\vFTjfuH.exe

    Filesize

    5.9MB

    MD5

    0db32164f1cba09b2a44c1b50880adb5

    SHA1

    9bde13ec38ee281041e94619d95dac570f0ddc87

    SHA256

    02c9d841d077094a7126b2b0a5675b623a54cec4f7972f0fae78c2f51f3ff3ce

    SHA512

    a9075ec195063549a95230d28b8bd6f97548bc081f1e66ce8ff0ba7d3270ce996e48ac1e7ebe1188ebb8da1bad307fe8ea9f9f0026ace07d79ed6c3814c27710

  • C:\Windows\system\vgwyGAW.exe

    Filesize

    5.9MB

    MD5

    1e0f800c59643e385261ee47b5781e25

    SHA1

    cf21c3a37346343f92b4cf4e6c2c0ee7e4648c13

    SHA256

    de26ee92b88cf6e097809f8e1256cd1c8cf76b22fcf3a38f597166304f84cc6a

    SHA512

    f3d6de6e46d88b9126c3b9b2d48b9154cafacf52e480185d7a1134218c93c20aeda62ebab7fb9cff749d23783991f7b143a8655266154bc2c953ee1b5efc8972

  • C:\Windows\system\wfUdkJU.exe

    Filesize

    5.9MB

    MD5

    d4c0c02bd1f95044d05abe1c2d364272

    SHA1

    d3e2b33cf6a22e007787569dfce26cf9e9a48cc2

    SHA256

    fae0f822cc2da3a0606d2ab8e18102d95f39d7809d37e802a7ab80264a61958a

    SHA512

    38de08a4f4575e7a105d8051faf68db3a1d754fd87663a01b0b044dd125aab3e59503a170c8f24b7d8fb5653c09787533117f62ce0b440ba89c2143c935fef6b

  • C:\Windows\system\wnrVlzq.exe

    Filesize

    5.9MB

    MD5

    d0fb58bc9e12c04c298715c9bddad32b

    SHA1

    3deb10cebaf09546f08e49e3dad86b9648098c75

    SHA256

    6592c2eb3f6e53426a899d46c67960d37e9e000f1fe2bf712ce0eeaba8010e98

    SHA512

    05045eaff83500f473f6f867a23e686bb2d5ba4efe5fb940175749aa114a6acfc1c1bde0d78c85832990b3b1ddad2813d0a23355c540e92e544d8fd5e7a8c0c2

  • \Windows\system\essdRrN.exe

    Filesize

    5.9MB

    MD5

    2c11b7d43c4e1eacb1868faf674660cf

    SHA1

    de5ea6436a576f2437eef059cfebea859814613e

    SHA256

    e67c0244ac9126c87d17c911c95abd2377a0dacf8f49249d0afcbf950b75ee83

    SHA512

    81843086be4952ae3701cc95df11de28f9a8a59ca25f412db388b0d8af1dd97d269bda9e10ea85ba36d3065b9e078356b14a5c7d84306d1e9e8ea91c788e1a6e

  • \Windows\system\mVUoviE.exe

    Filesize

    5.9MB

    MD5

    7614c7ac00f1b83591d7b820974780a7

    SHA1

    9d40173dabd00286dd895bec97dee0adf20d3299

    SHA256

    ee71c71e9c4252a6af21bbf3a4625376289b5f4bff0bf6ed0bfe989ee9a3ce08

    SHA512

    af347a08a2b2bd59a36a36c3e44a48f326bfc40c4bfa8555d3697ed501fa7859ac78773a6a27edc477907cf3449e8ea441aaafef06fc770bc188bae027d2a4be

  • memory/1632-9-0x000000013F330000-0x000000013F684000-memory.dmp

    Filesize

    3.3MB

  • memory/1632-147-0x000000013F330000-0x000000013F684000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-112-0x000000013FF90000-0x00000001402E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-91-0x0000000002370000-0x00000000026C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-20-0x000000013FFF0000-0x0000000140344000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-146-0x000000013FF90000-0x00000001402E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-99-0x000000013FFD0000-0x0000000140324000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-144-0x0000000002370000-0x00000000026C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-13-0x000000013FB60000-0x000000013FEB4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-43-0x000000013FCC0000-0x0000000140014000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-50-0x000000013F400000-0x000000013F754000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-0-0x00000000002F0000-0x0000000000300000-memory.dmp

    Filesize

    64KB

  • memory/1984-145-0x000000013FFD0000-0x0000000140324000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-8-0x0000000002370000-0x00000000026C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-84-0x000000013FEA0000-0x00000001401F4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-141-0x000000013FD50000-0x00000001400A4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-57-0x000000013FA40000-0x000000013FD94000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-77-0x0000000002370000-0x00000000026C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-58-0x000000013FBC0000-0x000000013FF14000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-67-0x000000013FD50000-0x00000001400A4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-1-0x000000013F400000-0x000000013F754000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-143-0x0000000002370000-0x00000000026C4000-memory.dmp

    Filesize

    3.3MB

  • memory/2124-23-0x000000013FFF0000-0x0000000140344000-memory.dmp

    Filesize

    3.3MB

  • memory/2124-148-0x000000013FFF0000-0x0000000140344000-memory.dmp

    Filesize

    3.3MB

  • memory/2184-158-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2184-85-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2508-68-0x000000013FD50000-0x00000001400A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2508-142-0x000000013FD50000-0x00000001400A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2508-156-0x000000013FD50000-0x00000001400A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2516-154-0x000000013FBC0000-0x000000013FF14000-memory.dmp

    Filesize

    3.3MB

  • memory/2516-60-0x000000013FBC0000-0x000000013FF14000-memory.dmp

    Filesize

    3.3MB

  • memory/2516-139-0x000000013FBC0000-0x000000013FF14000-memory.dmp

    Filesize

    3.3MB

  • memory/2520-62-0x000000013FA40000-0x000000013FD94000-memory.dmp

    Filesize

    3.3MB

  • memory/2520-155-0x000000013FA40000-0x000000013FD94000-memory.dmp

    Filesize

    3.3MB

  • memory/2520-140-0x000000013FA40000-0x000000013FD94000-memory.dmp

    Filesize

    3.3MB

  • memory/2640-152-0x000000013FEA0000-0x00000001401F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2640-107-0x000000013FEA0000-0x00000001401F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2640-37-0x000000013FEA0000-0x00000001401F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2680-44-0x000000013FCC0000-0x0000000140014000-memory.dmp

    Filesize

    3.3MB

  • memory/2680-108-0x000000013FCC0000-0x0000000140014000-memory.dmp

    Filesize

    3.3MB

  • memory/2680-150-0x000000013FCC0000-0x0000000140014000-memory.dmp

    Filesize

    3.3MB

  • memory/2712-36-0x000000013FDE0000-0x0000000140134000-memory.dmp

    Filesize

    3.3MB

  • memory/2712-106-0x000000013FDE0000-0x0000000140134000-memory.dmp

    Filesize

    3.3MB

  • memory/2712-153-0x000000013FDE0000-0x0000000140134000-memory.dmp

    Filesize

    3.3MB

  • memory/2732-151-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2732-33-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2732-98-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2740-149-0x000000013FB60000-0x000000013FEB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2740-15-0x000000013FB60000-0x000000013FEB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2740-66-0x000000013FB60000-0x000000013FEB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2792-92-0x000000013F330000-0x000000013F684000-memory.dmp

    Filesize

    3.3MB

  • memory/2792-159-0x000000013F330000-0x000000013F684000-memory.dmp

    Filesize

    3.3MB

  • memory/2824-100-0x000000013FFD0000-0x0000000140324000-memory.dmp

    Filesize

    3.3MB

  • memory/2824-160-0x000000013FFD0000-0x0000000140324000-memory.dmp

    Filesize

    3.3MB

  • memory/3056-78-0x000000013F510000-0x000000013F864000-memory.dmp

    Filesize

    3.3MB

  • memory/3056-157-0x000000013F510000-0x000000013F864000-memory.dmp

    Filesize

    3.3MB