Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06-06-2024 12:32

General

  • Target

    2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    576323a61567ad3b8c8e3b2c1291ebe6

  • SHA1

    09b74863493f60b2f13f8c74df9be5fb2827959f

  • SHA256

    6f6057c04cd85dfb29863ed15cd66d2a6100f782f112725f6bada081205bf223

  • SHA512

    bac1680c2ad3b48772a16feecc3f0cb1e98919f94717d33d88b269b9d25674f1737b80c32268ff9d24800c67d89107c8e63ca78a54e8242015f298988ef74cc6

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUV:Q+856utgpPF8u/7V

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 60 IoCs
  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 61 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-06_576323a61567ad3b8c8e3b2c1291ebe6_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Windows\System\WNPfmgp.exe
      C:\Windows\System\WNPfmgp.exe
      2⤵
      • Executes dropped EXE
      PID:2228
    • C:\Windows\System\BsVBgbg.exe
      C:\Windows\System\BsVBgbg.exe
      2⤵
      • Executes dropped EXE
      PID:2236
    • C:\Windows\System\NhQlQDM.exe
      C:\Windows\System\NhQlQDM.exe
      2⤵
      • Executes dropped EXE
      PID:2824
    • C:\Windows\System\fQwrjUV.exe
      C:\Windows\System\fQwrjUV.exe
      2⤵
      • Executes dropped EXE
      PID:1704
    • C:\Windows\System\tEkHrYg.exe
      C:\Windows\System\tEkHrYg.exe
      2⤵
      • Executes dropped EXE
      PID:1744
    • C:\Windows\System\uUqupNF.exe
      C:\Windows\System\uUqupNF.exe
      2⤵
      • Executes dropped EXE
      PID:3000
    • C:\Windows\System\bKnIcIL.exe
      C:\Windows\System\bKnIcIL.exe
      2⤵
      • Executes dropped EXE
      PID:2908
    • C:\Windows\System\oCvrJZR.exe
      C:\Windows\System\oCvrJZR.exe
      2⤵
      • Executes dropped EXE
      PID:2508
    • C:\Windows\System\NnXnYLN.exe
      C:\Windows\System\NnXnYLN.exe
      2⤵
      • Executes dropped EXE
      PID:2644
    • C:\Windows\System\FQwoNMK.exe
      C:\Windows\System\FQwoNMK.exe
      2⤵
      • Executes dropped EXE
      PID:2636
    • C:\Windows\System\MEYimLq.exe
      C:\Windows\System\MEYimLq.exe
      2⤵
      • Executes dropped EXE
      PID:2540
    • C:\Windows\System\cIExyMK.exe
      C:\Windows\System\cIExyMK.exe
      2⤵
      • Executes dropped EXE
      PID:2480
    • C:\Windows\System\vfapkHh.exe
      C:\Windows\System\vfapkHh.exe
      2⤵
      • Executes dropped EXE
      PID:2376
    • C:\Windows\System\TsmUOCw.exe
      C:\Windows\System\TsmUOCw.exe
      2⤵
      • Executes dropped EXE
      PID:2848
    • C:\Windows\System\ynFooWL.exe
      C:\Windows\System\ynFooWL.exe
      2⤵
      • Executes dropped EXE
      PID:2864
    • C:\Windows\System\qkruryb.exe
      C:\Windows\System\qkruryb.exe
      2⤵
      • Executes dropped EXE
      PID:2356
    • C:\Windows\System\NauGehs.exe
      C:\Windows\System\NauGehs.exe
      2⤵
      • Executes dropped EXE
      PID:2080
    • C:\Windows\System\bObNrGU.exe
      C:\Windows\System\bObNrGU.exe
      2⤵
      • Executes dropped EXE
      PID:1112
    • C:\Windows\System\XnGOrxn.exe
      C:\Windows\System\XnGOrxn.exe
      2⤵
      • Executes dropped EXE
      PID:1292
    • C:\Windows\System\AsswDPL.exe
      C:\Windows\System\AsswDPL.exe
      2⤵
      • Executes dropped EXE
      PID:2180
    • C:\Windows\System\nooleCK.exe
      C:\Windows\System\nooleCK.exe
      2⤵
      • Executes dropped EXE
      PID:2168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\AsswDPL.exe

    Filesize

    5.9MB

    MD5

    0609fab9c695eb18e501461fcdd7fd5b

    SHA1

    c4432e2288496c803cf1974e7226b4a7f1878a62

    SHA256

    64efbb391992c4cad0ce8ff3b969d83fb90bda9d127e19f4929ec7e9a6a13a36

    SHA512

    6dab5fd426e6f6914d8ff9c817b4e98a347b9fcc286371aa4b295968509f1f489601c76b5f211d024d93be3da098bf42931d9d8f7154aa6dfb2963b86457e31c

  • C:\Windows\system\FQwoNMK.exe

    Filesize

    5.9MB

    MD5

    6e00893f49a13d3ca604073671c04f6a

    SHA1

    941d19b5a5824260b4ebdc4085c87c9900655f5c

    SHA256

    23a9378ffe9de4a1349c1ae9426bb2bfda57fe9a9ebb65e20e8faf83a0d347ac

    SHA512

    dc088b8d0254a01ab4c3febf8e9edb3ecba57758767059a821d15bd5aba086a0ce5bbdb5f0ff6624e5a41f324516f5b43d6cbcc279b2fff89151b011ce3b530c

  • C:\Windows\system\MEYimLq.exe

    Filesize

    5.9MB

    MD5

    c127e49e2c95bb5a192e0942639914e3

    SHA1

    c85315b5dc672bfb1b57079832957303bca93408

    SHA256

    f99a4599b6d16ce2ad48787d3f77e2676226e13a408f75617ce7168dd308ee7c

    SHA512

    0070b7eb0393d338c9b81ad7db672a8be507c63bd0b78d184196e82e1e36983ae52543f04b4aa0ede6124cdd38387f00a250461a1ab317e97c14b6b0baeea8c4

  • C:\Windows\system\NhQlQDM.exe

    Filesize

    5.9MB

    MD5

    328a92ba49457b65ef0bb14872325016

    SHA1

    c0b80f3c243d95a328c90ebc716b486599fbe9ec

    SHA256

    9fe79c4a391cc0c9c2ef4c2607c08c1c2abad986ded942007933468ba605418f

    SHA512

    bda0311d4d09b84b34a5cc70ec542a7a4cae9025c4a0e0d4156449e06dc15df73c61c6e295efcbd576125d48f56182be033953b5115d8f75b6d5932e830d2ed5

  • C:\Windows\system\XnGOrxn.exe

    Filesize

    5.9MB

    MD5

    cb042f2fbb042e25d4c462a318bbc00f

    SHA1

    403694ee324a1577a05973bc2b5a79c27b24b7f0

    SHA256

    237ecc918d5bf4726e7ee6f1c5928d2d7d0f24b0a651e84e8e70ac661fb0409d

    SHA512

    c26bcd051a70755aaa3ef5bdd4ed46c8823718a420ca71dca91b416653f8a8c15668289c6099aeed556546621376ee4615dd8b6c33377902334ce94623ec7569

  • C:\Windows\system\bObNrGU.exe

    Filesize

    5.9MB

    MD5

    f0b29fdf636876b882108cd662c12019

    SHA1

    c91c739380772a30c94816387a4e27834678c9b3

    SHA256

    1c939acc3e46560a689d1a15e5ecb43ab330d96cdaabd51a8310d089b8ea4357

    SHA512

    d711939384cdba94a7303247505875607d787782e288ea5030f375418171de9a7f69223f00f374321a84f0bce4e3116c1ec4c0a65d73beba033962988db94e70

  • C:\Windows\system\cIExyMK.exe

    Filesize

    5.9MB

    MD5

    fd37c645b8712e0b77d1b45ed0ffa396

    SHA1

    9ebdb304922adad9586fc2f62b234b3a858325e5

    SHA256

    de1c6734590022d9a6cfbc6586f1af38e29bccf5530f3945fd70b21137f54628

    SHA512

    c93a1c64170ed474a5d0383b48fd625943056e9a5a0a8972bf926b913960ab05755cf0b0517d43b19712cdb32d7f5678c7ad33630245072b8e0ba458428902f3

  • C:\Windows\system\fQwrjUV.exe

    Filesize

    5.9MB

    MD5

    45f822d6ec91d3553fb9400d446d0d38

    SHA1

    e629229565e0fe80c2c5144993fa13dcaf097d2c

    SHA256

    b3ec9c86e357e0c45c989134a25e2ec0a89e036b2a3a88b1a327da0d9ef8c8a7

    SHA512

    192b41b3c26ea2e401efee1954c2c715edb6acfa6e4171d61a4a22a219d7b5c28e3b969ff7ea36b966ea35a7f6a95feb6f8be294ea4c282a0d827c55ddc879d9

  • C:\Windows\system\uUqupNF.exe

    Filesize

    5.9MB

    MD5

    4072b2722dbdbe570270bfeadb687843

    SHA1

    c9d3e5200ff09561d70b384ae8af814790661da1

    SHA256

    5c9931db5fdf67dcd4eb9894387f63d28853cb868e10d778b260d356d59f09fe

    SHA512

    94140072e8cc88f4e0def3be8c652529856dedaaa5b82f202d0b8ba932cc45f9426014b59caff2099ffc33aa5496f1a787dd5960d8f957e9a0f848cc88c2138e

  • C:\Windows\system\ynFooWL.exe

    Filesize

    5.9MB

    MD5

    9c59a74c603aaffaa840242242d0a8b9

    SHA1

    765dd9571bc6d2dda9c276e651182745fdf2dd01

    SHA256

    1ec3ae2f2dde71128b5951b47b7f14c2b24e2de56756af6e93b301d550625120

    SHA512

    bc4984c7bbcaa7ffa1088055a4ac56afe2e90c767795896a7462d0b048c466e277b780f5ebed5d9f603326d1db3fb4738826d62d6ae8e0897c8309b38ffb7517

  • \Windows\system\BsVBgbg.exe

    Filesize

    5.9MB

    MD5

    9b40f6a112b19fbb6f704f1c53e90131

    SHA1

    a614a8fc93f63ee5da20b23bbda9791fb8cc6163

    SHA256

    bfbdb0a042283833be5ec1b0b2719a25b563e010647da8cdf55dbff13b62df1d

    SHA512

    dc255a65fb43adbfe0e5b179f8e71d01d70ef848212450e5076c8485946dc2e28da51d3b8d435d069e69fc21930c5f9c17bb5a85388935b1d578401177163545

  • \Windows\system\NauGehs.exe

    Filesize

    5.9MB

    MD5

    0d123aab921caaaa6a6e0d6d55810a2b

    SHA1

    ba2122b0818af4ad8803ea3e2e60fff90d85b966

    SHA256

    c227093c69de2a053decbd8d32f8884f58f2cbb12b2d09c83fd806f411f6b55b

    SHA512

    59f360180b95c3b0a7a3a74ef1d568c05d00814fcccdae8ca1aa0f65c82db8180a8194be17ea9925568b99c8ca9cb572b7cc8a25a047d4e750366717a4d53cec

  • \Windows\system\NnXnYLN.exe

    Filesize

    5.9MB

    MD5

    eb16ca9547e0ffd436dd572f93ef0b23

    SHA1

    c350ebd05aad6bffcf7c4f8a8160070eaacb26a2

    SHA256

    627b5ae722eef39f3b1990a0dc02d971a63918fa58534012b55eede8981a5a6e

    SHA512

    e2ec5fdf7c1af81f6882d115e95a6ed02d02453d0ba1a646f16fdead3725bb405bddd7b6506ccd0d4b5a0be3a01fb867b1c56e72a30335f108d7cd1a2c01529c

  • \Windows\system\TsmUOCw.exe

    Filesize

    5.9MB

    MD5

    8764008bc634101d27d021a827c56ffd

    SHA1

    4b323694d65a01b91bb698aa00b3a078049295e6

    SHA256

    eb5c0e258558c7ae680bf6939486dc680168a05bc059ce2025ffbae323666a95

    SHA512

    a6165d832a1f6d848195a5b71273da80499dce33c655d40a1259d2bc7217da6278cf55c8dc45e6ef9c714778bf17e517af39e8dad3030e5bbea2231ab6f918ba

  • \Windows\system\WNPfmgp.exe

    Filesize

    5.9MB

    MD5

    d92fa9bcbaedcbfded5783fc4bdfbc2e

    SHA1

    05ef28d4c60e81ceaf4d131e20272b9cc25420c9

    SHA256

    bb6fa71e0c2e3ce539682c212d960bb541199b86fde22b486e234f6dee6935e6

    SHA512

    68e472c4a1d6d878bd7ff3ddf1edf7570ef639120c26248b381664d3b4b5f67b6fcb2d701c9dd00346138ae180e579bb3eaf01331e4511d7cddb89bc7466268c

  • \Windows\system\bKnIcIL.exe

    Filesize

    5.9MB

    MD5

    9ce0cf392d9b20526655f5f46ab32a6c

    SHA1

    717b7192a7032c96e276074d7d046567d03113fe

    SHA256

    022b2ccd27d0277e101f9124e4378fe691998eb42acfd0bb808d88e78b7ada44

    SHA512

    7efdd1649d23539b37c07065a5c084466ad0351ead2dbff205b3496dee871fea09c0389156757a2c4b78946ea54f3d67035567266cc371838081de61d2b849cd

  • \Windows\system\nooleCK.exe

    Filesize

    5.9MB

    MD5

    6859c00ce6523af6efb69de2f42d30a9

    SHA1

    a3e61a3d3692889c44ebe4b524e1351d375ada33

    SHA256

    4aa2f50fdad802530876abf60c56eb0ec844f09106c25b6c1dc0a6a38d558ac5

    SHA512

    8f21986ba3b865bc5420b944f666788760af1ce1f7b241af06758c36fb871a0d042920a1bd4610c73e76347f1096059389631256362725a402b420c87f150ac3

  • \Windows\system\oCvrJZR.exe

    Filesize

    5.9MB

    MD5

    fd9a69cc7a173ad45c07375c985e1312

    SHA1

    aa31a8335edccad3bfcb51e7b590561c8205c6a4

    SHA256

    c52459493704014669ecd7c0b0ba143ec4b845032f26d1a5420f90a16d55f29c

    SHA512

    1a280e06dce28cb814a222af10b0be35dff56fc51af7a47c3d980febe41bcf1085fa63c0a9e24ce617937ea2a1401fcafde426d9a54a00d33570a296a42a8df2

  • \Windows\system\qkruryb.exe

    Filesize

    5.9MB

    MD5

    8ff5f30cf3e9b62cccab561f5d931683

    SHA1

    998673c496a4bbb1f6addf55e1f226b8a8bf78f1

    SHA256

    95fcbf4fee3259603f8876f55f424d89c8db514f5ac6aa76efc96ef1244a1954

    SHA512

    964716b8549c90299951473cbc54b7f2e418072a392df54aa978c65e4626b0a8dac1e5388d4018a77b1ee5ed70fc528bc787db5a741e4d9acba147ca3b15a73d

  • \Windows\system\tEkHrYg.exe

    Filesize

    5.9MB

    MD5

    114f59a9f1b9eadc83d66f62fa57813b

    SHA1

    54aa2e1f2fac300a619fc32fe3d8692c081fa867

    SHA256

    60f53ed3d77bbb33e25c08f1eea6808e543e1ce1fb4edb87b99541b72fac9b0d

    SHA512

    05ae925bed4979f9b69ac483c47ce41fe462f2f84782cc3c3672db880340530a8c0a45a03c3bac8e6027604ccb3ee673b810bda8004120db8504b6b99f08733e

  • \Windows\system\vfapkHh.exe

    Filesize

    5.9MB

    MD5

    5ac8ef9a4bde56328bd60c6b7ad817b8

    SHA1

    89928c568f378ac9ade10289d8342924ff8031cc

    SHA256

    a52fde297510c91312b431257918f98af451c6760e286497d55cc2fd81292a06

    SHA512

    579bb04deef102434dcd2e70800b3a1dded8631fc40d8d7b519f5f8537170ef4ccddaacec3a90342bdc2639c5756dffa6834015b92e92450b4b66a106129a67f

  • memory/1152-121-0x0000000002340000-0x0000000002694000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-86-0x0000000002340000-0x0000000002694000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-57-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-52-0x000000013F9E0000-0x000000013FD34000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-47-0x000000013F410000-0x000000013F764000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-96-0x0000000002340000-0x0000000002694000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-147-0x0000000002340000-0x0000000002694000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-69-0x000000013FE10000-0x0000000140164000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-38-0x0000000002340000-0x0000000002694000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-145-0x0000000002340000-0x0000000002694000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-144-0x000000013F850000-0x000000013FBA4000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-20-0x0000000002340000-0x0000000002694000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-1-0x0000000000180000-0x0000000000190000-memory.dmp

    Filesize

    64KB

  • memory/1152-0-0x000000013F410000-0x000000013F764000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-125-0x000000013F9E0000-0x000000013FD34000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-13-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-93-0x0000000002340000-0x0000000002694000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-76-0x000000013F850000-0x000000013FBA4000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-26-0x0000000002340000-0x0000000002694000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-123-0x000000013FE90000-0x00000001401E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1152-78-0x000000013FF60000-0x00000001402B4000-memory.dmp

    Filesize

    3.3MB

  • memory/1704-92-0x000000013F5F0000-0x000000013F944000-memory.dmp

    Filesize

    3.3MB

  • memory/1704-27-0x000000013F5F0000-0x000000013F944000-memory.dmp

    Filesize

    3.3MB

  • memory/1704-150-0x000000013F5F0000-0x000000013F944000-memory.dmp

    Filesize

    3.3MB

  • memory/1744-37-0x000000013F790000-0x000000013FAE4000-memory.dmp

    Filesize

    3.3MB

  • memory/1744-153-0x000000013F790000-0x000000013FAE4000-memory.dmp

    Filesize

    3.3MB

  • memory/1744-98-0x000000013F790000-0x000000013FAE4000-memory.dmp

    Filesize

    3.3MB

  • memory/2228-55-0x000000013FDF0000-0x0000000140144000-memory.dmp

    Filesize

    3.3MB

  • memory/2228-148-0x000000013FDF0000-0x0000000140144000-memory.dmp

    Filesize

    3.3MB

  • memory/2228-7-0x000000013FDF0000-0x0000000140144000-memory.dmp

    Filesize

    3.3MB

  • memory/2236-80-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

    Filesize

    3.3MB

  • memory/2236-149-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

    Filesize

    3.3MB

  • memory/2236-15-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

    Filesize

    3.3MB

  • memory/2376-146-0x000000013F630000-0x000000013F984000-memory.dmp

    Filesize

    3.3MB

  • memory/2376-160-0x000000013F630000-0x000000013F984000-memory.dmp

    Filesize

    3.3MB

  • memory/2376-95-0x000000013F630000-0x000000013F984000-memory.dmp

    Filesize

    3.3MB

  • memory/2480-87-0x000000013F3D0000-0x000000013F724000-memory.dmp

    Filesize

    3.3MB

  • memory/2480-159-0x000000013F3D0000-0x000000013F724000-memory.dmp

    Filesize

    3.3MB

  • memory/2508-68-0x000000013F9E0000-0x000000013FD34000-memory.dmp

    Filesize

    3.3MB

  • memory/2508-154-0x000000013F9E0000-0x000000013FD34000-memory.dmp

    Filesize

    3.3MB

  • memory/2540-83-0x000000013FF60000-0x00000001402B4000-memory.dmp

    Filesize

    3.3MB

  • memory/2540-158-0x000000013FF60000-0x00000001402B4000-memory.dmp

    Filesize

    3.3MB

  • memory/2636-156-0x000000013FE10000-0x0000000140164000-memory.dmp

    Filesize

    3.3MB

  • memory/2636-73-0x000000013FE10000-0x0000000140164000-memory.dmp

    Filesize

    3.3MB

  • memory/2644-77-0x000000013F850000-0x000000013FBA4000-memory.dmp

    Filesize

    3.3MB

  • memory/2644-157-0x000000013F850000-0x000000013FBA4000-memory.dmp

    Filesize

    3.3MB

  • memory/2824-21-0x000000013F2B0000-0x000000013F604000-memory.dmp

    Filesize

    3.3MB

  • memory/2824-88-0x000000013F2B0000-0x000000013F604000-memory.dmp

    Filesize

    3.3MB

  • memory/2824-151-0x000000013F2B0000-0x000000013F604000-memory.dmp

    Filesize

    3.3MB

  • memory/2848-124-0x000000013FE90000-0x00000001401E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2848-161-0x000000013FE90000-0x00000001401E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2908-155-0x000000013F5F0000-0x000000013F944000-memory.dmp

    Filesize

    3.3MB

  • memory/2908-49-0x000000013F5F0000-0x000000013F944000-memory.dmp

    Filesize

    3.3MB

  • memory/2908-115-0x000000013F5F0000-0x000000013F944000-memory.dmp

    Filesize

    3.3MB

  • memory/3000-152-0x000000013F500000-0x000000013F854000-memory.dmp

    Filesize

    3.3MB

  • memory/3000-39-0x000000013F500000-0x000000013F854000-memory.dmp

    Filesize

    3.3MB

  • memory/3000-102-0x000000013F500000-0x000000013F854000-memory.dmp

    Filesize

    3.3MB