Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    08-06-2024 09:23

General

  • Target

    2024-06-08_44232025fe1cf7b1133884013145f509_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    44232025fe1cf7b1133884013145f509

  • SHA1

    0738ca723031ceadf12c033df728074b85015cd1

  • SHA256

    f30a992b2dfd53e2b8283141dd6948853bace5acaa6fad73a563aed6c4f88fd4

  • SHA512

    dad9b4909777807fddd7d20cb8b6af5841689c78e7fcf9bd0316e459dfb49323c02afbe5a1f0fe2dfbb17c6146900779d2503d99c7f2c76685b7209d671e62e1

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUt:Q+856utgpPF8u/7t

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 58 IoCs
  • XMRig Miner payload 61 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 58 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-08_44232025fe1cf7b1133884013145f509_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-08_44232025fe1cf7b1133884013145f509_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Windows\System\FFzMrIx.exe
      C:\Windows\System\FFzMrIx.exe
      2⤵
      • Executes dropped EXE
      PID:1936
    • C:\Windows\System\tAjBhEW.exe
      C:\Windows\System\tAjBhEW.exe
      2⤵
      • Executes dropped EXE
      PID:2152
    • C:\Windows\System\DffThYN.exe
      C:\Windows\System\DffThYN.exe
      2⤵
      • Executes dropped EXE
      PID:2584
    • C:\Windows\System\eJVFrKx.exe
      C:\Windows\System\eJVFrKx.exe
      2⤵
      • Executes dropped EXE
      PID:2632
    • C:\Windows\System\GwTnymd.exe
      C:\Windows\System\GwTnymd.exe
      2⤵
      • Executes dropped EXE
      PID:2712
    • C:\Windows\System\kYbTNks.exe
      C:\Windows\System\kYbTNks.exe
      2⤵
      • Executes dropped EXE
      PID:2776
    • C:\Windows\System\zKyrkmV.exe
      C:\Windows\System\zKyrkmV.exe
      2⤵
      • Executes dropped EXE
      PID:2680
    • C:\Windows\System\fMnXMLA.exe
      C:\Windows\System\fMnXMLA.exe
      2⤵
      • Executes dropped EXE
      PID:2836
    • C:\Windows\System\bZomZVC.exe
      C:\Windows\System\bZomZVC.exe
      2⤵
      • Executes dropped EXE
      PID:2624
    • C:\Windows\System\UwMgqTI.exe
      C:\Windows\System\UwMgqTI.exe
      2⤵
      • Executes dropped EXE
      PID:2504
    • C:\Windows\System\UYiVmDc.exe
      C:\Windows\System\UYiVmDc.exe
      2⤵
      • Executes dropped EXE
      PID:2192
    • C:\Windows\System\HRTWnde.exe
      C:\Windows\System\HRTWnde.exe
      2⤵
      • Executes dropped EXE
      PID:2988
    • C:\Windows\System\JfUjjzr.exe
      C:\Windows\System\JfUjjzr.exe
      2⤵
      • Executes dropped EXE
      PID:2756
    • C:\Windows\System\imcgoWi.exe
      C:\Windows\System\imcgoWi.exe
      2⤵
      • Executes dropped EXE
      PID:2808
    • C:\Windows\System\lbPFAiC.exe
      C:\Windows\System\lbPFAiC.exe
      2⤵
      • Executes dropped EXE
      PID:2928
    • C:\Windows\System\KjoTmaY.exe
      C:\Windows\System\KjoTmaY.exe
      2⤵
      • Executes dropped EXE
      PID:1504
    • C:\Windows\System\iybKgZg.exe
      C:\Windows\System\iybKgZg.exe
      2⤵
      • Executes dropped EXE
      PID:2372
    • C:\Windows\System\JyUrpSg.exe
      C:\Windows\System\JyUrpSg.exe
      2⤵
      • Executes dropped EXE
      PID:372
    • C:\Windows\System\HyNCNPP.exe
      C:\Windows\System\HyNCNPP.exe
      2⤵
      • Executes dropped EXE
      PID:2400
    • C:\Windows\System\uzMFuFU.exe
      C:\Windows\System\uzMFuFU.exe
      2⤵
      • Executes dropped EXE
      PID:464
    • C:\Windows\System\NQAkhAM.exe
      C:\Windows\System\NQAkhAM.exe
      2⤵
      • Executes dropped EXE
      PID:888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\DffThYN.exe

    Filesize

    5.9MB

    MD5

    2d19173a663cd568a192f6ae8c127ef7

    SHA1

    12c38a62ae0e9c2c0697887ff39f2b27a006deca

    SHA256

    409258380f7cff40b4bc7d793c24e02b45526f5ca6fdc17937a527f9e0e5e1e2

    SHA512

    742c79edff0a877da630bf43452c90f48bc0f58caf663db0b46b306363676c64e16db60ba27c100f8bdcbfae065ec64f8a7ad6065e26c44a78820fd133fce83a

  • C:\Windows\system\FFzMrIx.exe

    Filesize

    5.9MB

    MD5

    c0eaf59e0768e50406a8c847ac06e9ab

    SHA1

    7f444f3f8121d6191ef06b530397b546d6ee584a

    SHA256

    4b8e990a33f816dc75292f139d08f78c7af3c8783471ae5f5ec8b8940747ca73

    SHA512

    bc2f43482cd156cea4a1c8c86d51970155a670211cbde8459c3d7531703623495001e92f612f9ca9b3898ed83439044574db93fb365c561493360daaaaa805c8

  • C:\Windows\system\GwTnymd.exe

    Filesize

    5.9MB

    MD5

    6d0ca8f274113e124ab721c313ad5460

    SHA1

    df92becbe918c826c48c0fde3f0f1ea517999b0f

    SHA256

    6bf920929a8e3563b099090969e015508f9273f6fd3a51da407eabbbc577f310

    SHA512

    e3ca084a1685b071272e5ab07de7325a9d0ec4fc6dff193767a32f52fa0696b18fe955155dc2df7ea3d9431e59d06867a9502e90a04f9d7ceedb4c22bd5cf66b

  • C:\Windows\system\HRTWnde.exe

    Filesize

    5.9MB

    MD5

    0277b5ee4824705c1324e81f67ffedf6

    SHA1

    4a6faeafea979263452a301d2c76fef7ba599053

    SHA256

    a78d9493c80048c3e5c47b0454c9d9d4b5a54e5e37a01d5325a8b467213a230d

    SHA512

    cb959b92ec98c2de8e53be815ce0dd3f60ffb24e97af9589b501a1f0a962dc2cd1ec5991d13fba93c33a145a1394c9d0fddbe7169de5c3eb6fd34dbd8495c98f

  • C:\Windows\system\HyNCNPP.exe

    Filesize

    5.9MB

    MD5

    d97113c312dc45e47163a5bc6af2a2db

    SHA1

    99563b14cc61b25c6bb421df08ba493b1c664c28

    SHA256

    23f2926260d67d6edd4d67915d1618fb0cb37349f7feacef7244cfc5005ff910

    SHA512

    4aed344debd1dba00c86caa7cd2a3c771ebb0c5f80f53e9b7852617182b08c985f47232879cc2be853a63141ac93ccbf6e3310cc2a5c78f865d4bd83f57f7d43

  • C:\Windows\system\JfUjjzr.exe

    Filesize

    5.9MB

    MD5

    4651a43eb1eb9380bac1418baa01678d

    SHA1

    af5a02d85ecf2cea5d9cf2d2e7377658fb821069

    SHA256

    f21ff1476f39cae0ff4e5ef70a10d582224a08a1a7f5c24079d6061db8224cf7

    SHA512

    232c50526c02e132ca61aa01af5d82b3f4d59bbbd356213a048d237a85c97c6915ce45426041d6a1cc279988cba6b169aaf4cad998dad6033263fc3db5ee7522

  • C:\Windows\system\JyUrpSg.exe

    Filesize

    5.9MB

    MD5

    74df90baa3281959efb7f229b1d98df5

    SHA1

    15a299c26ad11f8125953a55fc6ff5d9a3177309

    SHA256

    59e8997561f822e502f5960d45c13ce36eaacbe0030fc2574b3fcbffcd554e06

    SHA512

    f1c3ab10e9f91767560711f53ef14b74bfa643cdcb0b2b004607099471befcebf57958cb17082b255ba82115b0078fcbcb065b86d1cb77334b6e4443dc1c54cd

  • C:\Windows\system\KjoTmaY.exe

    Filesize

    5.9MB

    MD5

    ccd445465e31404dd634e231e4d772b2

    SHA1

    87c34a1e2e4e735ed170ac6cac38cc199b129229

    SHA256

    98a36ab6852d7f6309bdd5d1b65a7b9cbebf47bffa60043c7677815facdf967f

    SHA512

    61073b0f76234e9d117ab98bd3a9a2de034dd5949ac0c86e7e1d64635dbee6db239f38870f0ee3fa1580cdaafdee406f5081f99b3889db2734a2d1b131c6f909

  • C:\Windows\system\NQAkhAM.exe

    Filesize

    5.9MB

    MD5

    4144caf6ae823072b2c3406ff9f8d402

    SHA1

    4390d7bbd7b923e95705ef4df1c5220f39f968ce

    SHA256

    3dbfa13c619f6be6be124f0079f9edc5be235c2d64c4058f8b7d65dba09580b7

    SHA512

    0cc8c9f12849ea0aca56bc5243bf045ab4839173ea222755ffc9fba733248105bf647b12fd597d9cf7c3b0aa544f7394cb53680c99cf861c32ea3fa15947e9a4

  • C:\Windows\system\UYiVmDc.exe

    Filesize

    5.9MB

    MD5

    b4ec5771973072c0803c38a82f98fe5e

    SHA1

    a9fbe9934f07b517419356b3dc8c84f2b20ff6ae

    SHA256

    6bce01db8b365501622e07a6a585bf69ea474fbc4445bfebff6511d7339a7acd

    SHA512

    855f30f2cf19477d7f0dcc8fd8201f66fc76c6bf97e84285546ee2ed8f648a9693cb8b5c39cbf8611df7e45845acd1609bd57a0543dce29aa360caa89846b14a

  • C:\Windows\system\UwMgqTI.exe

    Filesize

    5.9MB

    MD5

    e47ec0e0becb6b6a64754282ea7171ab

    SHA1

    a9beaa2b5769c11714795a3d2a459dd38ec41ec0

    SHA256

    2e15b0ddcc39bf3d5cca90918c75e65e9e2f59f427b0b70f69a3365eb9c74eb6

    SHA512

    503d53650fcc900b9ce30a986e139d34e420d2eeedd673c97ba47ab637da8806fc4fca412f85a73c0ea38635e7575000061146cca4f02fc8e9d250e4bde227da

  • C:\Windows\system\bZomZVC.exe

    Filesize

    5.9MB

    MD5

    333e7b59a3c080899c25642bbeca5dec

    SHA1

    b3d7ad59cddcdda23df1bb05c0a98fe41d93698f

    SHA256

    278416471684c414c6199e6b52bd165ed2e38c9ea9ce70ad867399d8c65f252f

    SHA512

    452583f01e9b95f25c38388f40f8dd49526ac2a112f1212d01c9eadd0eba3e52ce1f4846785a003471709cbf4e9b80a29ca2a943143d686ee16a06a2d787b63f

  • C:\Windows\system\eJVFrKx.exe

    Filesize

    5.9MB

    MD5

    a5070c5ea9718a2f6e768845ad48a760

    SHA1

    c0d0fd76628d30eb543e20f16b3e048c9d5f19ca

    SHA256

    021fc64d3794c27d57f30e2ecde52b23d55448e8e8774912698cf82a24dda911

    SHA512

    817971aeda75a1b26655ca8bf7b2948a2d375acb2a3499932e4cdfb8d1bde553bf428201d4d84a7d816fe96faea73cf77233f01ac648fdf6276b61cc7707cb3e

  • C:\Windows\system\fMnXMLA.exe

    Filesize

    5.9MB

    MD5

    54a2ed50b414aa5f916622f5b105ef0b

    SHA1

    69250975ab8f0f143671e8b781f91ccfa866e21c

    SHA256

    02d925e4def0dc18811d8d9ff51c9c6bd356cd49e2a1dbfca0c3687e20eae748

    SHA512

    a70c39aae6aca081709701cfbf61d26c1c70ee3c591537b6db8094ab74ec311ca53a9cc725d6f727c510dbe837c7c0779a689634c2619bf36950df67619f741f

  • C:\Windows\system\imcgoWi.exe

    Filesize

    5.9MB

    MD5

    b1898123e3b92a3dbdebce4684fe610f

    SHA1

    98592dec2fb1362124147c4d4f3b49f041b42745

    SHA256

    4c233c981842a86bb52fce662a4f94f4a0ef5abacfaee95f113b604a6daf3df8

    SHA512

    38ff8b2582011b8cd5d823a9181783551bd90158e5600c387a6cd1e99a7e897cda72dccc93e568f5f26c5e4913356f4943b5b7d97ce2fc5c1a062234ff0418eb

  • C:\Windows\system\iybKgZg.exe

    Filesize

    5.9MB

    MD5

    758a9e7656db1b21c8cfe5b98cf47074

    SHA1

    2d909f13e3c997d569fce3c343a0ed985fd31f29

    SHA256

    0704657022a44fb56abe9a5d442fec6ca6b792b39ca90a91995ddd330f2b5378

    SHA512

    47c41149f282a22a0f80b1f634a7c4d534a30fc9ee8d19aed92dd7acb1190b9e58bacde54b6e4b18e80d72a051cfdb8d4f9978f65f6c8e0b80fc02dc47c4beef

  • C:\Windows\system\lbPFAiC.exe

    Filesize

    5.9MB

    MD5

    e946bd367e16384c6de2c1bd02f4bad1

    SHA1

    7784a1dd95e1c4c72b9a916a7b5d22d44313f059

    SHA256

    2e774dc15b8f1b8736a3e3d33a96e288077db2efd6ef9ad098cc66e0ba9e62eb

    SHA512

    1fecbdccc8c9aaa7acb28d269e6cd66c77b816886bc457723569d9987f16f787e01b51543e3bf78a59b35678ba4d931a37a489d26fd980b36dd3bf41ac1167aa

  • C:\Windows\system\tAjBhEW.exe

    Filesize

    5.9MB

    MD5

    b103ae2d5826cded07768920f982d4bc

    SHA1

    066c831982d06d24f96fbcc1812cdc8e2820a340

    SHA256

    374b99dfbd04234db593f62dd37bff2449622081596754b0f0dd9a1e6eecdc8f

    SHA512

    413a63b16f9bb0b94b3416ca4867de7491dfd386b9d5fcabd4063089c3a33f54bbbe0522ce065f551cca6f6c8355111e2213e7b2350a7f8d4122ffdb6a844b21

  • C:\Windows\system\uzMFuFU.exe

    Filesize

    5.9MB

    MD5

    ae59852c74b030b43b911390a37ea5c0

    SHA1

    7d5c151de3b4e143298982d72db9fa7321e09426

    SHA256

    7ca02e29756c5e23061bbecd46b5ba7e883f65e7f76d5466db3e52eae8dc029a

    SHA512

    0812acbc7a31218ac3f911bb2200c6a745174a1b5bfb258c4d7219ea3a85f9e57eb37cb0f49515c9b238f22dd0e040be3ae938db20ff10ee82b879c23e896dea

  • C:\Windows\system\zKyrkmV.exe

    Filesize

    5.9MB

    MD5

    34a6004bda27c2999eec9f1437b21036

    SHA1

    83abd51ff4141ea55aa46e9cf935dc53e4877534

    SHA256

    8c4012f5413ffc6a571e903a5dbbdc000b805d5fab43cdee0835493816dade10

    SHA512

    cb04a47b97fb3c187f0eb3faf570b6b8c380b8d31714075eb35256fe0f731fed6d2cc6a7ace15b6a14af553868cd864e629000ca879ef68f67e8488a340162cd

  • \Windows\system\kYbTNks.exe

    Filesize

    5.9MB

    MD5

    341a79f7d6c5107681939dc1caf4fcde

    SHA1

    2fcf78d3558b5fb051ff1e131c3d36ef51c0cae0

    SHA256

    6fdaf6d427e5d1158065e24ff39695acdf8e529061be99b4b3c447f8c8d87f17

    SHA512

    6fc753a23602e846553e6b481abe0b644e1193dbc833446efe82ee22a155d3be7939f726a599888f5fff8ca5344173f2a387d1aa6aef7f32c9ea6642fc985cf8

  • memory/1936-13-0x000000013F030000-0x000000013F384000-memory.dmp

    Filesize

    3.3MB

  • memory/1936-145-0x000000013F030000-0x000000013F384000-memory.dmp

    Filesize

    3.3MB

  • memory/2152-14-0x000000013F930000-0x000000013FC84000-memory.dmp

    Filesize

    3.3MB

  • memory/2152-70-0x000000013F930000-0x000000013FC84000-memory.dmp

    Filesize

    3.3MB

  • memory/2152-146-0x000000013F930000-0x000000013FC84000-memory.dmp

    Filesize

    3.3MB

  • memory/2192-155-0x000000013FC30000-0x000000013FF84000-memory.dmp

    Filesize

    3.3MB

  • memory/2192-81-0x000000013FC30000-0x000000013FF84000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-1-0x0000000000300000-0x0000000000310000-memory.dmp

    Filesize

    64KB

  • memory/2392-141-0x000000013F3E0000-0x000000013F734000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-114-0x000000013F4C0000-0x000000013F814000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-80-0x0000000002310000-0x0000000002664000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-85-0x0000000002310000-0x0000000002664000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-101-0x0000000002310000-0x0000000002664000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-30-0x0000000002310000-0x0000000002664000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-143-0x0000000002310000-0x0000000002664000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-64-0x000000013FF00000-0x0000000140254000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-35-0x000000013F3C0000-0x000000013F714000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-57-0x0000000002310000-0x0000000002664000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-63-0x000000013FB60000-0x000000013FEB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-8-0x000000013F030000-0x000000013F384000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-21-0x0000000002310000-0x0000000002664000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-50-0x000000013F580000-0x000000013F8D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-0-0x000000013FB60000-0x000000013FEB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-16-0x0000000002310000-0x0000000002664000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-94-0x0000000002310000-0x0000000002664000-memory.dmp

    Filesize

    3.3MB

  • memory/2392-34-0x0000000002310000-0x0000000002664000-memory.dmp

    Filesize

    3.3MB

  • memory/2504-154-0x000000013F3E0000-0x000000013F734000-memory.dmp

    Filesize

    3.3MB

  • memory/2504-71-0x000000013F3E0000-0x000000013F734000-memory.dmp

    Filesize

    3.3MB

  • memory/2504-142-0x000000013F3E0000-0x000000013F734000-memory.dmp

    Filesize

    3.3MB

  • memory/2584-25-0x000000013FAB0000-0x000000013FE04000-memory.dmp

    Filesize

    3.3MB

  • memory/2584-79-0x000000013FAB0000-0x000000013FE04000-memory.dmp

    Filesize

    3.3MB

  • memory/2584-147-0x000000013FAB0000-0x000000013FE04000-memory.dmp

    Filesize

    3.3MB

  • memory/2624-153-0x000000013FF00000-0x0000000140254000-memory.dmp

    Filesize

    3.3MB

  • memory/2624-140-0x000000013FF00000-0x0000000140254000-memory.dmp

    Filesize

    3.3MB

  • memory/2624-65-0x000000013FF00000-0x0000000140254000-memory.dmp

    Filesize

    3.3MB

  • memory/2632-149-0x000000013FB70000-0x000000013FEC4000-memory.dmp

    Filesize

    3.3MB

  • memory/2632-42-0x000000013FB70000-0x000000013FEC4000-memory.dmp

    Filesize

    3.3MB

  • memory/2680-51-0x000000013F580000-0x000000013F8D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2680-150-0x000000013F580000-0x000000013F8D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2712-36-0x000000013F910000-0x000000013FC64000-memory.dmp

    Filesize

    3.3MB

  • memory/2712-148-0x000000013F910000-0x000000013FC64000-memory.dmp

    Filesize

    3.3MB

  • memory/2712-109-0x000000013F910000-0x000000013FC64000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-95-0x000000013FDB0000-0x0000000140104000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-157-0x000000013FDB0000-0x0000000140104000-memory.dmp

    Filesize

    3.3MB

  • memory/2776-43-0x000000013F3C0000-0x000000013F714000-memory.dmp

    Filesize

    3.3MB

  • memory/2776-151-0x000000013F3C0000-0x000000013F714000-memory.dmp

    Filesize

    3.3MB

  • memory/2776-139-0x000000013F3C0000-0x000000013F714000-memory.dmp

    Filesize

    3.3MB

  • memory/2808-102-0x000000013F940000-0x000000013FC94000-memory.dmp

    Filesize

    3.3MB

  • memory/2808-158-0x000000013F940000-0x000000013FC94000-memory.dmp

    Filesize

    3.3MB

  • memory/2836-152-0x000000013FE80000-0x00000001401D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2836-58-0x000000013FE80000-0x00000001401D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2988-144-0x000000013FD80000-0x00000001400D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2988-86-0x000000013FD80000-0x00000001400D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2988-156-0x000000013FD80000-0x00000001400D4000-memory.dmp

    Filesize

    3.3MB