Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08-06-2024 11:25

General

  • Target

    2024-06-08_20d7d63e9e90012c575da3d39f08861f_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    20d7d63e9e90012c575da3d39f08861f

  • SHA1

    138d2566a6e5e9685fb620dd1ab088d1a62f0289

  • SHA256

    57c501cb95104b1d038195f4431802be7d344be26274097e7248f7dd2ec710d6

  • SHA512

    722588841ee423298df2619c508ba3df2025091271458346f27c32bead99d3145577f318f364690cf95b91145ed6c047a7829911fcd6e38ed57188741151990b

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUQ:Q+856utgpPF8u/7Q

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 54 IoCs
  • XMRig Miner payload 55 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 54 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-08_20d7d63e9e90012c575da3d39f08861f_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-08_20d7d63e9e90012c575da3d39f08861f_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Windows\System\WqotNfu.exe
      C:\Windows\System\WqotNfu.exe
      2⤵
      • Executes dropped EXE
      PID:2300
    • C:\Windows\System\vdtaNlf.exe
      C:\Windows\System\vdtaNlf.exe
      2⤵
      • Executes dropped EXE
      PID:2900
    • C:\Windows\System\WPDyhKC.exe
      C:\Windows\System\WPDyhKC.exe
      2⤵
      • Executes dropped EXE
      PID:2896
    • C:\Windows\System\lfEfIni.exe
      C:\Windows\System\lfEfIni.exe
      2⤵
      • Executes dropped EXE
      PID:2628
    • C:\Windows\System\xvOYJFZ.exe
      C:\Windows\System\xvOYJFZ.exe
      2⤵
      • Executes dropped EXE
      PID:2404
    • C:\Windows\System\GsNgUAg.exe
      C:\Windows\System\GsNgUAg.exe
      2⤵
      • Executes dropped EXE
      PID:2732
    • C:\Windows\System\LKYtQAp.exe
      C:\Windows\System\LKYtQAp.exe
      2⤵
      • Executes dropped EXE
      PID:3040
    • C:\Windows\System\nzfPutX.exe
      C:\Windows\System\nzfPutX.exe
      2⤵
      • Executes dropped EXE
      PID:2396
    • C:\Windows\System\jcePZeU.exe
      C:\Windows\System\jcePZeU.exe
      2⤵
      • Executes dropped EXE
      PID:2428
    • C:\Windows\System\fWXpBbV.exe
      C:\Windows\System\fWXpBbV.exe
      2⤵
      • Executes dropped EXE
      PID:2516
    • C:\Windows\System\BVAYXGJ.exe
      C:\Windows\System\BVAYXGJ.exe
      2⤵
      • Executes dropped EXE
      PID:2904
    • C:\Windows\System\ZFnSgMg.exe
      C:\Windows\System\ZFnSgMg.exe
      2⤵
      • Executes dropped EXE
      PID:1492
    • C:\Windows\System\hJLHSJP.exe
      C:\Windows\System\hJLHSJP.exe
      2⤵
      • Executes dropped EXE
      PID:2376
    • C:\Windows\System\bdxApnf.exe
      C:\Windows\System\bdxApnf.exe
      2⤵
      • Executes dropped EXE
      PID:1888
    • C:\Windows\System\zjrrdip.exe
      C:\Windows\System\zjrrdip.exe
      2⤵
      • Executes dropped EXE
      PID:844
    • C:\Windows\System\aZePIMr.exe
      C:\Windows\System\aZePIMr.exe
      2⤵
      • Executes dropped EXE
      PID:904
    • C:\Windows\System\jXqtdJv.exe
      C:\Windows\System\jXqtdJv.exe
      2⤵
      • Executes dropped EXE
      PID:2456
    • C:\Windows\System\wgNAIGU.exe
      C:\Windows\System\wgNAIGU.exe
      2⤵
      • Executes dropped EXE
      PID:2604
    • C:\Windows\System\VYScpaD.exe
      C:\Windows\System\VYScpaD.exe
      2⤵
      • Executes dropped EXE
      PID:1184
    • C:\Windows\System\HwMTgYl.exe
      C:\Windows\System\HwMTgYl.exe
      2⤵
      • Executes dropped EXE
      PID:292
    • C:\Windows\System\bsJMGlq.exe
      C:\Windows\System\bsJMGlq.exe
      2⤵
      • Executes dropped EXE
      PID:1204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\BVAYXGJ.exe

    Filesize

    5.9MB

    MD5

    2480216a710cb53fe131b647db46cb33

    SHA1

    7e340d3230fc4da3d5dda536ba92669c9e4b611d

    SHA256

    14821fd8b37d7810a5a30b130e6595ccbd14179e9a81c67b6fce1d0bd53cc76b

    SHA512

    b5ffb622b7f777208bd26013c01cc3ef2b89a32660a7893959847d0456c1c03bb59cd8b40274036d9d9fa976322120529ee4d19832d1f0a56ff7bffa98011a61

  • C:\Windows\system\GsNgUAg.exe

    Filesize

    5.9MB

    MD5

    50ff78c48be6839c1ed8c89d8e691304

    SHA1

    2d9c314bab598cc33060e059761921ddc1072653

    SHA256

    4e629e3d1170160e84e9e5fadf53fb93a6e85f96bc3aa5273bba43817bfd3579

    SHA512

    2bdc330a02279413fd4d05a991d60e8e48d6d540b45f26b0c29f7d8f25daf9c87159a20b06de7e29714741ba39e365f376494bfc906bfb6de488a2e74c1c8061

  • C:\Windows\system\VYScpaD.exe

    Filesize

    5.9MB

    MD5

    a973196241383a273d68d9230d2f39f8

    SHA1

    7862476635ed15201fb11f605ae4a5a09411483c

    SHA256

    2e6e5b3203ce027c2addafd68ab0d425e0ed1c3471e72451a6b2976cb8ca4207

    SHA512

    929b25e7ed62555b8056ca077d06dbdbd19e14a24f8387f996f21f8a8155260b466a773331a5ec4bd381235044cd7948f06cb51596ddf4696090bcce3cc73106

  • C:\Windows\system\WPDyhKC.exe

    Filesize

    5.9MB

    MD5

    95e22a2367da9506c3f0db58b2cbaa59

    SHA1

    1cb1193ef1fa9c39e9ac45a5c4b03d01084c70f4

    SHA256

    81e375da6e56465b44f70ce0b4ec2a9987efb2c107398d0acc39de04352ef1d0

    SHA512

    4a7e2a8fe274ca3990741b1140d907e1f41015a2557604916ea290f05c0485130de9d2be04d50e6b5868ff9bf93f1263e492cda9a461c40cf6d881cde3173175

  • C:\Windows\system\WqotNfu.exe

    Filesize

    5.9MB

    MD5

    3ee82894cbcf64cd1790fb2b6fd37250

    SHA1

    21ae0cd0fed73bad1dc2029eb2a2a0162fe9cd83

    SHA256

    7f4bdc1e40f1324ea6e18960e576a9cc04a509718efac2f956ed08270d86a3e7

    SHA512

    d8eec143f9f89f021e4745f303e8eacb0671e005da4ef00ecfe2fa5dd381197da62dc6e4cba911baea72f308706b44616ad69df083429988c29423439b01801b

  • C:\Windows\system\hJLHSJP.exe

    Filesize

    5.9MB

    MD5

    73dd36936d7cc54081fd9a5e987a00be

    SHA1

    01b67ed038c815eaa237c72f8dabde671b37fafd

    SHA256

    e66d2388a96efc62b2848bd8635df3ae5b075244aa3a2c87c8b910ac72dfb9d6

    SHA512

    8e9313d82659450c5667d2c872369a0ea2fcd741903d200867f692613f21148e251cb3c1051df63e222d79c44c7ca5e34194bef0d326a103a381d4b93b2e8c6a

  • C:\Windows\system\jXqtdJv.exe

    Filesize

    5.9MB

    MD5

    8c55eac1bd5bb8aa0d38abe3bb7d761e

    SHA1

    ac9dde5bdb59d4a6fe137fc43b05627065835547

    SHA256

    71e457c94069e62eaa4c8b47e3d15a73384a3421cadd4fe6a0ab27c62258231b

    SHA512

    641f6d34ef64a227e99449fab9ceb71c7d7ddc9c3e3846818435fe4b7a10660d3ef1ad0d7248ce4690cf0892d8c6df3c21e027351975e9e3e27e590299a22536

  • C:\Windows\system\lfEfIni.exe

    Filesize

    5.9MB

    MD5

    cc80f943b4cce0eb932c46232eb7a349

    SHA1

    2e8f549de17e0b4d5090958d729801574ca3571c

    SHA256

    93541a5fef64dd30f00cbf2270a791fd4b465292629180c93f1b24cbefc4c42a

    SHA512

    8c9736da37bb1449fd5d25e2e1ab6cb670175b15224de6fbb4db0ce228155d365224e2c2ab583c72b66b62dc33ebce9205bd2f101dfdf6d9f0ad4f478842b114

  • C:\Windows\system\nzfPutX.exe

    Filesize

    5.9MB

    MD5

    5f60b8883e19b2df964fc227ef037e42

    SHA1

    69d2e7a2cf752f81e4b303c7659331e37985d67e

    SHA256

    19d9d2a424714f6a4c822e17ecdd9e9442e2cabc6ec2fc079747822013e77201

    SHA512

    f0a40680e2a0e689d5f37de90be6a52a0d654eb6c8f647f6bbebd6fbef5a3d48e5bcbda2e2b1d2ca2fc2a906fbe332b6ef70d68c89d79c9ec69d6431eafd766c

  • C:\Windows\system\vdtaNlf.exe

    Filesize

    5.9MB

    MD5

    51ef747c77f9a39c5f5a87a9c8cbe488

    SHA1

    746a644a5e558355993e263aac3ddb7981c03419

    SHA256

    825f977b90861c0afeeecdc70896c559f8ae6c9ffc61c390e20fe2a54178e089

    SHA512

    a17b89205c82a1a54bfb69a7802974dbe0624d8c63415742bd850773390d59c8965bdaaf322d4921cdbb64255f9806d11495c7952be2bd99452e7e4c4f64df21

  • C:\Windows\system\xvOYJFZ.exe

    Filesize

    5.9MB

    MD5

    e1430998f11048704ac95cd7030bd8e6

    SHA1

    d5298d6ae7cb7b617ea059b4959a6ae9553d6748

    SHA256

    c628bc62fc4a6884ed33291791ab8170780d1e49b4341368ac0b20395da16bea

    SHA512

    b472979f96222c07499593da54ff20d4ea91f19d87f71a40b0c308e9142e8577015ec34074bffd63eb9d3cd126ce50af8b273ebba5840849ba614a1bf6d5da42

  • C:\Windows\system\zjrrdip.exe

    Filesize

    5.9MB

    MD5

    ac33b1ecd802b014f7fa15c2a3cec742

    SHA1

    678c72ad5030ba1dc9983632e8ccfab85ca385ac

    SHA256

    05e4e944b36c7a663592fa79cc5a9b363584d271b3fb7d9c49e1b9f6bcac50f9

    SHA512

    d1f0842f740feab573c515360c0c9280f9eb227dc192df65e79466d55e4b56240aae6ef65088bab202496a33786010d8f212fe0d57ead3970b4503b6df5bb047

  • \Windows\system\HwMTgYl.exe

    Filesize

    5.9MB

    MD5

    c1d055c4708407dc326e2769178a675a

    SHA1

    52a2451f9ca3e513db81bea97fb180651717bd97

    SHA256

    ca96326073bd24851f436b55437439c18777e87e75678adee33e14ac6489f609

    SHA512

    48910c1e0b62b393ffd74b8da5463969f4058ddaa03a86e453c60062154d3c8984da97353f8ac57addaae7fb74357edb82368b2732403fb15f91284c12e361b4

  • \Windows\system\LKYtQAp.exe

    Filesize

    5.9MB

    MD5

    f79ff1f8c94c6672b2762d21ad755b95

    SHA1

    23645587d097eb873f560e22800f409fdbd69d80

    SHA256

    81b78896e9d0cf09ab3e06af981ada40fd61c9ab32223c2f263b35cf38ebd4ab

    SHA512

    99cd5f75edbacea17eae660d4c29fe62ae51a77e8b7afa8d5bacf737a3f01bb6ead8a44545d7ee168fe820f13441a7c5be184d05d8eda45c3d1b717129eed400

  • \Windows\system\ZFnSgMg.exe

    Filesize

    5.9MB

    MD5

    0cbe2b55c1cca1c28de9a9d062211ce5

    SHA1

    d25064ce9219cc7e93b9410b5e5ce8e5861f4c55

    SHA256

    b8606428f9dd7b1208d16ab2a75938f0739fe6ba2a11fa6378336a2499587dba

    SHA512

    95a93694ca9d7d8314b1ed71540be3362ff48fff6e9f91ddf438a4903865550f0a7309a4b8080166db5337dbec708dafa91d1807876763bcd7c6f8d17dafff54

  • \Windows\system\aZePIMr.exe

    Filesize

    5.9MB

    MD5

    d12b647aa52790e982f9b969426e08af

    SHA1

    648cc91cbd80daf8197d6d48808e15a1215206d9

    SHA256

    12fb84ce5655585202ea3d1908fd69c2947952b34d13f4ad196ab4da0a112c26

    SHA512

    7905de672b35c4a124badd47989f74cb44e906f5eb0325c02937e85b35a59a82f837aef3cb6119043d62037456c3affe41f0c87f38d21976bbed5e607791147d

  • \Windows\system\bdxApnf.exe

    Filesize

    5.9MB

    MD5

    bcac6f630e5324ce78cd12647e76eef9

    SHA1

    0e76cf15f78e4a19a64acfdea8a63d58b0bfdb21

    SHA256

    a855f82dc6271bcd79754b28cb2fc45801905c227128437386a55e2c9034294f

    SHA512

    3e73f1c2be4754cc605392f261644445ebd9de6ce630bf4510ec23083b31e45eecf00e4aaf147ed6bddf81c4b328d9601072f2a079dfb900c68698f555c84e71

  • \Windows\system\bsJMGlq.exe

    Filesize

    5.9MB

    MD5

    b27fe693d0c8f0aaa9755f6b9b844b04

    SHA1

    b2a08dac1f35be3e4aa408cfdea18e2724abfef6

    SHA256

    eb082097ad7483e2484f55654d90bc8962c87489c242314ad8dd88398b65b42a

    SHA512

    bb370c68b400132f05c361dc9067de2363556104995dee63b88923f3a92c9a237b81d2ec1ce74adbf083b862d8e6cc2bd73f5f12b9451dada05ecbe2c6594f54

  • \Windows\system\fWXpBbV.exe

    Filesize

    5.9MB

    MD5

    e41e6b6c0f5dc22063ad3c6d0358e685

    SHA1

    3aea1c49b63f8b7a97c26dc82530a8237877f4e2

    SHA256

    b113fd86677e3ff7bc5fd03af57fc7b7ecbd398a41c4971357138062be0bbe4c

    SHA512

    c03e83307b6355800bbf2b8a873f8b1952bbcf66a7094026ff1f88fff3d9663973df3c503ff06190c5ece710f8fca27ec3bdbde5c6b274423d00da141a36e551

  • \Windows\system\jcePZeU.exe

    Filesize

    5.9MB

    MD5

    3cbfe46e3882937d75d627f9c8c9b2df

    SHA1

    8b8170d2649a9592ac153cbf5943e516c910dd31

    SHA256

    c3fae2e99fea247835a1618acc150876fb102adea4e5c50788d7673f798413f0

    SHA512

    c2a01c3961ff0a4c02c32d1a3845ea2ae86cb640dca8b663220a25bab4f0cd0aba5310618da63145cba3d0994aed795445d7ad4008e5d7c2b794cdc35df4a05a

  • \Windows\system\wgNAIGU.exe

    Filesize

    5.9MB

    MD5

    a94e54c5f7bd590aa0a120e008344347

    SHA1

    418423a9e0690ed47b9afbe0b2179058be3b5850

    SHA256

    787eb2991fab107983eb63b6175a74a5f8d460e4be2971aa064ae8c1c8013ec3

    SHA512

    f805d60fdb56c73f3dd9e05f6715c7cf8c83f6823c925710d9c0b75b3ab475889c0ee5ef4395542c970a878f053e6785e689904f68783abddb060cadfcc5c3fd

  • memory/844-113-0x000000013F210000-0x000000013F564000-memory.dmp

    Filesize

    3.3MB

  • memory/844-142-0x000000013F210000-0x000000013F564000-memory.dmp

    Filesize

    3.3MB

  • memory/844-156-0x000000013F210000-0x000000013F564000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-136-0x000000013FF80000-0x00000001402D4000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-68-0x000000013FA80000-0x000000013FDD4000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-116-0x0000000002270000-0x00000000025C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-115-0x000000013FA30000-0x000000013FD84000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-114-0x0000000002270000-0x00000000025C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-1-0x00000000000F0000-0x0000000000100000-memory.dmp

    Filesize

    64KB

  • memory/1500-143-0x000000013FA30000-0x000000013FD84000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-24-0x0000000002270000-0x00000000025C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-25-0x000000013FDA0000-0x00000001400F4000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-140-0x0000000002270000-0x00000000025C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-22-0x0000000002270000-0x00000000025C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-40-0x000000013F0B0000-0x000000013F404000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-0-0x000000013F460000-0x000000013F7B4000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-135-0x000000013F460000-0x000000013F7B4000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-34-0x000000013FC30000-0x000000013FF84000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-86-0x000000013F8F0000-0x000000013FC44000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-85-0x000000013F7E0000-0x000000013FB34000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-117-0x000000013FB00000-0x000000013FE54000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-44-0x0000000002270000-0x00000000025C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-76-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

    Filesize

    3.3MB

  • memory/1500-105-0x0000000002270000-0x00000000025C4000-memory.dmp

    Filesize

    3.3MB

  • memory/2300-144-0x000000013FF80000-0x00000001402D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2300-18-0x000000013FF80000-0x00000001402D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2376-155-0x000000013F4F0000-0x000000013F844000-memory.dmp

    Filesize

    3.3MB

  • memory/2376-112-0x000000013F4F0000-0x000000013F844000-memory.dmp

    Filesize

    3.3MB

  • memory/2396-80-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

    Filesize

    3.3MB

  • memory/2396-151-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

    Filesize

    3.3MB

  • memory/2404-36-0x000000013FC30000-0x000000013FF84000-memory.dmp

    Filesize

    3.3MB

  • memory/2404-148-0x000000013FC30000-0x000000013FF84000-memory.dmp

    Filesize

    3.3MB

  • memory/2404-138-0x000000013FC30000-0x000000013FF84000-memory.dmp

    Filesize

    3.3MB

  • memory/2428-87-0x000000013F7E0000-0x000000013FB34000-memory.dmp

    Filesize

    3.3MB

  • memory/2428-152-0x000000013F7E0000-0x000000013FB34000-memory.dmp

    Filesize

    3.3MB

  • memory/2516-141-0x000000013F8F0000-0x000000013FC44000-memory.dmp

    Filesize

    3.3MB

  • memory/2516-154-0x000000013F8F0000-0x000000013FC44000-memory.dmp

    Filesize

    3.3MB

  • memory/2516-73-0x000000013F8F0000-0x000000013FC44000-memory.dmp

    Filesize

    3.3MB

  • memory/2628-137-0x000000013F4E0000-0x000000013F834000-memory.dmp

    Filesize

    3.3MB

  • memory/2628-28-0x000000013F4E0000-0x000000013F834000-memory.dmp

    Filesize

    3.3MB

  • memory/2628-147-0x000000013F4E0000-0x000000013F834000-memory.dmp

    Filesize

    3.3MB

  • memory/2732-139-0x000000013F0B0000-0x000000013F404000-memory.dmp

    Filesize

    3.3MB

  • memory/2732-42-0x000000013F0B0000-0x000000013F404000-memory.dmp

    Filesize

    3.3MB

  • memory/2732-149-0x000000013F0B0000-0x000000013F404000-memory.dmp

    Filesize

    3.3MB

  • memory/2896-23-0x000000013F150000-0x000000013F4A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2896-146-0x000000013F150000-0x000000013F4A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2900-26-0x000000013FDA0000-0x00000001400F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2900-145-0x000000013FDA0000-0x00000001400F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2904-153-0x000000013FA80000-0x000000013FDD4000-memory.dmp

    Filesize

    3.3MB

  • memory/2904-96-0x000000013FA80000-0x000000013FDD4000-memory.dmp

    Filesize

    3.3MB

  • memory/3040-150-0x000000013F780000-0x000000013FAD4000-memory.dmp

    Filesize

    3.3MB

  • memory/3040-66-0x000000013F780000-0x000000013FAD4000-memory.dmp

    Filesize

    3.3MB