Analysis

  • max time kernel
    135s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08-06-2024 13:43

General

  • Target

    2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    d64ee4e18e5f0fa7730d630670886087

  • SHA1

    0cc811f512ac5d79b87f3cc052702ffb03323c8e

  • SHA256

    15efae55ad58f40a11baa92251e2b1e6d120af513c4b3a747e1d7da5d9b7b3fd

  • SHA512

    bf18e625544c96b4b2955d4426601c36cc298707aeccc87bf91f819258bd674c91471bea47cf8c157aa9acf29b3f2ddb91a4cef5ae6468c25b16b9e86f7ece34

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUU:Q+856utgpPF8u/7U

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 52 IoCs
  • XMRig Miner payload 57 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 52 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-08_d64ee4e18e5f0fa7730d630670886087_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\System\fCfiDJN.exe
      C:\Windows\System\fCfiDJN.exe
      2⤵
      • Executes dropped EXE
      PID:2936
    • C:\Windows\System\PmEygvH.exe
      C:\Windows\System\PmEygvH.exe
      2⤵
      • Executes dropped EXE
      PID:2548
    • C:\Windows\System\HktMgIM.exe
      C:\Windows\System\HktMgIM.exe
      2⤵
      • Executes dropped EXE
      PID:2620
    • C:\Windows\System\NiLgiYa.exe
      C:\Windows\System\NiLgiYa.exe
      2⤵
      • Executes dropped EXE
      PID:2616
    • C:\Windows\System\gFjAUbs.exe
      C:\Windows\System\gFjAUbs.exe
      2⤵
      • Executes dropped EXE
      PID:2688
    • C:\Windows\System\QQiQqfb.exe
      C:\Windows\System\QQiQqfb.exe
      2⤵
      • Executes dropped EXE
      PID:2520
    • C:\Windows\System\aqTxCVq.exe
      C:\Windows\System\aqTxCVq.exe
      2⤵
      • Executes dropped EXE
      PID:2584
    • C:\Windows\System\aFnhkeO.exe
      C:\Windows\System\aFnhkeO.exe
      2⤵
      • Executes dropped EXE
      PID:2684
    • C:\Windows\System\TIVlKMH.exe
      C:\Windows\System\TIVlKMH.exe
      2⤵
      • Executes dropped EXE
      PID:2436
    • C:\Windows\System\RjprfLn.exe
      C:\Windows\System\RjprfLn.exe
      2⤵
      • Executes dropped EXE
      PID:2540
    • C:\Windows\System\nmFTJHp.exe
      C:\Windows\System\nmFTJHp.exe
      2⤵
      • Executes dropped EXE
      PID:2836
    • C:\Windows\System\yMTEKPL.exe
      C:\Windows\System\yMTEKPL.exe
      2⤵
      • Executes dropped EXE
      PID:1996
    • C:\Windows\System\YNdEHNH.exe
      C:\Windows\System\YNdEHNH.exe
      2⤵
      • Executes dropped EXE
      PID:2212
    • C:\Windows\System\klZDBYc.exe
      C:\Windows\System\klZDBYc.exe
      2⤵
      • Executes dropped EXE
      PID:1552
    • C:\Windows\System\nnTmGHG.exe
      C:\Windows\System\nnTmGHG.exe
      2⤵
      • Executes dropped EXE
      PID:2304
    • C:\Windows\System\dImZMoT.exe
      C:\Windows\System\dImZMoT.exe
      2⤵
      • Executes dropped EXE
      PID:1180
    • C:\Windows\System\nuXyOtT.exe
      C:\Windows\System\nuXyOtT.exe
      2⤵
      • Executes dropped EXE
      PID:1436
    • C:\Windows\System\pehMZtc.exe
      C:\Windows\System\pehMZtc.exe
      2⤵
      • Executes dropped EXE
      PID:1568
    • C:\Windows\System\sqwvTkK.exe
      C:\Windows\System\sqwvTkK.exe
      2⤵
      • Executes dropped EXE
      PID:1748
    • C:\Windows\System\ppkpORd.exe
      C:\Windows\System\ppkpORd.exe
      2⤵
      • Executes dropped EXE
      PID:1660
    • C:\Windows\System\hSjGMDN.exe
      C:\Windows\System\hSjGMDN.exe
      2⤵
      • Executes dropped EXE
      PID:1692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\HktMgIM.exe

    Filesize

    5.9MB

    MD5

    fd1570b6a5ced0b794c82ec12b904580

    SHA1

    c56b51b789d4738b011171526989dd55e1863073

    SHA256

    c65eee30befd284d627988f542dc34405113c4c5dceae46e12e0aac2cc3d5299

    SHA512

    cfd8eea827b7ffa7bf0763f33d443ddbfc92585a6b662e2913876884448cc62c1c07a758660304ea52c47637ee2d1ba46b76efa745f9680a69769be73cfff9d6

  • C:\Windows\system\NiLgiYa.exe

    Filesize

    5.9MB

    MD5

    33e660d057f51cac72486d96e1c364f0

    SHA1

    c39307b49778dbdb2e8417e8459768734746f861

    SHA256

    eab13820bd4233145b4f9d9a4b81ef548ef985b7219929828972b64a2c624374

    SHA512

    609930e77104f6d852cc7c196a234e2b07313f8f3c55469fd524a2d354d503fc219bffd606511ca3ad5442bd744a6ea0a9619a3b0937c7ecd96432f123dafdb2

  • C:\Windows\system\QQiQqfb.exe

    Filesize

    5.9MB

    MD5

    7f05ce4f1d36fd2e6c778fb33bb3dfd3

    SHA1

    569ba89d8adb798f14ebe403e341b028fc335bc3

    SHA256

    bddebb8facf2bf809f50c5b2a1db82f986664f71db4a7f5d86355aacee9af34f

    SHA512

    2639937707ee665562fcc5ca5b59cb3c1b714e7b789f0cf293ca236221fa5c1e01cd906ee43f99e0dc06c00f94cb2a0d92d461d28bdde96c4f44f75c8d658fea

  • C:\Windows\system\RjprfLn.exe

    Filesize

    5.9MB

    MD5

    33a0448f5b13a982431e1a690befa50e

    SHA1

    b6da075d1fcba48bd63f5e22e28ea1d1f0905ac8

    SHA256

    c142281faab1981584fcfbac475ddefad0cdcdfe0937bd3dcdeb568c5c9fcb3f

    SHA512

    dcb613883d6849a68b2fcff06194a6a1f2211ac40e48b68f4b92892226cacc66006a7b558d0fdb3843becc038c1359cf49f5227738dccaad418e8b9d056a2641

  • C:\Windows\system\TIVlKMH.exe

    Filesize

    5.9MB

    MD5

    ee11a1334a8c41e13c50edca8c901d6b

    SHA1

    3ae7ca66c2f47535333a802b3e07e473150cbea2

    SHA256

    a7ac8437fae23ebf871da384079d181f4196ca5873036ca2706f7379858eecef

    SHA512

    904e5fef86835f9d19b924a6373a90536351edd545ea2ff0333ded6b7f53fcec075bcd1bf24a42894bf1f1429797c8aa6e44dc8904c154c864f171a65166b9dd

  • C:\Windows\system\YNdEHNH.exe

    Filesize

    5.9MB

    MD5

    4b176c79be3b6d1762c8c340a13cae7a

    SHA1

    a4ebe346907e650cb6d29937ea1501a15c2483f5

    SHA256

    2152de735a09564c6456d2cc0e8a30a0995a5c4cab51fa3f279a31f0279cd49c

    SHA512

    505dc0e340192f84a350ad6c090d88dd3d84e95c91923a6b03ab0b5fad2e9dac1076b956337b593e8127682f9f7274cbf03b319a8190073914e4242dd9e484af

  • C:\Windows\system\aFnhkeO.exe

    Filesize

    5.9MB

    MD5

    bc00853350ea8a2acccf9dc4cfa1ffbf

    SHA1

    30269a17ba3d1b351e4aa68717cce18ea3d7a10c

    SHA256

    9292333617d32af52808bd253350d2279653235ef10b371da07203763820cb93

    SHA512

    bd066ff188e1e1b22e66255578932460122e0b4b60cb8866ac1af633fae2036fe4689182690747a973b0d80506f80c1caadfc6a6723e4d1a0cf48f31ab3b6c16

  • C:\Windows\system\aqTxCVq.exe

    Filesize

    5.9MB

    MD5

    965ebeeb894bc8f45afe4bdf8246ea91

    SHA1

    77d8f8e709eb3ff2e0ae681d71953ded4b6e626d

    SHA256

    d4f5e8d9b175225e9b2661483806fec53013a7bcfea9885e4b901124c5ba83e7

    SHA512

    2272efb0bef7f7b27922e7679892c08e604b9e6b34da4470ec884398ec81c0604ceff48588efd5c01355716f546d86fa2044e7b7c052a37daa2abc7dd3fee3d7

  • C:\Windows\system\dImZMoT.exe

    Filesize

    5.9MB

    MD5

    33c6bcf162fb3544238d01fe76088702

    SHA1

    e35797cff31f09410c545109f79f536f85b66c06

    SHA256

    16e2f7eacd94d3be57f58f488cf438b24fa0b465b48d6a7ca7dd9bc0ce51a85d

    SHA512

    b0d7919b69454868c9b913fb9b9ba3cf7d2efda83f47667ef91385ef16c4dfc3e760de46674431d0a348209ba7c0a912444d214a8c3e113cf9953ade3c80730d

  • C:\Windows\system\fCfiDJN.exe

    Filesize

    5.9MB

    MD5

    2f4a204d264c02e44aac95eca3903cf1

    SHA1

    c4ec6126570e6576ffdf8fde8e14a0a2b446bc6f

    SHA256

    ec3a30bb6a41e2720c13c7583eef47db0242bb9c015c967b53c4f41b28c50dad

    SHA512

    00d6056adcce3f384a43ccd1fceee953205cc9a4656e5fbccdba2ac300974701409861dbb6c85de4f3e9409e3f82d4505c40ee13f9b5e1ba13f1f664aaa4581e

  • C:\Windows\system\gFjAUbs.exe

    Filesize

    5.9MB

    MD5

    784ffe2ee1d3594a18f1ade09536f5c1

    SHA1

    5217d6bda2f04e8ef9140527365a9cc637dd949e

    SHA256

    3d75b2de3433ab272883600cb2f13bbf88119c741acdf5f95ab6b4a8f21f312e

    SHA512

    06d46ecf5a0067d2a258a76a50db61025ee02c833b6992b971660456b92ca46a8cc0277fc705f0a603cd7677468dc5ae3b88c32fa0f1afb125f9389e0a7739b5

  • C:\Windows\system\klZDBYc.exe

    Filesize

    5.9MB

    MD5

    281ebb28fbedc87a1117a0577616fee0

    SHA1

    a92355366821cdf7e3780268de76becff8f18b0b

    SHA256

    36af5ef3ac9fe90721a4148f3ac3d267d26a8ee032f359adb56df057b02e2c7c

    SHA512

    332f50958cb0c27ad55f159f08dbea4b33ddc396e1da9f4afe3d8295a49287e5ffb05d8b96c9f68380ad08d76c883f5cc828a068e54d9f491ee1264d84bbd4d0

  • C:\Windows\system\nmFTJHp.exe

    Filesize

    5.9MB

    MD5

    7226df8fac04b0049197c4d8e057a6ac

    SHA1

    6f794600cf37adabb84a0bb1449408948a8e996f

    SHA256

    4ff0b104d8a8e6007f8775272ea029088a2366d64c5381a9e912a919a761e99a

    SHA512

    6fcfd0278308eaddba9f215c9e3150433162e3e21e51151fb616a38561cdab5eb6b8bea19219be648179fc2f98360ed304af3cf674c73875e5a97f9c2c3fb5fc

  • C:\Windows\system\nnTmGHG.exe

    Filesize

    5.9MB

    MD5

    cbbcc21874fc2182b9e8ec9491061f5a

    SHA1

    3a712500bc9236b5fcb83215fbd58d2c91769dcd

    SHA256

    b85df1b62255cb55a049e145c87eb678416fe37d5c1e8e1097b77f3581d1e583

    SHA512

    cdb210d4d338e62017fcbe38826791f7386d674f6e0ec7ba7f29983f2b4f54a5a60f832f7620b729f44e5b6520ca9048b2e7085720d6c81b1a4cdb2103e1f541

  • C:\Windows\system\nuXyOtT.exe

    Filesize

    5.9MB

    MD5

    215f2abb009f123802624084f30a7533

    SHA1

    c27f4d62922d5e55c78165794e6b38fd499d369a

    SHA256

    e4752a92540a794bec9ce8579d2a85630fecb7ff060f1ac2e1870b126f7a2e46

    SHA512

    bff2451f54e33932cf41ddc5cd37593e71a736f03426d9dca2d14d0360da2750999254cab4e6369ac37c87de16827916c7db17e9aa258f2076e2b0d5f2bddbfb

  • C:\Windows\system\pehMZtc.exe

    Filesize

    5.9MB

    MD5

    4a1988f39ceb99af58bc95d06638f322

    SHA1

    4dd89ae5a26d34b3ca1261fc51a6bd88205259f5

    SHA256

    06abb96430bc179bf67f1b20b231fb76565b519fd728f86fc61cfc99a347fb37

    SHA512

    a3509691db49257b7f6f0341854d965e376111ff9f2ed131cba8fcd9f33d89d06fd684a3e99921b21552692312bf3ba65d342a3db09dfa4db6595b5f5c7c8f31

  • C:\Windows\system\ppkpORd.exe

    Filesize

    5.9MB

    MD5

    08bbb24dfd9180418f683df304137397

    SHA1

    ea4317af138ab315e6faf71aee4f7207f88f78d9

    SHA256

    b3308fff7174b3cde6427ba310f771aad99ccde8fe99313ecab273d1f12d3ab9

    SHA512

    89a6658b2194ac377330427d90ae84f8f75afd576534584c160e78d25c526a6c8d54135038826acf801129b1e142c27c4954e4cd268dec215c4d49a6d438f758

  • C:\Windows\system\sqwvTkK.exe

    Filesize

    5.9MB

    MD5

    86bc6566badd0f3e93dac5e6b8108b4c

    SHA1

    0e1238d5a88f09923fdbfd568e81c670b9732149

    SHA256

    0bca74c1888edc20839f6a70075493985f7af24e51381f253c82c22e40203381

    SHA512

    5815d6914c48f63e2399645586ba893b63647ab81254871815e39e6aafcd75b7e0ffdd2da39b24145f97a8076f36a760a95999e61805e2d9ac644e5331ee8ab2

  • C:\Windows\system\yMTEKPL.exe

    Filesize

    5.9MB

    MD5

    3ecbf30965117082b1420763c13be72a

    SHA1

    1df7b7b2d530f7cdd153fe7a80f1a3ce4196d929

    SHA256

    1bba64f786673a2ec212d8609a2d872905e01c4b8e2d6c3ec3f59237c4e17cc3

    SHA512

    b8db5c37fe60518b1eeea3907861fe0d7a2f38d037a81099b279227792d9eb2a93f3104a84f5fef03fb2a6227991acdf0d86c3e36456c702187ad135dd6d0714

  • \Windows\system\PmEygvH.exe

    Filesize

    5.9MB

    MD5

    fada61fc9948175a56bf39b490ef7c72

    SHA1

    fbc013ae5bb71e45e77409b0cb93d497dd98b3d0

    SHA256

    2f57e4101d580b2a866bb0aaa432b070784b60f7623fe82f4531f60362c9ade4

    SHA512

    26b442612aef830950a7c8f77d806e06f97317300f829864a32ccf68983afd9d8d5c5936c46a569ae73384b745babd956cae8039a489814fc4cac128e0a37250

  • \Windows\system\hSjGMDN.exe

    Filesize

    5.9MB

    MD5

    b6d6019b4d04ddc4d0891891ce9251a9

    SHA1

    3074578802488a69b88a618fcaef7cf00b41545e

    SHA256

    c6db8aabf5f75f4cf87b979dc89a741ff4fa747ecc5a7cf03c73f4bce16df4af

    SHA512

    fd296a49e0938c37ce1ca452c79e6a660bd1d78a4c4649c2fc743231d2f835ce0d02cce3319f0f3927e0f5ba907c26759097f44daace460ccfd4f0486c819ef9

  • memory/1552-132-0x000000013F190000-0x000000013F4E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1552-153-0x000000013F190000-0x000000013F4E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-135-0x000000013F130000-0x000000013F484000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-124-0x000000013F500000-0x000000013F854000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-17-0x0000000002320000-0x0000000002674000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-126-0x000000013F6E0000-0x000000013FA34000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-26-0x000000013F570000-0x000000013F8C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-28-0x000000013FD40000-0x0000000140094000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-133-0x000000013FE80000-0x00000001401D4000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-134-0x000000013F830000-0x000000013FB84000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-136-0x000000013FCC0000-0x0000000140014000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-130-0x000000013F9D0000-0x000000013FD24000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-128-0x0000000002320000-0x0000000002674000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-29-0x000000013FC50000-0x000000013FFA4000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-120-0x000000013FFB0000-0x0000000140304000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-0-0x000000013F130000-0x000000013F484000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-122-0x000000013F4F0000-0x000000013F844000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-138-0x000000013FFB0000-0x0000000140304000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-1-0x00000000000F0000-0x0000000000100000-memory.dmp

    Filesize

    64KB

  • memory/1908-139-0x000000013F500000-0x000000013F854000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-117-0x0000000002320000-0x0000000002674000-memory.dmp

    Filesize

    3.3MB

  • memory/1908-35-0x000000013FCC0000-0x0000000140014000-memory.dmp

    Filesize

    3.3MB

  • memory/1996-151-0x000000013F2B0000-0x000000013F604000-memory.dmp

    Filesize

    3.3MB

  • memory/1996-129-0x000000013F2B0000-0x000000013F604000-memory.dmp

    Filesize

    3.3MB

  • memory/2212-152-0x000000013F9D0000-0x000000013FD24000-memory.dmp

    Filesize

    3.3MB

  • memory/2212-131-0x000000013F9D0000-0x000000013FD24000-memory.dmp

    Filesize

    3.3MB

  • memory/2436-148-0x000000013F4F0000-0x000000013F844000-memory.dmp

    Filesize

    3.3MB

  • memory/2436-123-0x000000013F4F0000-0x000000013F844000-memory.dmp

    Filesize

    3.3MB

  • memory/2520-145-0x000000013F450000-0x000000013F7A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2520-118-0x000000013F450000-0x000000013F7A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2540-125-0x000000013F500000-0x000000013F854000-memory.dmp

    Filesize

    3.3MB

  • memory/2540-149-0x000000013F500000-0x000000013F854000-memory.dmp

    Filesize

    3.3MB

  • memory/2548-25-0x000000013FC50000-0x000000013FFA4000-memory.dmp

    Filesize

    3.3MB

  • memory/2548-140-0x000000013FC50000-0x000000013FFA4000-memory.dmp

    Filesize

    3.3MB

  • memory/2584-147-0x000000013F830000-0x000000013FB84000-memory.dmp

    Filesize

    3.3MB

  • memory/2584-119-0x000000013F830000-0x000000013FB84000-memory.dmp

    Filesize

    3.3MB

  • memory/2616-143-0x000000013FD40000-0x0000000140094000-memory.dmp

    Filesize

    3.3MB

  • memory/2616-30-0x000000013FD40000-0x0000000140094000-memory.dmp

    Filesize

    3.3MB

  • memory/2620-27-0x000000013F570000-0x000000013F8C4000-memory.dmp

    Filesize

    3.3MB

  • memory/2620-142-0x000000013F570000-0x000000013F8C4000-memory.dmp

    Filesize

    3.3MB

  • memory/2684-121-0x000000013FFB0000-0x0000000140304000-memory.dmp

    Filesize

    3.3MB

  • memory/2684-146-0x000000013FFB0000-0x0000000140304000-memory.dmp

    Filesize

    3.3MB

  • memory/2688-144-0x000000013FCC0000-0x0000000140014000-memory.dmp

    Filesize

    3.3MB

  • memory/2688-37-0x000000013FCC0000-0x0000000140014000-memory.dmp

    Filesize

    3.3MB

  • memory/2688-137-0x000000013FCC0000-0x0000000140014000-memory.dmp

    Filesize

    3.3MB

  • memory/2836-127-0x000000013F6E0000-0x000000013FA34000-memory.dmp

    Filesize

    3.3MB

  • memory/2836-150-0x000000013F6E0000-0x000000013FA34000-memory.dmp

    Filesize

    3.3MB

  • memory/2936-22-0x000000013F120000-0x000000013F474000-memory.dmp

    Filesize

    3.3MB

  • memory/2936-141-0x000000013F120000-0x000000013F474000-memory.dmp

    Filesize

    3.3MB