Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    06-06-2024 13:38

General

  • Target

    2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    461d66f0c7bc5054bdda0bc236311357

  • SHA1

    cd931cc6e4df3cfc16ec093f7214b66a1853ee4c

  • SHA256

    13c8a79a22d5034b55634ca96fa57030388a098a60dfc92e86a0613ed36f2206

  • SHA512

    ad87d022037e20cd16387e2c9b493238107878151a0f1ee311ae7f00aa1a9867df57a2f247a668b90674c71b08fdf697cc33e8b3e539b2b57eb63aac79846c91

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUv:Q+856utgpPF8u/7v

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 60 IoCs
  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 61 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-06_461d66f0c7bc5054bdda0bc236311357_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\System\mmXxoOd.exe
      C:\Windows\System\mmXxoOd.exe
      2⤵
      • Executes dropped EXE
      PID:2448
    • C:\Windows\System\sxdqqKL.exe
      C:\Windows\System\sxdqqKL.exe
      2⤵
      • Executes dropped EXE
      PID:3060
    • C:\Windows\System\UKqzrIy.exe
      C:\Windows\System\UKqzrIy.exe
      2⤵
      • Executes dropped EXE
      PID:2364
    • C:\Windows\System\tgHrTVp.exe
      C:\Windows\System\tgHrTVp.exe
      2⤵
      • Executes dropped EXE
      PID:2688
    • C:\Windows\System\cxQjHyC.exe
      C:\Windows\System\cxQjHyC.exe
      2⤵
      • Executes dropped EXE
      PID:1984
    • C:\Windows\System\EiVsqMF.exe
      C:\Windows\System\EiVsqMF.exe
      2⤵
      • Executes dropped EXE
      PID:2772
    • C:\Windows\System\WUWUxgI.exe
      C:\Windows\System\WUWUxgI.exe
      2⤵
      • Executes dropped EXE
      PID:2700
    • C:\Windows\System\THbRIZu.exe
      C:\Windows\System\THbRIZu.exe
      2⤵
      • Executes dropped EXE
      PID:2528
    • C:\Windows\System\bosoYWn.exe
      C:\Windows\System\bosoYWn.exe
      2⤵
      • Executes dropped EXE
      PID:3024
    • C:\Windows\System\hmQgHgq.exe
      C:\Windows\System\hmQgHgq.exe
      2⤵
      • Executes dropped EXE
      PID:2580
    • C:\Windows\System\cgxIHfA.exe
      C:\Windows\System\cgxIHfA.exe
      2⤵
      • Executes dropped EXE
      PID:2860
    • C:\Windows\System\BFSNONv.exe
      C:\Windows\System\BFSNONv.exe
      2⤵
      • Executes dropped EXE
      PID:2880
    • C:\Windows\System\NMGPfjJ.exe
      C:\Windows\System\NMGPfjJ.exe
      2⤵
      • Executes dropped EXE
      PID:2888
    • C:\Windows\System\pbugCEb.exe
      C:\Windows\System\pbugCEb.exe
      2⤵
      • Executes dropped EXE
      PID:2332
    • C:\Windows\System\tAZwzJE.exe
      C:\Windows\System\tAZwzJE.exe
      2⤵
      • Executes dropped EXE
      PID:1636
    • C:\Windows\System\rqHiGAa.exe
      C:\Windows\System\rqHiGAa.exe
      2⤵
      • Executes dropped EXE
      PID:768
    • C:\Windows\System\mEMcfVE.exe
      C:\Windows\System\mEMcfVE.exe
      2⤵
      • Executes dropped EXE
      PID:1576
    • C:\Windows\System\zfwUdqt.exe
      C:\Windows\System\zfwUdqt.exe
      2⤵
      • Executes dropped EXE
      PID:1460
    • C:\Windows\System\OtRjcdf.exe
      C:\Windows\System\OtRjcdf.exe
      2⤵
      • Executes dropped EXE
      PID:2520
    • C:\Windows\System\NjjZRYU.exe
      C:\Windows\System\NjjZRYU.exe
      2⤵
      • Executes dropped EXE
      PID:1824
    • C:\Windows\System\pOBsdCn.exe
      C:\Windows\System\pOBsdCn.exe
      2⤵
      • Executes dropped EXE
      PID:1308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\BFSNONv.exe

    Filesize

    5.9MB

    MD5

    79ad6eb0a524978d654bd7c073fa38e0

    SHA1

    07b096aaa76f7353aff74f1a59b524e0e87e832c

    SHA256

    269a8110647986e202e18d1493d9713abe3290af0d6cef13b4cf050ff54f76cf

    SHA512

    7ae5c188db73aee50b1122baef7ad5a1afa8a5e7aa15cd8bad5daa10c52fc4b1bc186807bd0a6ac611101fb56ad7da640f7c156155caacf3dfa798bd832188e0

  • C:\Windows\system\EiVsqMF.exe

    Filesize

    5.9MB

    MD5

    8770f865993e770f6a0032d4d2c046d2

    SHA1

    3714c50780c44f6a1e0e5d3399b5c3dfcd59a52e

    SHA256

    449b4a4189013e400b3c1de3a378ce2fb737a87eb781daf067df60c03f36211a

    SHA512

    0d93ce923ffdacaa8715af1ad481814ed380e308105f824bc2ef7056f27fb5fad079c6d6d836a844b757e970f9b479c9506894ace42ed54b261fa74a357c0b7e

  • C:\Windows\system\NjjZRYU.exe

    Filesize

    5.9MB

    MD5

    601bd8af8556b58d660db6a412767eb7

    SHA1

    b56a9f6b0f077a739709b9c4cf7d2b76bb5dfbdd

    SHA256

    154102f0f567b569dee145eb22c5f187f3ed2b227a0e30a0ae78cbd9eb3af4a1

    SHA512

    23242c14381262369052d13a97aab9994f6defcd967f219568b5452222f5e695683a41df8513cd50cdfd66288b0a4d39bed487d7e7c7a67514a05212ec3b5bac

  • C:\Windows\system\OtRjcdf.exe

    Filesize

    5.9MB

    MD5

    09b890779c3e886465f58b4f2686aa02

    SHA1

    8c680badbb6187e04ed08b3f19c5dc7bcac9463e

    SHA256

    b813551b8ed7d3c5c5213a7245012636c31fb954509fb1bee7364d4f80cf4a95

    SHA512

    09797f6fc560d136a08ff4bd0f49ea420fb98768dff13e25ebe4eb0fd4183f9a6306a41b86d75cf26e34cd56ee2efd457bc8aaafbab53e93b7a1f29f8a50b4e2

  • C:\Windows\system\UKqzrIy.exe

    Filesize

    5.9MB

    MD5

    524754471568355b633a3cd50c159417

    SHA1

    92e1f964986e1277d393c4ad2fe56125a2d886f2

    SHA256

    2389a471635e69e04ea0bde4e0f9f8a16149f458d7d7a1ad11352d9145b93fb4

    SHA512

    00617201262780056a908613f173a647ab4013d5d329ee097cfeea0d9bf33910d95dbacf285ea3aa38c283879b6710cd6673a26babce73496954f92cee1eef37

  • C:\Windows\system\cgxIHfA.exe

    Filesize

    5.9MB

    MD5

    5ff243d7cf8d120136360278ad83d710

    SHA1

    1a33b5f2105b1377a24a991e89aa635edada5acb

    SHA256

    6770c3773ba71103ebfab626fb1c2c49e27f6ef3e57fece645f656d14c6172f5

    SHA512

    605242c16e92749cb515da3c4dfa05b908dbdee9e1ee8c2eec0ee23d8bd07414f2228947e7bf5cde0824bb8a3548397bf3216593845a67e88c52cd829bcf0d2d

  • C:\Windows\system\mEMcfVE.exe

    Filesize

    5.9MB

    MD5

    37676825c1a194d99b5d0d1efee9ff9e

    SHA1

    3a14c4306d92797a3568b6733e8027191d73cbf1

    SHA256

    be6075318c75f25b0cd5e22e9d704152c088d4ab70d0d28c7effd29ba03fb16c

    SHA512

    0eb059c63ab1f862106db4faab589eaa64263888000c6675239b98c762444ec29a5fd64dc5f38989efc4e6dbaebdd7bb347093d8682f23e4edcd679e9c9f9409

  • C:\Windows\system\rqHiGAa.exe

    Filesize

    5.9MB

    MD5

    47aac041121e45327b9c259717454351

    SHA1

    b9fd0155751cce7237735a7fa21b5674cc97dcb6

    SHA256

    d3f32c59d305aaec13519e65e27e99092491456acd0a56728a88f91b0861d195

    SHA512

    6cd528693ffc1af48a04c3bcbb50edf6fe422a657e96dc313d68306dd8a4a69318a15566005f9e2eb43971526e37f9ad76dca0248ec539703255ace5c5cd91e8

  • C:\Windows\system\sxdqqKL.exe

    Filesize

    5.9MB

    MD5

    875defcc01609e8f936139baec22b0d3

    SHA1

    ed0650b5f4b24bb50d12a8bd4c7bd69ff62631a6

    SHA256

    74d4741833b1ded0a1053bf96675434d4fb9f563ef087ec25bbff6a890a6be64

    SHA512

    8d898749b07e78273395cd97ac67f928cd4987f1775eb1e73a10c90281bfe56920eb19f9b6f9b7d8b1fe5ff59d38e8a6fb997f8fd67485fd0e8ec81fe60d11ea

  • C:\Windows\system\tAZwzJE.exe

    Filesize

    5.9MB

    MD5

    9ec4c9ee325a8f81071fe859720afd41

    SHA1

    8109c34bf4b1566b9d8b24e8adf6adea7aa2d46a

    SHA256

    fa241e6097043def421b1be17bd0b92ef149056e50aa25d0d7887924743a6853

    SHA512

    93ec0f5f0ca7a7a7690c9e99209fa601334e08db7f9e906d68c6a22789eac1f26e7ec38f3feb3b09e20e13284d476e3301b2244b938285ef49e67f2b60fe00ab

  • C:\Windows\system\zfwUdqt.exe

    Filesize

    5.9MB

    MD5

    c485a447107b603bcc0f0dfb794b01d1

    SHA1

    e9352c708756828f8facafb34a47e052180ebf63

    SHA256

    3bbf70b4347a5cb6a8807e68b28515071aabba559ca6a81138134203e0d016b6

    SHA512

    d59c59da14c6dc55c0c46af19379d4f020172ee8087a43b4c0ed0bccd2a5ff188a0c6b3ab0347e78178dcf414c43f18ca151956e477042be772510439e4b4a8c

  • \Windows\system\NMGPfjJ.exe

    Filesize

    5.9MB

    MD5

    39b74d3a200f8f65e8f54aadb0911795

    SHA1

    bc6575b306e2472ba1a1619909d60bf09056e71b

    SHA256

    78382c9caa12b7fb683285bbf20ce788b151a229805dc353930b2c6da4c46ef1

    SHA512

    c259212d9328eeae1791b77f4dded11bd46e9881ef1fa2d9f36f15cbb995e9545ec101a1519d28a6e6a30758b92afafcce0859a2de521f5404b76192bb1e79a3

  • \Windows\system\THbRIZu.exe

    Filesize

    5.9MB

    MD5

    bd02c2d6bda6a5ee110124755e322aea

    SHA1

    0e490e4a9aed352decfc9cd3980239040df28257

    SHA256

    c4043e97aebdcecccb110b220a9d484bdb57f3addff2592fc5f1799bcff1506a

    SHA512

    83996caad3f3bb139b663b0dce1fef8726ea56427f86624266776c98e22c570ea8335c027b5b6977dce73e2f5131fe201b1b8f8e582030b7cdc002dfe54738e7

  • \Windows\system\WUWUxgI.exe

    Filesize

    5.9MB

    MD5

    296cc3b069cd30558ecac19c339353a5

    SHA1

    03545075c30c7d8cc7ac62b31366dc76aa1c42eb

    SHA256

    af5d5db2d5b79622bf4ca92c23537d10bcf7e096323fc335f5b0426364d0b11a

    SHA512

    7a9d2e4047a63c9eb60f7329c0316f9c016e6ac7ef6c5d6392b022393cad13f7a02d0dba7bf1da6603b535f1c75973005a928e1c4a2cc831f4dcd4ca04f401eb

  • \Windows\system\bosoYWn.exe

    Filesize

    5.9MB

    MD5

    ebfd2887dd669b6616b8c95cb9ee89ea

    SHA1

    9d4d75b430e388c3abd72787df5da40a2e34b770

    SHA256

    021f8a98c19b550e3fd0850fc041391440f18b3dac4b23e558e49ddf870110bd

    SHA512

    6fd16115dfa75a35edb1d51b3708bd8247da760fe11e27fddc0692c5dc7c5dda1802f38a7df5ccda5b67a714fbdea1126dbdb27454bf06793f0ea7be3e2b62ad

  • \Windows\system\cxQjHyC.exe

    Filesize

    5.9MB

    MD5

    6cbd0278b47db5232bbf8e0fa4db72b8

    SHA1

    050d8f4416732a34757be8981581cd6b7c39ee28

    SHA256

    13350f331d5cc3208336eb598848de370a674bbc4ace33281153f2fd1d308d1b

    SHA512

    09fdb783f21ffe1ee2ba8901e82286f57db331bf852db6912858b38068993c07a1c023e8d47c1a8c1396255e996c1ad8f89338c7c9d365a689b50939ba1e83e3

  • \Windows\system\hmQgHgq.exe

    Filesize

    5.9MB

    MD5

    895db499307793bcd16bb18b3cf3ad3a

    SHA1

    7a4300e4cb012c62ae0146a3ebfe602070d54b49

    SHA256

    e300efb613eca10f6e224a91961dca728f6aaff62cd1ff6a9098a9c3fb44f501

    SHA512

    ae4ff04c75df24c84bb1926aa4404c0ec11733a908e96e0804303940cbd7141f985babf884501a1ca40e2ca53458e220052ee98f52f6b971bea565dec2167415

  • \Windows\system\mmXxoOd.exe

    Filesize

    5.9MB

    MD5

    67fccfc30c4c0ce5505b4c060f97c91c

    SHA1

    d0f14133036f3b8c2ca41033d45012dee43622eb

    SHA256

    7eb9f2d0f616082045deb593d181a4bcb6fc9ffe41d92b10374dfd2bdbb1eeaa

    SHA512

    ab0664aa9ea877fa45c94834c9e6394fef901cff4b4c42eb51fad2aa45765e651a9f94e6088b025904cec386b89d97cc58bbec099e877403c903db5018b2c403

  • \Windows\system\pOBsdCn.exe

    Filesize

    5.9MB

    MD5

    ef5a7d4aef4f689f6012c92784cf16b3

    SHA1

    dc1b9ff2f7623829d579842dfffc55766bdfc417

    SHA256

    0fdbdb5e57920b5b0b12e81e666082335789f79f603111c530f5589f071a77f6

    SHA512

    8abee50f2490274aa52226cd34e466790fd51a7f3465acce666525e77c432dc15807778568345ad4f825716f020cdbef44e4d79404ca5a1bc9c955f8aeff5bc9

  • \Windows\system\pbugCEb.exe

    Filesize

    5.9MB

    MD5

    b4ba6844c27b86d934c0be43b0ddd311

    SHA1

    8bf1a5653618596d963171907e577c4ab898fb43

    SHA256

    6ce90a6bc1d9b1d1e9aef4fb0e30e23498e9407d3ea39f7e99cd9e394fdbbbd6

    SHA512

    0bd09c411b8f4cb58e2967d7806a88249461587f9e13e1a4d1738f1442de8bdd6ecabe581b56d39c6b907dd1def270cdb66c530f368c0a2fb44f30a37b728545

  • \Windows\system\tgHrTVp.exe

    Filesize

    5.9MB

    MD5

    09fb6b8af24dc421117b4fb5b37bbfd8

    SHA1

    8964b42edcf76de2bf6f9ceb66e6c1cc7bceb00a

    SHA256

    bbebf15642223a07a88f0d5cbc4e49b474faed2d218c5891fe98e6296e154937

    SHA512

    719d5572396497f5179f066d08d8943d4f4cb835860a1435cef8a1c37d4b21f1a73360b40b3d41fadc520618ef4e2eabb80b2498ec526a03214379ddf2cffb07

  • memory/1984-90-0x000000013F080000-0x000000013F3D4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-155-0x000000013F080000-0x000000013F3D4000-memory.dmp

    Filesize

    3.3MB

  • memory/1984-40-0x000000013F080000-0x000000013F3D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-42-0x0000000002300000-0x0000000002654000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-112-0x000000013F790000-0x000000013FAE4000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-1-0x0000000000080000-0x0000000000090000-memory.dmp

    Filesize

    64KB

  • memory/2052-60-0x000000013F790000-0x000000013FAE4000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-150-0x000000013FAF0000-0x000000013FE44000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-36-0x000000013FEF0000-0x0000000140244000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-148-0x000000013F050000-0x000000013F3A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-66-0x000000013F490000-0x000000013F7E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-146-0x000000013F180000-0x000000013F4D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-68-0x0000000002300000-0x0000000002654000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-41-0x0000000002300000-0x0000000002654000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-144-0x000000013FAB0000-0x000000013FE04000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-76-0x000000013FAB0000-0x000000013FE04000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-6-0x0000000002300000-0x0000000002654000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-0-0x000000013FEF0000-0x0000000140244000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-46-0x000000013F6C0000-0x000000013FA14000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-14-0x000000013F6C0000-0x000000013FA14000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-128-0x000000013F490000-0x000000013F7E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-19-0x0000000002300000-0x0000000002654000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-84-0x000000013F180000-0x000000013F4D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-113-0x000000013FAF0000-0x000000013FE44000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-31-0x000000013F080000-0x000000013F3D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-96-0x000000013F050000-0x000000013F3A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2052-95-0x0000000002300000-0x0000000002654000-memory.dmp

    Filesize

    3.3MB

  • memory/2364-153-0x000000013FC60000-0x000000013FFB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2364-21-0x000000013FC60000-0x000000013FFB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2364-65-0x000000013FC60000-0x000000013FFB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2448-43-0x000000013FBD0000-0x000000013FF24000-memory.dmp

    Filesize

    3.3MB

  • memory/2448-151-0x000000013FBD0000-0x000000013FF24000-memory.dmp

    Filesize

    3.3MB

  • memory/2448-11-0x000000013FBD0000-0x000000013FF24000-memory.dmp

    Filesize

    3.3MB

  • memory/2528-61-0x000000013F790000-0x000000013FAE4000-memory.dmp

    Filesize

    3.3MB

  • memory/2528-158-0x000000013F790000-0x000000013FAE4000-memory.dmp

    Filesize

    3.3MB

  • memory/2580-78-0x000000013FAB0000-0x000000013FE04000-memory.dmp

    Filesize

    3.3MB

  • memory/2580-145-0x000000013FAB0000-0x000000013FE04000-memory.dmp

    Filesize

    3.3MB

  • memory/2580-160-0x000000013FAB0000-0x000000013FE04000-memory.dmp

    Filesize

    3.3MB

  • memory/2688-154-0x000000013FF80000-0x00000001402D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2688-75-0x000000013FF80000-0x00000001402D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2688-29-0x000000013FF80000-0x00000001402D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2700-54-0x000000013FEA0000-0x00000001401F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2700-157-0x000000013FEA0000-0x00000001401F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2772-47-0x000000013FD00000-0x0000000140054000-memory.dmp

    Filesize

    3.3MB

  • memory/2772-156-0x000000013FD00000-0x0000000140054000-memory.dmp

    Filesize

    3.3MB

  • memory/2860-161-0x000000013F180000-0x000000013F4D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2860-85-0x000000013F180000-0x000000013F4D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2880-147-0x000000013F770000-0x000000013FAC4000-memory.dmp

    Filesize

    3.3MB

  • memory/2880-162-0x000000013F770000-0x000000013FAC4000-memory.dmp

    Filesize

    3.3MB

  • memory/2880-91-0x000000013F770000-0x000000013FAC4000-memory.dmp

    Filesize

    3.3MB

  • memory/2888-97-0x000000013F050000-0x000000013F3A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2888-149-0x000000013F050000-0x000000013F3A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2888-163-0x000000013F050000-0x000000013F3A4000-memory.dmp

    Filesize

    3.3MB

  • memory/3024-143-0x000000013F490000-0x000000013F7E4000-memory.dmp

    Filesize

    3.3MB

  • memory/3024-159-0x000000013F490000-0x000000013F7E4000-memory.dmp

    Filesize

    3.3MB

  • memory/3024-70-0x000000013F490000-0x000000013F7E4000-memory.dmp

    Filesize

    3.3MB

  • memory/3060-15-0x000000013F6C0000-0x000000013FA14000-memory.dmp

    Filesize

    3.3MB

  • memory/3060-52-0x000000013F6C0000-0x000000013FA14000-memory.dmp

    Filesize

    3.3MB

  • memory/3060-152-0x000000013F6C0000-0x000000013FA14000-memory.dmp

    Filesize

    3.3MB