Analysis

  • max time kernel
    130s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    08-06-2024 06:07

General

  • Target

    2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    e58bd8cc272fe174ed8fefb56d78818b

  • SHA1

    1fa316d3b0e2e854ab03d2279783df59c07b65b7

  • SHA256

    cddc5acf3291117c12d2349ce4c57a42113ab968aee274303dda47fac483b5e8

  • SHA512

    045ef6163abc57dea6eeddf90332868386ea08bed4263cc64cbe12756cd5b4677d0f2ceacd1920aeb85625786850ed92da20ef80395fd44acf8b05e158d09b45

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUf:Q+856utgpPF8u/7f

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 53 IoCs
  • XMRig Miner payload 56 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 53 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-08_e58bd8cc272fe174ed8fefb56d78818b_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\System\YkorbGt.exe
      C:\Windows\System\YkorbGt.exe
      2⤵
      • Executes dropped EXE
      PID:2076
    • C:\Windows\System\cJtPjQz.exe
      C:\Windows\System\cJtPjQz.exe
      2⤵
      • Executes dropped EXE
      PID:2628
    • C:\Windows\System\qwwYMPf.exe
      C:\Windows\System\qwwYMPf.exe
      2⤵
      • Executes dropped EXE
      PID:2424
    • C:\Windows\System\ApigdBf.exe
      C:\Windows\System\ApigdBf.exe
      2⤵
      • Executes dropped EXE
      PID:3064
    • C:\Windows\System\zNuuOXM.exe
      C:\Windows\System\zNuuOXM.exe
      2⤵
      • Executes dropped EXE
      PID:2608
    • C:\Windows\System\WYXObMa.exe
      C:\Windows\System\WYXObMa.exe
      2⤵
      • Executes dropped EXE
      PID:2456
    • C:\Windows\System\Oryvgmj.exe
      C:\Windows\System\Oryvgmj.exe
      2⤵
      • Executes dropped EXE
      PID:2340
    • C:\Windows\System\mSVytSq.exe
      C:\Windows\System\mSVytSq.exe
      2⤵
      • Executes dropped EXE
      PID:1540
    • C:\Windows\System\YFedHVP.exe
      C:\Windows\System\YFedHVP.exe
      2⤵
      • Executes dropped EXE
      PID:2660
    • C:\Windows\System\OhYrskX.exe
      C:\Windows\System\OhYrskX.exe
      2⤵
      • Executes dropped EXE
      PID:2380
    • C:\Windows\System\iEaWjDk.exe
      C:\Windows\System\iEaWjDk.exe
      2⤵
      • Executes dropped EXE
      PID:2332
    • C:\Windows\System\TwDNkmv.exe
      C:\Windows\System\TwDNkmv.exe
      2⤵
      • Executes dropped EXE
      PID:2376
    • C:\Windows\System\CGdOlhL.exe
      C:\Windows\System\CGdOlhL.exe
      2⤵
      • Executes dropped EXE
      PID:2800
    • C:\Windows\System\tPPkXiN.exe
      C:\Windows\System\tPPkXiN.exe
      2⤵
      • Executes dropped EXE
      PID:2944
    • C:\Windows\System\jTYuDih.exe
      C:\Windows\System\jTYuDih.exe
      2⤵
      • Executes dropped EXE
      PID:528
    • C:\Windows\System\lEyKKie.exe
      C:\Windows\System\lEyKKie.exe
      2⤵
      • Executes dropped EXE
      PID:2316
    • C:\Windows\System\sDNewBY.exe
      C:\Windows\System\sDNewBY.exe
      2⤵
      • Executes dropped EXE
      PID:760
    • C:\Windows\System\WSvWXzB.exe
      C:\Windows\System\WSvWXzB.exe
      2⤵
      • Executes dropped EXE
      PID:1320
    • C:\Windows\System\GBJKDlo.exe
      C:\Windows\System\GBJKDlo.exe
      2⤵
      • Executes dropped EXE
      PID:904
    • C:\Windows\System\KtgeVJD.exe
      C:\Windows\System\KtgeVJD.exe
      2⤵
      • Executes dropped EXE
      PID:1212
    • C:\Windows\System\GurRoZY.exe
      C:\Windows\System\GurRoZY.exe
      2⤵
      • Executes dropped EXE
      PID:1488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\CGdOlhL.exe

    Filesize

    5.9MB

    MD5

    276785e568b844d82150d425eceb18da

    SHA1

    563112ada8b15e962c8a1ae61a2263afef6ca522

    SHA256

    6b9b71e16158e9f3010ba33f940b25c7733eaa4a4d8394c27ddab79000effb33

    SHA512

    8a4462abaf0f990c418f46a15d71a0f632dc13263c4bf512953dcf07c4c172563a4bc93d35d57bf04e0b701add44da742ebee03449d2d2817012c51ab54f5a20

  • C:\Windows\system\GBJKDlo.exe

    Filesize

    5.9MB

    MD5

    3108fed557071babf15a1973e3f56d5d

    SHA1

    0b3acbbf5026420fb0b27ece0c3f8c76f15ef72c

    SHA256

    67d64a31831e3862170117089fc34b788f15d14fd555b21109de87b0e07a1ab1

    SHA512

    4760a487da110b2d93a378202ff5e9981c80833a38807e8c1616fec83c48701c9f89fb6b022d44709ce80a0de9e11ba6a6155939ac37a7183967dbf18e840b07

  • C:\Windows\system\GurRoZY.exe

    Filesize

    5.9MB

    MD5

    b88f79ee613302e97079eea6c4035f6b

    SHA1

    8ff33c43c86eb8c95175037bb5d146a7d106fd12

    SHA256

    70378b72a88300801d498b3499922a9ab841a55da5e71bbbd12f2e58773fb6ec

    SHA512

    e446ccbd2a6560b82fa572ae7e54322b7331e46235a6306834eb56e13dc5f6360ea285dabd69972f77b05678f70d21b8bb805b703c96232d26662d737bd78449

  • C:\Windows\system\KtgeVJD.exe

    Filesize

    5.9MB

    MD5

    7d1166941b20222674bb4ad14b70c655

    SHA1

    fccde62356efd30216042d9cc8e97114a259111c

    SHA256

    5b19e3f9b5ad2cb34de1da57334cdfe1c68ebf461f6bf1a38a484a15269490ea

    SHA512

    c1f8baaa3c33cfec26008841b8e71478eedee41d07ad7f1d9d8d882d8a982ab4b2be50ac9020537d1ce5704a1a4a0ed31a280e369d14f1a5c5bf7c31b859fb4c

  • C:\Windows\system\Oryvgmj.exe

    Filesize

    5.9MB

    MD5

    777e7656c5656f074379a6fbf57e5fcd

    SHA1

    2fd2caaca2a824bec386f7c640207ac9552c5648

    SHA256

    64431f64a554b9316c50c4ad5e344ab7a929fdd9006269d165c466c930530b4a

    SHA512

    05e77a9415c134b0f43dea7e10d3f386b1091143f9099956d3383f37cb50afd21d7201b0d3e401b96378f71642bf5e2db128dcfaa8d0d71fd4707ffc41ab820b

  • C:\Windows\system\WYXObMa.exe

    Filesize

    5.9MB

    MD5

    428f0d7edf6f6ed798d59f75b158cbcd

    SHA1

    2c3a826ac12140658b38a67fec550cad53cda311

    SHA256

    a0de8e02f5e661cc587ff9992c37b0f1db77889e44b07c14cb61f36cdf00fa33

    SHA512

    1c48d9235f72d27d7ba8500998e9dc61ab248acbb280e0cde5fc5425e174b9d9e1f9378f9a9888f9ae74b5d5fb982752d3f2593a1583b2a448b38a2f889d0b79

  • C:\Windows\system\YFedHVP.exe

    Filesize

    5.9MB

    MD5

    f063072dd34d2122e22eca3ba1475ecc

    SHA1

    c21eb731b430c31791edb87a0d243b754e0d5c11

    SHA256

    8298e62a19ecb06bac706a27fd12857b1f27e3ed25a1d2d3c9db52a058935b8c

    SHA512

    81d7dc1898436a61c766b02895dc9406f56694b0548f61177967bb779152a1603c167b58220bb3189df27d292f80a77e52e97bfc41200d6df60624661ba7e716

  • C:\Windows\system\YkorbGt.exe

    Filesize

    5.9MB

    MD5

    646f16b26ea9eca4f4afce3133d19778

    SHA1

    06d3ec494ceb53790110c0b35ee19baa57003152

    SHA256

    337c3dd73fcea860d8b04097c3ae08b22029857a4fd338e751a0477f6aa7d871

    SHA512

    f46a769c9410703d67bff46be530301cfcaf126868a15889dd403ebf126f3d5c32fc8b6fe5bbd1da13b380085f210a461b6b5d2b119a72b121127f66ced97ff3

  • C:\Windows\system\cJtPjQz.exe

    Filesize

    5.9MB

    MD5

    a2900bbd2cc238f6248d1af2aa048702

    SHA1

    a9b7b31cca27479222d8e35a2f8fa19a91713943

    SHA256

    981bd95330372cc41563896aa6d48a1b399e34783cd2ad8a4d1ee7d667e2bc84

    SHA512

    7770e4d6b0e648b190f0dc177fbcf67ab48c9acc3be9b8222b713e48071cf23a0e7bb89e922ff3d2ee507dca26327dc42cc913a1effb1338aacf7fe87ff02541

  • C:\Windows\system\iEaWjDk.exe

    Filesize

    5.9MB

    MD5

    8e38e2599c957f624dc72cc2594a9fc9

    SHA1

    9e64104bec2306057333719f92f6fe701e3d1c13

    SHA256

    a124fe55446bf4a6eedcae62ffdadb34b5903f8755e3c8627db4a83ee41b35e2

    SHA512

    f0adc49b6c6f4a4e27f8c4f8bcd64dea7823d32e25c622705c670c80b4708c43076a43c78d5bdd193749ba5b5c12e1e62babe8e9391e9568adac14f028fe31a9

  • C:\Windows\system\jTYuDih.exe

    Filesize

    5.9MB

    MD5

    b5bd43b896a26ec72b8ee4297c426a12

    SHA1

    b14b1b820e0a5ddcbbb9a5eca9ea9973f86da148

    SHA256

    32bba546ed66fc9723b4d24603e3355992c05403fc5085bc0d132cdd83c47f98

    SHA512

    44e66aab0752c7451c8e6df09d2de83dfd6d924e75683360f3ec6339275a60672cd9cd7887f710776809220c3cd84bae436e802d822f9acfc00af4f8a375e7f5

  • C:\Windows\system\qwwYMPf.exe

    Filesize

    5.9MB

    MD5

    54043bbe9d01fc2953739ac561d5f13d

    SHA1

    14c8cd8dbd940b082772afebc2afc54521db3a04

    SHA256

    ca00d5018836c1860de24947b34b72f0d7fb4843c4ee07bbb88b9602afbeeca6

    SHA512

    e781510d3cda8bd74cbf4a9326b2f4dec807ce5c45107e72f3107ec5d405b5ed61d9078854319606c687fb2c300d86cbf9c66d4a2249717098c05d2efda51ede

  • C:\Windows\system\sDNewBY.exe

    Filesize

    5.9MB

    MD5

    48f5815f0a41668972ce1edb5123bb37

    SHA1

    2c1a08124c5794ea58fccd8a97cd7b929fb9b1d6

    SHA256

    2c0326b0c03b0026c25fe03ab3ba97832154a775b092e465daef39ff21a008ac

    SHA512

    763dcc0c1fc9f4ebe38ea904ee1d79914dcf075aab617a1dd714241d4dabb491abb6e10cc46be9a8e9bf43609bbf3ae8ddb215d989902463e1c08288379c11f0

  • C:\Windows\system\zNuuOXM.exe

    Filesize

    5.9MB

    MD5

    d6a250463a155a60c95a7d7adb9504fd

    SHA1

    30901294a03f14fa7f085a4d3e6945a255312fe6

    SHA256

    f7e5b476aec10a14684a651b5a9d99b3687cbf24708790193301499dcb99894d

    SHA512

    5f57e34282addcf0d1b9b165f53bf4d7984f0f369a52da313bb58ea414eb9afa67e4c2637b134c123d11cd644951e08d581ce9c07ab1ee465040867c53e2d7ab

  • \Windows\system\ApigdBf.exe

    Filesize

    5.9MB

    MD5

    83e3a8bf4d41651c7a5d6408dfcd22d8

    SHA1

    d1aaa7e090b72c84c825e7efc291427498b20f2e

    SHA256

    b70e56832fe7e39da4f8c0791c2c7c6eeeddc874d0c07288df0d8e39c2d987f4

    SHA512

    80b28d48b0134ffc1c9fd49f3f6f43083ab2ace0e8f70e90cc9a111c5f4e5b6c5cafd62ecdb592e61cee9b080949ac87217ddf39590e01b5cf97b9b1d595efe4

  • \Windows\system\OhYrskX.exe

    Filesize

    5.9MB

    MD5

    747086e78209f05943bf3910ff579dda

    SHA1

    087e1a813b9efc38e1aa67870f668472f745fa2c

    SHA256

    3806fbcf55c2556b529ab1e15ee9d8d2614f070bf728df237bd667b8de17bb55

    SHA512

    6207532ac3e0797840e0f2d7a4512b5e95d3031bd2fb095904dfb7432ee04f4f61c41d8a703d83115f479e4459d2442003344b2c0a9fd5ed55151b8e7727668d

  • \Windows\system\TwDNkmv.exe

    Filesize

    5.9MB

    MD5

    6b487c5d8301816f994156859cbcc918

    SHA1

    e4ec67171a68c8d2865fc7cb5d231437e2dc0dc1

    SHA256

    71e0e2d45cea6b5a9198bb6b6a55a7b42eb4640036bfc6deb31fc64432bb1663

    SHA512

    aec0d9a4e68aa0c94b5c9a57d992af29e17309c5fc34cee3943025e291d70cf2571af954e3a989b6ce35c59441fa51116605cb3b4943be9b3a7f8ccd2a474216

  • \Windows\system\WSvWXzB.exe

    Filesize

    5.9MB

    MD5

    cecc25eeabe773e63b558a690deb3209

    SHA1

    f63f1186b8c9eee571f2359a458670338ea8f983

    SHA256

    54f0f5486c0d920a737fba3f69d384d38049fe17580ddc97028f0fe81482df26

    SHA512

    534fad44e5fdcbfdd63c3f7100c7cb12fc912c13bf578c47cb1796bdb3d8dfc6d915caea6b3d9dfe0b1d251dab3e999dc926753078d1cb6f6f315e0f99c54d7b

  • \Windows\system\lEyKKie.exe

    Filesize

    5.9MB

    MD5

    09459679c80159947bc92016e3a1f5c8

    SHA1

    a023e474f3a51d057f2ce999375a9eff9776df0d

    SHA256

    b204431d57adfa2d50135c187c2b5f1cea72c0b2301f3657bdea7bf9e62ad453

    SHA512

    ecc951139b846441352e4ff8dd8b20a1277df77896b7e5b7876fff9f71c16f5124d42dd4455f9362d85902482c18a7dadb2672858cec9ec7bceabb8bd1b0f85a

  • \Windows\system\mSVytSq.exe

    Filesize

    5.9MB

    MD5

    a64e1b62c39beabc23a06dceaa3b8ff0

    SHA1

    68eb70a7d56b54be3c456063c8187a0681305604

    SHA256

    44236950283c421872b013aca49e6cad3151b841607fb3e476dae0dc5605afb5

    SHA512

    9835983a414a4038ca85d91964d6a400b09dad20b4bd91b31ef734adc6010998d79f52829e7dbc95d1ed87d233d8ab3f07de73e7fdc17b7b8c26ab6bce6bbea1

  • \Windows\system\tPPkXiN.exe

    Filesize

    5.9MB

    MD5

    89477a9ffee171680181c9af5c77f216

    SHA1

    fffb9c70357d871ed7b32e49b0dd067ff1923407

    SHA256

    39d9c2e01a9ad0b299dffb0549ed9041afcaec78cb3810a49413ac2b51538836

    SHA512

    dcb63469c67149b8dd4e9f97db16233362875e4b33898bbdc2cb6e8e04e47957a8e500df068942b91ce336359e2afff07948add2826b6d2f43ecb31e9b6b048c

  • memory/528-93-0x000000013FBF0000-0x000000013FF44000-memory.dmp

    Filesize

    3.3MB

  • memory/528-151-0x000000013FBF0000-0x000000013FF44000-memory.dmp

    Filesize

    3.3MB

  • memory/528-139-0x000000013FBF0000-0x000000013FF44000-memory.dmp

    Filesize

    3.3MB

  • memory/760-152-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

    Filesize

    3.3MB

  • memory/760-114-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

    Filesize

    3.3MB

  • memory/760-142-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-80-0x000000013F140000-0x000000013F494000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-75-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-89-0x0000000002270000-0x00000000025C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-12-0x0000000002270000-0x00000000025C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-95-0x000000013FD80000-0x00000001400D4000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-109-0x000000013FA30000-0x000000013FD84000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-105-0x000000013FBF0000-0x000000013FF44000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-113-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-84-0x0000000002270000-0x00000000025C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-104-0x000000013FF60000-0x00000001402B4000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-38-0x0000000002270000-0x00000000025C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-140-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-14-0x0000000002270000-0x00000000025C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-0-0x000000013F510000-0x000000013F864000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-22-0x000000013F0E0000-0x000000013F434000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-55-0x000000013F510000-0x000000013F864000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-1-0x00000000001F0000-0x0000000000200000-memory.dmp

    Filesize

    64KB

  • memory/1056-43-0x0000000002270000-0x00000000025C4000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-42-0x000000013F1B0000-0x000000013F504000-memory.dmp

    Filesize

    3.3MB

  • memory/1056-25-0x0000000002270000-0x00000000025C4000-memory.dmp

    Filesize

    3.3MB

  • memory/2076-21-0x000000013F600000-0x000000013F954000-memory.dmp

    Filesize

    3.3MB

  • memory/2076-143-0x000000013F600000-0x000000013F954000-memory.dmp

    Filesize

    3.3MB

  • memory/2332-70-0x000000013F740000-0x000000013FA94000-memory.dmp

    Filesize

    3.3MB

  • memory/2332-153-0x000000013F740000-0x000000013FA94000-memory.dmp

    Filesize

    3.3MB

  • memory/2332-137-0x000000013F740000-0x000000013FA94000-memory.dmp

    Filesize

    3.3MB

  • memory/2340-58-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2340-148-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

    Filesize

    3.3MB

  • memory/2424-23-0x000000013F0E0000-0x000000013F434000-memory.dmp

    Filesize

    3.3MB

  • memory/2424-145-0x000000013F0E0000-0x000000013F434000-memory.dmp

    Filesize

    3.3MB

  • memory/2456-66-0x000000013F1B0000-0x000000013F504000-memory.dmp

    Filesize

    3.3MB

  • memory/2456-149-0x000000013F1B0000-0x000000013F504000-memory.dmp

    Filesize

    3.3MB

  • memory/2608-147-0x000000013F5B0000-0x000000013F904000-memory.dmp

    Filesize

    3.3MB

  • memory/2608-40-0x000000013F5B0000-0x000000013F904000-memory.dmp

    Filesize

    3.3MB

  • memory/2628-144-0x000000013F250000-0x000000013F5A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2628-18-0x000000013F250000-0x000000013F5A4000-memory.dmp

    Filesize

    3.3MB

  • memory/2660-138-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2660-79-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2660-150-0x000000013F090000-0x000000013F3E4000-memory.dmp

    Filesize

    3.3MB

  • memory/2800-141-0x000000013FD80000-0x00000001400D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2800-101-0x000000013FD80000-0x00000001400D4000-memory.dmp

    Filesize

    3.3MB

  • memory/2800-154-0x000000013FD80000-0x00000001400D4000-memory.dmp

    Filesize

    3.3MB

  • memory/3064-146-0x000000013F4B0000-0x000000013F804000-memory.dmp

    Filesize

    3.3MB

  • memory/3064-136-0x000000013F4B0000-0x000000013F804000-memory.dmp

    Filesize

    3.3MB

  • memory/3064-29-0x000000013F4B0000-0x000000013F804000-memory.dmp

    Filesize

    3.3MB