Analysis

  • max time kernel
    140s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    28-06-2024 00:04

General

  • Target

    2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.9MB

  • MD5

    3afcde20958797e27d30b301afbb9dd9

  • SHA1

    3629e1e51a5af395ec54f83ddcda9fc7d44f04dc

  • SHA256

    7e0ad8c2d8110217e8130a8d6cba6fcd287672fb11fda49a0508d5cddde68777

  • SHA512

    bc3a4da74f20819b4c1518e38ded53bb122a9f2768f58a6a8bca20236f1b83ccf3113f39a4ff8fd1ed1411751a5c02b425faa8231794bbdb649408dc53270e3d

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUr:Q+856utgpPF8u/7r

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 21 IoCs
  • UPX dump on OEP (original entry point) 58 IoCs
  • XMRig Miner payload 63 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 58 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-27_3afcde20958797e27d30b301afbb9dd9_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Windows\System\AfIKQkq.exe
      C:\Windows\System\AfIKQkq.exe
      2⤵
      • Executes dropped EXE
      PID:2812
    • C:\Windows\System\lSkkmgx.exe
      C:\Windows\System\lSkkmgx.exe
      2⤵
      • Executes dropped EXE
      PID:2588
    • C:\Windows\System\rTlZodY.exe
      C:\Windows\System\rTlZodY.exe
      2⤵
      • Executes dropped EXE
      PID:2596
    • C:\Windows\System\RJpBvDA.exe
      C:\Windows\System\RJpBvDA.exe
      2⤵
      • Executes dropped EXE
      PID:2700
    • C:\Windows\System\ORJJRxU.exe
      C:\Windows\System\ORJJRxU.exe
      2⤵
      • Executes dropped EXE
      PID:2648
    • C:\Windows\System\SYqRnmI.exe
      C:\Windows\System\SYqRnmI.exe
      2⤵
      • Executes dropped EXE
      PID:2504
    • C:\Windows\System\YkPibec.exe
      C:\Windows\System\YkPibec.exe
      2⤵
      • Executes dropped EXE
      PID:2532
    • C:\Windows\System\DVUzMfy.exe
      C:\Windows\System\DVUzMfy.exe
      2⤵
      • Executes dropped EXE
      PID:2200
    • C:\Windows\System\UtJfWal.exe
      C:\Windows\System\UtJfWal.exe
      2⤵
      • Executes dropped EXE
      PID:2568
    • C:\Windows\System\DVwUCzH.exe
      C:\Windows\System\DVwUCzH.exe
      2⤵
      • Executes dropped EXE
      PID:2964
    • C:\Windows\System\vltasxn.exe
      C:\Windows\System\vltasxn.exe
      2⤵
      • Executes dropped EXE
      PID:1916
    • C:\Windows\System\ZTVtEEm.exe
      C:\Windows\System\ZTVtEEm.exe
      2⤵
      • Executes dropped EXE
      PID:1956
    • C:\Windows\System\LdnpXhe.exe
      C:\Windows\System\LdnpXhe.exe
      2⤵
      • Executes dropped EXE
      PID:2804
    • C:\Windows\System\NDCJOrc.exe
      C:\Windows\System\NDCJOrc.exe
      2⤵
      • Executes dropped EXE
      PID:2992
    • C:\Windows\System\BmsBCoH.exe
      C:\Windows\System\BmsBCoH.exe
      2⤵
      • Executes dropped EXE
      PID:3024
    • C:\Windows\System\HiwCTjN.exe
      C:\Windows\System\HiwCTjN.exe
      2⤵
      • Executes dropped EXE
      PID:1584
    • C:\Windows\System\UqQajjJ.exe
      C:\Windows\System\UqQajjJ.exe
      2⤵
      • Executes dropped EXE
      PID:1908
    • C:\Windows\System\xhskZQj.exe
      C:\Windows\System\xhskZQj.exe
      2⤵
      • Executes dropped EXE
      PID:2240
    • C:\Windows\System\qtQyqvo.exe
      C:\Windows\System\qtQyqvo.exe
      2⤵
      • Executes dropped EXE
      PID:276
    • C:\Windows\System\kauFuMH.exe
      C:\Windows\System\kauFuMH.exe
      2⤵
      • Executes dropped EXE
      PID:2780
    • C:\Windows\System\bmGZnOz.exe
      C:\Windows\System\bmGZnOz.exe
      2⤵
      • Executes dropped EXE
      PID:2796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\BmsBCoH.exe

    Filesize

    5.9MB

    MD5

    b517fbd02688684f67f164568452c3a8

    SHA1

    09a65321e4bac58b6183b3d49b1d71d28ecf9134

    SHA256

    86b97b11d1dfd069bc4ffdb211f7d4868fb1fb265767f01f7e908cb330eb0275

    SHA512

    f1f9c2327ff3fb0439b9eb4d79ab605868100f26b651b5ed6a2ae31e14d10e21aaf32205f2fa894c40180f21209c7e4b767e7045579fda29f7404a2736531e77

  • C:\Windows\system\DVUzMfy.exe

    Filesize

    5.9MB

    MD5

    2f31bfef7e3f4565e11e5298f68121fd

    SHA1

    c0680c23e6491d318afa44a8732b68c1e8b94e0e

    SHA256

    9a16d0ba26431c001d9e5a8fde1690359819e841e1c24a5551df956864b6e94b

    SHA512

    f39796bbe5b971cea200310d0192b63618232e5bb85a8b1abe87088acb3eb017f6fb760b112fce918ec0c15674aee9afaf80c7f440705f1587b5b85000e2a0d8

  • C:\Windows\system\DVwUCzH.exe

    Filesize

    5.9MB

    MD5

    aae1c3ad9ac20a1d1175a9ac586bc132

    SHA1

    6e53449e618869c75fbcd8e4cc34665c4442e680

    SHA256

    68083322c961fc026e0f23807dfff6aec5999c94cd7e0a7b261225c732d63b41

    SHA512

    8a8f95380cf083003aa1c1ed66a3f3c53901626aa0201420d248f83607bf78de74bbd81b8378bdb74f34a182f43957936f989f7fc4938e2469705b3d85c7e51a

  • C:\Windows\system\HiwCTjN.exe

    Filesize

    5.9MB

    MD5

    ddffddf3da95900c6d5f9c930fb0fb19

    SHA1

    cb1a527f0bb7b683537e72924e07368fb1762df9

    SHA256

    83c73eb0c3cef536f28333791b155a6c5af4c855d324ed8564d1cc1b78368050

    SHA512

    eb0e34e5e2e5c3617c28d6d7d32ff56607060493cb7a50042bd371019559edcfd61af2d98807218c267e9d7bd0ae54fbe86058feb900b5ffdd4232ba043bfe29

  • C:\Windows\system\NDCJOrc.exe

    Filesize

    5.9MB

    MD5

    4e86821d63c2a82491ae97921d40dc8f

    SHA1

    d087402e72b6fab9ed747f4eb7c2eaf39923404b

    SHA256

    5be8f78eb40817419fa1fb331dac4af871a6c7b2025cfb9c3b6c47f93c20c03d

    SHA512

    65c28f4008013eb57c8f77b833d05af7ec291fa1a8f67bb3c9f612a328f9745fe8d65d6a09e2eef31f666a8c7e00d3263f03178895c4141236b20c0e3cee2f37

  • C:\Windows\system\ORJJRxU.exe

    Filesize

    5.9MB

    MD5

    6ef5865916026df5ad8820ae718756d0

    SHA1

    322ee2e91ce2d41ee3df592b47656229eafe73e2

    SHA256

    1b62b9ca0d42d00988bb117918af8b7e6820cd16d4fb7b493932e61a7c98731b

    SHA512

    0afc94453bf8ac16e914aae856564cbbad4ff6c055830daddc9c8118e70b343989cc64606802ea6a6806303d40cec53d73f0e495246aeae1af07e06287057109

  • C:\Windows\system\RJpBvDA.exe

    Filesize

    5.9MB

    MD5

    d002aaba2bbec53adc84f44de2a67901

    SHA1

    3ce90c916f3aa2c69450d9b3915ef4a32278854a

    SHA256

    5d47ecd2b40e5f91b5c5edfcbdcf4019028fa5cdca31cfa4dd91fa22d28b9b01

    SHA512

    cd5e8d419e9a7d77057a247450fb56d560dd05516a6b31ae0fbdb49ef6d83f9e7f3af16f4645eface6d0b0feb0a51fd43ebf38fb89703154752961fb653fe767

  • C:\Windows\system\SYqRnmI.exe

    Filesize

    5.9MB

    MD5

    50680a4a5bf72d57aee49761c563b2ce

    SHA1

    fe43416f4e36903105a2e0746332599fd40e008a

    SHA256

    3ee0e56deb91617402a06510b706745e676355f34abba9eb772ef2d9aa3633d5

    SHA512

    1e0ee0943a34a1c8181e3ccb66dc8b8ff90d4a71f73ef372c7559e79205cf3e0957d892a31b56a5a93556651def0a55e44eb49516edbee8e1435270562198cac

  • C:\Windows\system\UqQajjJ.exe

    Filesize

    5.9MB

    MD5

    a9e767f35ea616867a204a767c9b8a5e

    SHA1

    0ba6e0b1d3c3a43ef75c6221337a4b9fb4cdc761

    SHA256

    f6dbbcf9010aeea7fd6186dc9a037ee8cd18849facba1968f3a048bd6d9838df

    SHA512

    05f40d0ed5ad2df3783a58a4d7ab55b65e6d545fba52640c9a1210dd6075ec64f23e46d40d7fd1eb25b0c4bccafb68d91114bec2743618ae7eb0d6504e497d4d

  • C:\Windows\system\UtJfWal.exe

    Filesize

    5.9MB

    MD5

    68cb329837d9525850082335e7b12e33

    SHA1

    ad692cccb2330f1a56602f20777de157c332cc15

    SHA256

    f6f6f67a7a4b6e4df7666fffc8adcd178849250a73d2be0d6c2fda6a9dee9915

    SHA512

    d809d99fb87dba1d97152c8745e3fb2dbd5ba5d97d666d256e304093865a3ed8cc799bf1c536cb901610dfabf5fed6bc607ef3bdc2a75d4274a85fee2d160c12

  • C:\Windows\system\YkPibec.exe

    Filesize

    5.9MB

    MD5

    03b27faaeeaec5e5f82efb616b9a6687

    SHA1

    00aebd9848719008e22416e3601040d1aba1fbca

    SHA256

    51434632f3b376b555ecfda8488dde7cb73a4dadd67092478306e93ba0323e17

    SHA512

    6223c3b699da528b07937d49cfc0732d109516a0604922a3667e41c32273472b6bc85e19b291510c8676885ec2c6067549c84ee928400a8d695362d41f37e19c

  • C:\Windows\system\kauFuMH.exe

    Filesize

    5.9MB

    MD5

    4088a1f998edd0e5fc004e1db9086375

    SHA1

    987e3c1d87d83b0cdf9b0701aa6896e91fe00f24

    SHA256

    c3e81740b0380276d18169ae866290eb70a677bd048706fa6dd6e6e9fdcda5cc

    SHA512

    109f533f4545c95bac0239acf45c80d8ae6dd46418ef66a2f1a67b705c7da02553279c1387572f18d05bc86e0de97b9177fce64c6dd4dc34e7a838ecb6402463

  • C:\Windows\system\qtQyqvo.exe

    Filesize

    5.9MB

    MD5

    367819c068575f8025139111563376d8

    SHA1

    602b45b0719ef99c07195b16bbd87c907df06b0d

    SHA256

    4125453cde213f0e39179b274002deeb450193014e5546e2792c556804bc7574

    SHA512

    1b8b4561baec060ae0bdc7ec657198b6e0e942db636e4bc8a0ea4cabe84e6adb1c0a9f7f6f6f0556e356f8b97d0810349bd43fea142f417723778ba693998b76

  • C:\Windows\system\xhskZQj.exe

    Filesize

    5.9MB

    MD5

    a9bf57423792668f10d9d046b2f11b65

    SHA1

    8476cdfb8496f796c5e2d37e7cee9214ad331855

    SHA256

    bd1859e326dc2ce8d5ede56adff2dc57f8e7bb15b9896d084f84fe70e24ef47a

    SHA512

    5d9953ef8f8bf12c42c809a10581a4536ac65965f9770e51b075489a8ea5a3aa5c5aa4ed579c8e0ec6cd786146ed1ca2e4a5ff9c3b0439b3ff20cc1e3b970ba9

  • \Windows\system\AfIKQkq.exe

    Filesize

    5.9MB

    MD5

    a6db5eb50ed8d24cb71292a6f2732398

    SHA1

    f65db97485c59d03277a229b957c99a84b6a8f93

    SHA256

    7ff7cdaa1f7ec5836328ad155558aac47e9821d4736e7b93aed71c6650913608

    SHA512

    af160d40a059c10f64dba978b1f4953dd7b001dff88377bda7224741ad874dd0d1a25301eff5299abb7e2d52151d4121f457dd4d1adae41c31adddcd7a148bc0

  • \Windows\system\LdnpXhe.exe

    Filesize

    5.9MB

    MD5

    be15b94b14e1fc6937d84ee4c9fc6fae

    SHA1

    29186b16ec020cfb18b3304247e3f1ddc4b2baf5

    SHA256

    07b350e44b12ee5e59b398426aa0bbf4547690710058d18af6ec0093a876772f

    SHA512

    e62295c5395c9d42ec7d7a7e3755f201b5b692ec01a6f2d6350f88add9c7b3031d37bd01a1bac6319c02075a476ac24ad818e4840de364ea095aedf229004918

  • \Windows\system\ZTVtEEm.exe

    Filesize

    5.9MB

    MD5

    c70332dd94b180e57b9ed632bc99f399

    SHA1

    218dba45d147e03cfbd3116c265d67edb778e6c6

    SHA256

    9b9fe60b4340d83ac622c7d3b4c057029e050159ee59446c4f1aaad11f717d3b

    SHA512

    816908c25fc848dca5056fe382b3ecacc6471e8bfe29ae1ba7aaab0583dca064986dd6131648c9e6cace076c0baa02168d2f3776ea060fe597c955cdfde54816

  • \Windows\system\bmGZnOz.exe

    Filesize

    5.9MB

    MD5

    625da2864aed8ffd76644ebcd8d4962a

    SHA1

    7acf60deea254c7d6b4432fc9610bbd1bc12d448

    SHA256

    ce29005612d42f6f4d912686cb938bdbbc122a10ab691efb6b975ea0d35d8317

    SHA512

    0512943e5933743fb0755c095977daf12df23ffe9506aa6d4ba7102bca1ff2d1e5ccc8c892c68981a0dc551919a4d82f6eaaa7d5ecaefe6a3d8a2d0cc5e4852c

  • \Windows\system\lSkkmgx.exe

    Filesize

    5.9MB

    MD5

    4b15ab14a5e348a227fd941223980dc1

    SHA1

    60613033e4848839ca4df24431c3eaac4dd43e89

    SHA256

    c970cc52e895ff624f42326938bb1ed3cd7d69a54bee0f351fcd8288fdbaa153

    SHA512

    da162a12d7375c6af6137a5c75ba4019c122bd121dda6fe2056a861bc952ff80ce452ca5c05b49a99ddc6502168a33c2e4b3ea3687a348f5ea3386f45de1a0b8

  • \Windows\system\rTlZodY.exe

    Filesize

    5.9MB

    MD5

    868ad2d6810b1ec16d62f3634b75d341

    SHA1

    469e5e3384b3a49cca4b63050009f08fc079bfb4

    SHA256

    914dfa62c57c36d4a64446df01fc20c75cec9a8b52534520031040c1b8868512

    SHA512

    b512bda4a5c4921a8544add35c22110a50402da7220fc211037307cf5b68af652ca6c7521cda3547ca852fae833b0c694acadb7437b1c68ba69ee380159cb7f8

  • \Windows\system\vltasxn.exe

    Filesize

    5.9MB

    MD5

    a4c23c7837c24f386b64c7a9338c76cc

    SHA1

    bcf132a27fe049d8de37575fd4a9b8397c6aa873

    SHA256

    e6dc0b948d32ee1c72b2d38696da178106c7385132e540204425c382463a0a4e

    SHA512

    ef9bdf093c2f264ee111ca3ebe9e5a783206ef8c58f4941d8520f847623fcefe15e192d6c8b9e7385a87be8485c6c4062c2371bb930d9c45f0fab5b3f986a510

  • memory/1380-38-0x0000000002230000-0x0000000002584000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-98-0x000000013F780000-0x000000013FAD4000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-138-0x0000000002230000-0x0000000002584000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-49-0x000000013F3C0000-0x000000013F714000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-0-0x000000013FE80000-0x00000001401D4000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-55-0x0000000002230000-0x0000000002584000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-141-0x000000013F780000-0x000000013FAD4000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-73-0x000000013FE80000-0x00000001401D4000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-31-0x000000013F9F0000-0x000000013FD44000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-15-0x000000013F220000-0x000000013F574000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-89-0x000000013F930000-0x000000013FC84000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-1-0x00000000003F0000-0x0000000000400000-memory.dmp

    Filesize

    64KB

  • memory/1380-142-0x000000013FAE0000-0x000000013FE34000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-6-0x0000000002230000-0x0000000002584000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-85-0x000000013F6B0000-0x000000013FA04000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-84-0x0000000002230000-0x0000000002584000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-20-0x000000013FA50000-0x000000013FDA4000-memory.dmp

    Filesize

    3.3MB

  • memory/1380-103-0x000000013FAE0000-0x000000013FE34000-memory.dmp

    Filesize

    3.3MB

  • memory/1916-153-0x000000013F6B0000-0x000000013FA04000-memory.dmp

    Filesize

    3.3MB

  • memory/1916-86-0x000000013F6B0000-0x000000013FA04000-memory.dmp

    Filesize

    3.3MB

  • memory/1956-154-0x000000013F930000-0x000000013FC84000-memory.dmp

    Filesize

    3.3MB

  • memory/1956-88-0x000000013F930000-0x000000013FC84000-memory.dmp

    Filesize

    3.3MB

  • memory/2200-139-0x000000013FE20000-0x0000000140174000-memory.dmp

    Filesize

    3.3MB

  • memory/2200-150-0x000000013FE20000-0x0000000140174000-memory.dmp

    Filesize

    3.3MB

  • memory/2200-56-0x000000013FE20000-0x0000000140174000-memory.dmp

    Filesize

    3.3MB

  • memory/2504-136-0x000000013FD20000-0x0000000140074000-memory.dmp

    Filesize

    3.3MB

  • memory/2504-147-0x000000013FD20000-0x0000000140074000-memory.dmp

    Filesize

    3.3MB

  • memory/2504-39-0x000000013FD20000-0x0000000140074000-memory.dmp

    Filesize

    3.3MB

  • memory/2532-149-0x000000013F3C0000-0x000000013F714000-memory.dmp

    Filesize

    3.3MB

  • memory/2532-50-0x000000013F3C0000-0x000000013F714000-memory.dmp

    Filesize

    3.3MB

  • memory/2568-82-0x000000013F260000-0x000000013F5B4000-memory.dmp

    Filesize

    3.3MB

  • memory/2568-151-0x000000013F260000-0x000000013F5B4000-memory.dmp

    Filesize

    3.3MB

  • memory/2588-143-0x000000013F220000-0x000000013F574000-memory.dmp

    Filesize

    3.3MB

  • memory/2588-17-0x000000013F220000-0x000000013F574000-memory.dmp

    Filesize

    3.3MB

  • memory/2596-27-0x000000013FA50000-0x000000013FDA4000-memory.dmp

    Filesize

    3.3MB

  • memory/2596-146-0x000000013FA50000-0x000000013FDA4000-memory.dmp

    Filesize

    3.3MB

  • memory/2596-135-0x000000013FA50000-0x000000013FDA4000-memory.dmp

    Filesize

    3.3MB

  • memory/2648-42-0x000000013FD60000-0x00000001400B4000-memory.dmp

    Filesize

    3.3MB

  • memory/2648-137-0x000000013FD60000-0x00000001400B4000-memory.dmp

    Filesize

    3.3MB

  • memory/2648-148-0x000000013FD60000-0x00000001400B4000-memory.dmp

    Filesize

    3.3MB

  • memory/2700-145-0x000000013F9F0000-0x000000013FD44000-memory.dmp

    Filesize

    3.3MB

  • memory/2700-35-0x000000013F9F0000-0x000000013FD44000-memory.dmp

    Filesize

    3.3MB

  • memory/2804-87-0x000000013FF00000-0x0000000140254000-memory.dmp

    Filesize

    3.3MB

  • memory/2804-155-0x000000013FF00000-0x0000000140254000-memory.dmp

    Filesize

    3.3MB

  • memory/2804-140-0x000000013FF00000-0x0000000140254000-memory.dmp

    Filesize

    3.3MB

  • memory/2812-144-0x000000013FD10000-0x0000000140064000-memory.dmp

    Filesize

    3.3MB

  • memory/2812-97-0x000000013FD10000-0x0000000140064000-memory.dmp

    Filesize

    3.3MB

  • memory/2812-14-0x000000013FD10000-0x0000000140064000-memory.dmp

    Filesize

    3.3MB

  • memory/2964-152-0x000000013FC60000-0x000000013FFB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2964-90-0x000000013FC60000-0x000000013FFB4000-memory.dmp

    Filesize

    3.3MB

  • memory/2992-99-0x000000013F780000-0x000000013FAD4000-memory.dmp

    Filesize

    3.3MB

  • memory/2992-156-0x000000013F780000-0x000000013FAD4000-memory.dmp

    Filesize

    3.3MB