Analysis

  • max time kernel
    142s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    07-08-2024 21:47

General

  • Target

    2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    fba34cf4973da0b771605f9dd845a1d3

  • SHA1

    a739a3d2e47c9154670e5b76ca2f27a2abd30fcf

  • SHA256

    de9bad680e02891cedcc3fbd0cd11d8bb088f17481020dd52b4d5d6af58bf6cd

  • SHA512

    61e61bb42dbbbd8500547e8e6e4ab3a3cf811e2f4681d72ad1ab114e9d891334750079eb5fdc0d19cd32fc5acd2c04043a4c27764d54004b4d494e90a5d6fe29

  • SSDEEP

    49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lE:RWWBibf56utgpPFotBER/mQ32lU4

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 37 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 60 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\System\GCZPhhx.exe
      C:\Windows\System\GCZPhhx.exe
      2⤵
      • Executes dropped EXE
      PID:2664
    • C:\Windows\System\asJxJsN.exe
      C:\Windows\System\asJxJsN.exe
      2⤵
      • Executes dropped EXE
      PID:2808
    • C:\Windows\System\Ulouvvt.exe
      C:\Windows\System\Ulouvvt.exe
      2⤵
      • Executes dropped EXE
      PID:2708
    • C:\Windows\System\tlnylwz.exe
      C:\Windows\System\tlnylwz.exe
      2⤵
      • Executes dropped EXE
      PID:2764
    • C:\Windows\System\DjemAUK.exe
      C:\Windows\System\DjemAUK.exe
      2⤵
      • Executes dropped EXE
      PID:2872
    • C:\Windows\System\bPwgeWz.exe
      C:\Windows\System\bPwgeWz.exe
      2⤵
      • Executes dropped EXE
      PID:2172
    • C:\Windows\System\KZnJwtN.exe
      C:\Windows\System\KZnJwtN.exe
      2⤵
      • Executes dropped EXE
      PID:2556
    • C:\Windows\System\hwsoDlA.exe
      C:\Windows\System\hwsoDlA.exe
      2⤵
      • Executes dropped EXE
      PID:2604
    • C:\Windows\System\BLXYJgY.exe
      C:\Windows\System\BLXYJgY.exe
      2⤵
      • Executes dropped EXE
      PID:2532
    • C:\Windows\System\NJDvNsZ.exe
      C:\Windows\System\NJDvNsZ.exe
      2⤵
      • Executes dropped EXE
      PID:3036
    • C:\Windows\System\vPyMEIZ.exe
      C:\Windows\System\vPyMEIZ.exe
      2⤵
      • Executes dropped EXE
      PID:3056
    • C:\Windows\System\ipHImRk.exe
      C:\Windows\System\ipHImRk.exe
      2⤵
      • Executes dropped EXE
      PID:636
    • C:\Windows\System\SnAkFQI.exe
      C:\Windows\System\SnAkFQI.exe
      2⤵
      • Executes dropped EXE
      PID:2888
    • C:\Windows\System\loRsXEs.exe
      C:\Windows\System\loRsXEs.exe
      2⤵
      • Executes dropped EXE
      PID:2912
    • C:\Windows\System\EtlwrkE.exe
      C:\Windows\System\EtlwrkE.exe
      2⤵
      • Executes dropped EXE
      PID:3008
    • C:\Windows\System\wwoHycb.exe
      C:\Windows\System\wwoHycb.exe
      2⤵
      • Executes dropped EXE
      PID:2156
    • C:\Windows\System\OySaTXJ.exe
      C:\Windows\System\OySaTXJ.exe
      2⤵
      • Executes dropped EXE
      PID:2836
    • C:\Windows\System\VDAWoBo.exe
      C:\Windows\System\VDAWoBo.exe
      2⤵
      • Executes dropped EXE
      PID:2656
    • C:\Windows\System\oQOswPx.exe
      C:\Windows\System\oQOswPx.exe
      2⤵
      • Executes dropped EXE
      PID:1716
    • C:\Windows\System\faikVMY.exe
      C:\Windows\System\faikVMY.exe
      2⤵
      • Executes dropped EXE
      PID:1616
    • C:\Windows\System\cLIUFQt.exe
      C:\Windows\System\cLIUFQt.exe
      2⤵
      • Executes dropped EXE
      PID:2360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\DjemAUK.exe

    Filesize

    5.2MB

    MD5

    301deb742e25d53c1e4160bf758424ea

    SHA1

    1bd327f1b1fe4c625f93686b7f4a669ff5a98b7c

    SHA256

    fa6e10c6f7ba7910c8791a485caa79983c86b0640d0ac0203898fb094c605911

    SHA512

    74b2c88acc4bbb88ea6a4aefb1dcd36d6311e8bf83fd7e6f3c18233a3f3b4c9425a6d5b933e261c7e456068c55ce8dfc723b89bbc453fa11ae46af3aeaa8429f

  • C:\Windows\system\EtlwrkE.exe

    Filesize

    5.2MB

    MD5

    2d13e88985e10c6ad036908c6ae59b31

    SHA1

    002e1fbd8741ce5a1dd12f73f42f01e33e576a19

    SHA256

    f5e8c0a4eca72bdd09cd5c120741e6f4eef9d051da18cb34a525951e2315d75d

    SHA512

    916b3adebb2a5072e00a7a4d1d1012dce7e9a41b6552ab9b85d3c4d86820b0e1d8aba0662dd9b27d994b59cff8c25a45d9c04e2fe5c8df653eda32aa83e30954

  • C:\Windows\system\GCZPhhx.exe

    Filesize

    5.2MB

    MD5

    4b2d2eb532cfb0b879fb04ce0e3c5a75

    SHA1

    28c72391744f094e8e6affe381eb95824d189b66

    SHA256

    7af48cccdacf7e17ab88a4f7ed0b86470f2428d97c3460600b81be8959fc12fa

    SHA512

    a18bf4573919a97cacc23232c44e880ec5467efc47fc71dcc0ca8ad09920adbedbd3b7975385f2b57c7ca8ab5a8314b1e609ec35033d2a1847cb93000b351a1c

  • C:\Windows\system\KZnJwtN.exe

    Filesize

    5.2MB

    MD5

    fa35d567a4ee924b68aec4c2777d9516

    SHA1

    4469ac3ce8a546418faae4ab6a07862dd3bdb178

    SHA256

    f7652e6471c64c8434453854117a5b719141fff2d2d34bb986ffd3a2b1883c2a

    SHA512

    f42a130724e8a3fcf4a73f221878e4217672593c89390ee9c2b0b26d70d2a7cbcf48238a7e4b07367aeceb026904b5bf6b895a4af86b01c4efeafe7e886a384c

  • C:\Windows\system\OySaTXJ.exe

    Filesize

    5.2MB

    MD5

    dabc9787818df944141cf4eb490c24f6

    SHA1

    8c8577e84bb87ad3da88ceaee208a44c36f5c075

    SHA256

    f2283f372b62d8b59253f09eebefec127114074b70f0e11260c4f7e6b710bdfc

    SHA512

    7e02cb7a31339cd9767958e4bbfc33c9c2f0c841dfcaad51ee5087a36333087c8df35126d876bf88f316e9ab5f9706799311f9a752673a757486482b741e53ce

  • C:\Windows\system\Ulouvvt.exe

    Filesize

    5.2MB

    MD5

    952d498252f8b7f38947828cf86842ad

    SHA1

    d0c54d4636b04e245fd45916f3bc5ad7d99ee73c

    SHA256

    eda408c41d618fe570309ab0b5dbdc8130d0b73c746425f09d2a2fab64644cc7

    SHA512

    42e566d9de3b8cfbbbfd9cec5c3a2d153e6e238300cb20c95ebc95b8c9621e41b6c4df50f614bf30a3961f70fa4044436c61081d150209c98495f2959fa049a8

  • C:\Windows\system\asJxJsN.exe

    Filesize

    5.2MB

    MD5

    3a362e7a2b8694ce0d74174127d185f9

    SHA1

    cab16443d264ed5a1ee719c774b9dea00934be13

    SHA256

    4a8cbec33ebc8e9389f5ce85349418b2af51ad834c69af783deb4442d520ff13

    SHA512

    2475fba8fcce78586a8ffff271f1a4c8de6492802e1704780bc7c5b041559c8e79c81d278c543739b17294163559c32c7d7cf25a26a1c907d98aaa9c76fff6e7

  • C:\Windows\system\cLIUFQt.exe

    Filesize

    5.2MB

    MD5

    15752b24422404316c5020ad28004880

    SHA1

    2aefb465f5e3a2c89f14b5f12db46ba59fbac49a

    SHA256

    7635d32c161132fe9f9de33832f878942ba5f32a2480db7c064fd39d18d2ab2f

    SHA512

    22da87fdd2ce7a41f6e856b61c8547fec8aaf080617a0028521e5898106eb51570800e55f4f796ef80a71477f9e84bcbf698b9884fe563ef111edc28b4234195

  • C:\Windows\system\oQOswPx.exe

    Filesize

    5.2MB

    MD5

    66130f00482bac899b26a32bf837fbed

    SHA1

    5450fa305cdf2cfcf1d77d1b56fd11d4c6cdcaf4

    SHA256

    a625e8b3e835146eb67b260f8761e3b6a200bbcb1281f7a05575d778aa60462d

    SHA512

    6f098119147730cfe1c30b30701240922bf287ffcc886de881b24f6942d0da5d92777d12e35efb8f3ef11c3268938a188290f1836486546c72bafaf64bef50f9

  • C:\Windows\system\wwoHycb.exe

    Filesize

    5.2MB

    MD5

    bf580d2d1a9f128c49b8ff69ea7c47b8

    SHA1

    69397f7c5936c2d58be955900747c1c79bb16b10

    SHA256

    5929ea534f7ad4a3ece2f746693a3b46811e2a3a262ac3fb39d7dd6bc3c95275

    SHA512

    08c8335e7476e19707e6e441c7e717630fcc986dbe0ab9c4bdd14a0acc9b21525c2d3e4ca613d0abf4c3c916da47fdfe28f179ccdfff03569ab84f068345c75e

  • \Windows\system\BLXYJgY.exe

    Filesize

    5.2MB

    MD5

    afc553fa36742eccadc61ba14feefc86

    SHA1

    228253f2b44d48387c6b3c83f607f561438af528

    SHA256

    0d54ff0ce37ebc17911debd00296754cec1fe3f7b8b82c3f92b3a947f93a581a

    SHA512

    80221d57f215bb028eed3b630e50f9aa83be68f39632e6433358df3ec1923274867629ac7bff014c20ef61c7097b61f3bde3219938a8e4cfefee9440a195ce28

  • \Windows\system\NJDvNsZ.exe

    Filesize

    5.2MB

    MD5

    015549dd36644c335a25f28a81538498

    SHA1

    6514b7ae8901354fd1d70090f0b093525b449408

    SHA256

    9769232965e2e217be6d214220e7849126e064f99eec5b32475de74dd13c8939

    SHA512

    d1d37c735b254e97cf932581f7b850d70174a5654d11ef20ef256f09d6ae6d9cd74818e8d479b55edef0146c65d6cf940b51ebb2c4944938067aa5c88bd34d0b

  • \Windows\system\SnAkFQI.exe

    Filesize

    5.2MB

    MD5

    a779c7db743a653ce9d638beba72f1c3

    SHA1

    9c32c4c13b8eb1ab6534a814d86e7265378308e3

    SHA256

    4a0d3198b667377d1b6f472aaa336885ea7e16b1ea335f4162b2134a32dbf113

    SHA512

    dc84327e305a4991c7dc21b2359166b4056a3c7ea60bc96935371804049171ab2784a00623398b002ee7cec44dcbb48b950a8615cf1d851a7c35e279d264a01b

  • \Windows\system\VDAWoBo.exe

    Filesize

    5.2MB

    MD5

    14502f6d55f55de1af0415ae88325930

    SHA1

    8fcb1c549e2a8ec644ec9614b75727ce923c9890

    SHA256

    f7b1491fef69a1489ec69e25dde850aac5be41a30223b61cb62c3cb800a0edf2

    SHA512

    c77919835a30f5d8ae3dce5ea8c6a37f997347915b659f53cdc0c98b26383800955f09f407f730b36e4f9b5c8637ee7ac5a569138faba4a1fc9079a8b3d4cdbf

  • \Windows\system\bPwgeWz.exe

    Filesize

    5.2MB

    MD5

    158e66c64bc3b83df73aa9acb7f6a7bb

    SHA1

    3396626c611981dbf30c6b34f100eb419550e1ae

    SHA256

    5d175114be87f8201368290f297f0f9ceeb633c76e0b1b28e360dfda3d20279a

    SHA512

    c82cd5180457c6816330862ff8d0b40b1107e202d17463745d4f7f54ee89929832baf4fab9eb431c22d9627c2706b7173d9fed7ba1a1a8adc2e579df0ca57799

  • \Windows\system\faikVMY.exe

    Filesize

    5.2MB

    MD5

    46c374c1f296339623dd0cf3a4322bca

    SHA1

    9a7c6278027ad82cfc41de2016f4f92fe448c88f

    SHA256

    65856e86a90616e0d954cd4e2e1f72e238609b2a18c80df25414fad23a4c8d79

    SHA512

    deee64d2ce955473d2f7d93b852b8777884a8a7845beb04ad7210c8172282bd28ad5107b06f28a9d39a3377aedb0badc4e4fcebedbc9122773bd6636ae181b6d

  • \Windows\system\hwsoDlA.exe

    Filesize

    5.2MB

    MD5

    bbf54077c1eabf314b0359998f1036ad

    SHA1

    213a81e48bf7d0f429b6dfb944377cab1a712406

    SHA256

    5ebe07808f329d2a4632210a3738c2239ffc0b56dc89d5e3b0830448bd6ed2da

    SHA512

    dc27cf17973a11f483c0e3beb2cc38c4279385df5252a3b2bc40ce778b14db8050d72e67e6044fbd0a356d9d774afcc37f5a0bf45665ae28a9842682b4ed5466

  • \Windows\system\ipHImRk.exe

    Filesize

    5.2MB

    MD5

    d24a3ca7bbaee238f4a5cf737fa9ba5a

    SHA1

    1c3187b27cc4d6a69562ee1f396920618e95b0f3

    SHA256

    5e1d889e54d7480d08e65897e019202f92493d8710d41aaf23230285b15e37f7

    SHA512

    d13dd7d39b62021f00c612885d9dde28cdc34410d00c3a6d9cc996e06e392b16497867e339549e5fffbd924a51f21f87ea53d0626ebc57336b3972e3813c8aec

  • \Windows\system\loRsXEs.exe

    Filesize

    5.2MB

    MD5

    066346c9857ca5214ef81a9c66747deb

    SHA1

    ad0144021c8818d2d3a13ccc0ab15beec11a5bed

    SHA256

    5da5a1849871e98c7ca32b0da36eee87098506d7b66149fc6a991fe2821528f6

    SHA512

    40af8bddc6ce20e4aa103507d7e71b1deb36fea9679cb49a06299049b03e14b71523941baf332d18ca49c25717d6278d227b8074213e946595367de89664d58c

  • \Windows\system\tlnylwz.exe

    Filesize

    5.2MB

    MD5

    d07763b570bec0f346b373a0ad75603d

    SHA1

    33e097080582f17d2725cc2b0bc27493d9474b37

    SHA256

    b51b11d1911ecf3ec714a18c04f83816c07cab6f2b1f2baa03ff9e6455a1ceb1

    SHA512

    1e48eef3517691f52a4dbbb2b7e9dcd706e7d1c8a37bdba7f8ccc02a8f75285911e8150a8855728f9895450cc1b61108c619ce55d0804b09fdb78fdfb5738bd2

  • \Windows\system\vPyMEIZ.exe

    Filesize

    5.2MB

    MD5

    d6ea440092951505619205c7b039b0ad

    SHA1

    bf64c2ed7eea3f43a7782f3040586e036a0d8aa9

    SHA256

    e46dafb0174832e48e892b9a4a76a643ae880a8d5cba9f51d0122cc3c754d2fe

    SHA512

    6714131f56621b5d2d521bff33e79a96526275cbe768e3fa65acf2217acb008b5e0e255787417e09194fd75e52f0e26dbe37c3a27791af451a442ec1500cfc35

  • memory/636-146-0x000000013FA40000-0x000000013FD91000-memory.dmp

    Filesize

    3.3MB

  • memory/1616-154-0x000000013F4F0000-0x000000013F841000-memory.dmp

    Filesize

    3.3MB

  • memory/1716-153-0x000000013FF90000-0x00000001402E1000-memory.dmp

    Filesize

    3.3MB

  • memory/2156-150-0x000000013F0D0000-0x000000013F421000-memory.dmp

    Filesize

    3.3MB

  • memory/2172-140-0x000000013F580000-0x000000013F8D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2172-46-0x000000013F580000-0x000000013F8D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2172-232-0x000000013F580000-0x000000013F8D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-114-0x00000000021B0000-0x0000000002501000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-111-0x000000013FAF0000-0x000000013FE41000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-75-0x000000013FFC0000-0x0000000140311000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-58-0x000000013FC50000-0x000000013FFA1000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-47-0x000000013F3F0000-0x000000013F741000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-25-0x00000000021B0000-0x0000000002501000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-118-0x000000013FA60000-0x000000013FDB1000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-117-0x000000013F640000-0x000000013F991000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-116-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-115-0x000000013F790000-0x000000013FAE1000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-0-0x000000013FFC0000-0x0000000140311000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-113-0x000000013F0D0000-0x000000013F421000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-21-0x00000000021B0000-0x0000000002501000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-23-0x000000013F0C0000-0x000000013F411000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-1-0x0000000000080000-0x0000000000090000-memory.dmp

    Filesize

    64KB

  • memory/2308-38-0x000000013F630000-0x000000013F981000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-156-0x000000013FFC0000-0x0000000140311000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-134-0x000000013FFC0000-0x0000000140311000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-7-0x000000013F2F0000-0x000000013F641000-memory.dmp

    Filesize

    3.3MB

  • memory/2308-40-0x000000013F580000-0x000000013F8D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2360-155-0x000000013F1F0000-0x000000013F541000-memory.dmp

    Filesize

    3.3MB

  • memory/2532-100-0x000000013F790000-0x000000013FAE1000-memory.dmp

    Filesize

    3.3MB

  • memory/2532-234-0x000000013F790000-0x000000013FAE1000-memory.dmp

    Filesize

    3.3MB

  • memory/2532-143-0x000000013F790000-0x000000013FAE1000-memory.dmp

    Filesize

    3.3MB

  • memory/2556-141-0x000000013F3F0000-0x000000013F741000-memory.dmp

    Filesize

    3.3MB

  • memory/2556-65-0x000000013F3F0000-0x000000013F741000-memory.dmp

    Filesize

    3.3MB

  • memory/2556-238-0x000000013F3F0000-0x000000013F741000-memory.dmp

    Filesize

    3.3MB

  • memory/2604-142-0x000000013FC50000-0x000000013FFA1000-memory.dmp

    Filesize

    3.3MB

  • memory/2656-152-0x000000013FC90000-0x000000013FFE1000-memory.dmp

    Filesize

    3.3MB

  • memory/2664-19-0x000000013F2F0000-0x000000013F641000-memory.dmp

    Filesize

    3.3MB

  • memory/2664-133-0x000000013F2F0000-0x000000013F641000-memory.dmp

    Filesize

    3.3MB

  • memory/2664-201-0x000000013F2F0000-0x000000013F641000-memory.dmp

    Filesize

    3.3MB

  • memory/2708-22-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

    Filesize

    3.3MB

  • memory/2708-203-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

    Filesize

    3.3MB

  • memory/2764-37-0x000000013FD20000-0x0000000140071000-memory.dmp

    Filesize

    3.3MB

  • memory/2764-226-0x000000013FD20000-0x0000000140071000-memory.dmp

    Filesize

    3.3MB

  • memory/2808-205-0x000000013F0C0000-0x000000013F411000-memory.dmp

    Filesize

    3.3MB

  • memory/2808-20-0x000000013F0C0000-0x000000013F411000-memory.dmp

    Filesize

    3.3MB

  • memory/2836-151-0x000000013FEF0000-0x0000000140241000-memory.dmp

    Filesize

    3.3MB

  • memory/2872-39-0x000000013F630000-0x000000013F981000-memory.dmp

    Filesize

    3.3MB

  • memory/2872-228-0x000000013F630000-0x000000013F981000-memory.dmp

    Filesize

    3.3MB

  • memory/2888-236-0x000000013F640000-0x000000013F991000-memory.dmp

    Filesize

    3.3MB

  • memory/2888-112-0x000000013F640000-0x000000013F991000-memory.dmp

    Filesize

    3.3MB

  • memory/2912-148-0x000000013FAF0000-0x000000013FE41000-memory.dmp

    Filesize

    3.3MB

  • memory/3008-149-0x000000013FA60000-0x000000013FDB1000-memory.dmp

    Filesize

    3.3MB

  • memory/3036-144-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

    Filesize

    3.3MB

  • memory/3056-231-0x000000013FD00000-0x0000000140051000-memory.dmp

    Filesize

    3.3MB

  • memory/3056-110-0x000000013FD00000-0x0000000140051000-memory.dmp

    Filesize

    3.3MB