Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    25/10/2024, 11:54

General

  • Target

    2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    f356f53568f3fe623d3db7149a57d2f0

  • SHA1

    fe01d01c441b805681d655ca6b88af5c87a7b66a

  • SHA256

    ec0342c224d1a630bac0247fcd10a2300d53d93c16cf8e30604a7fda933131b7

  • SHA512

    ec0c8034273ec13e2e80aec79fcc76d2bd1cbf81e8779774e227539fc4c0ed9c45a4b1a462434acb88446996ea44e56979512aa0b97f73f30dc6c91950a0bc3f

  • SSDEEP

    49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lm:RWWBibd56utgpPFotBER/mQ32lUa

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 40 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:292
    • C:\Windows\System\uopnPaT.exe
      C:\Windows\System\uopnPaT.exe
      2⤵
      • Executes dropped EXE
      PID:1720
    • C:\Windows\System\tVHcKMP.exe
      C:\Windows\System\tVHcKMP.exe
      2⤵
      • Executes dropped EXE
      PID:3068
    • C:\Windows\System\BytHjrL.exe
      C:\Windows\System\BytHjrL.exe
      2⤵
      • Executes dropped EXE
      PID:1516
    • C:\Windows\System\QuRPZQm.exe
      C:\Windows\System\QuRPZQm.exe
      2⤵
      • Executes dropped EXE
      PID:2480
    • C:\Windows\System\EbjHOXJ.exe
      C:\Windows\System\EbjHOXJ.exe
      2⤵
      • Executes dropped EXE
      PID:2268
    • C:\Windows\System\NoZxtwd.exe
      C:\Windows\System\NoZxtwd.exe
      2⤵
      • Executes dropped EXE
      PID:3028
    • C:\Windows\System\SAYbfNI.exe
      C:\Windows\System\SAYbfNI.exe
      2⤵
      • Executes dropped EXE
      PID:2928
    • C:\Windows\System\JboAAAe.exe
      C:\Windows\System\JboAAAe.exe
      2⤵
      • Executes dropped EXE
      PID:2728
    • C:\Windows\System\LduQRtn.exe
      C:\Windows\System\LduQRtn.exe
      2⤵
      • Executes dropped EXE
      PID:2640
    • C:\Windows\System\KJWWyLq.exe
      C:\Windows\System\KJWWyLq.exe
      2⤵
      • Executes dropped EXE
      PID:2636
    • C:\Windows\System\ISCWzMh.exe
      C:\Windows\System\ISCWzMh.exe
      2⤵
      • Executes dropped EXE
      PID:2784
    • C:\Windows\System\aIwWGhH.exe
      C:\Windows\System\aIwWGhH.exe
      2⤵
      • Executes dropped EXE
      PID:2724
    • C:\Windows\System\lOLSMhD.exe
      C:\Windows\System\lOLSMhD.exe
      2⤵
      • Executes dropped EXE
      PID:2628
    • C:\Windows\System\EihacFP.exe
      C:\Windows\System\EihacFP.exe
      2⤵
      • Executes dropped EXE
      PID:2732
    • C:\Windows\System\ELahDtr.exe
      C:\Windows\System\ELahDtr.exe
      2⤵
      • Executes dropped EXE
      PID:1032
    • C:\Windows\System\vPliCSL.exe
      C:\Windows\System\vPliCSL.exe
      2⤵
      • Executes dropped EXE
      PID:2924
    • C:\Windows\System\qdYIpDh.exe
      C:\Windows\System\qdYIpDh.exe
      2⤵
      • Executes dropped EXE
      PID:1472
    • C:\Windows\System\wQkQiIA.exe
      C:\Windows\System\wQkQiIA.exe
      2⤵
      • Executes dropped EXE
      PID:1304
    • C:\Windows\System\jeQImhV.exe
      C:\Windows\System\jeQImhV.exe
      2⤵
      • Executes dropped EXE
      PID:1244
    • C:\Windows\System\bqEVcys.exe
      C:\Windows\System\bqEVcys.exe
      2⤵
      • Executes dropped EXE
      PID:2368
    • C:\Windows\System\MeLwrat.exe
      C:\Windows\System\MeLwrat.exe
      2⤵
      • Executes dropped EXE
      PID:636

Network


        Downloads
