Analysis

  • max time kernel
    140s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/10/2024, 11:48

General

  • Target

    2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    66512785f2fd362ce92ea065d9043361

  • SHA1

    7763bce6b65424196ed217710dda7681b72b153d

  • SHA256

    ad054e33da8cc51d62113c63a681aebc22d9f6fb6bad7f5d3ba9e169ccb14547

  • SHA512

    21b6e25bdd2518dd120875b5e936612d93c133b6eba43923339be2ea718a75a91b6388dbc1d26cb4f751da2620599fb0da35d97e23d67181d028dec37ba10e8e

  • SSDEEP

    49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lE:RWWBibd56utgpPFotBER/mQ32lUQ

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 38 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\System\lJqUJam.exe
      C:\Windows\System\lJqUJam.exe
      2⤵
      • Executes dropped EXE
      PID:1896
    • C:\Windows\System\XGfLbjT.exe
      C:\Windows\System\XGfLbjT.exe
      2⤵
      • Executes dropped EXE
      PID:1740
    • C:\Windows\System\nkdUTMS.exe
      C:\Windows\System\nkdUTMS.exe
      2⤵
      • Executes dropped EXE
      PID:2296
    • C:\Windows\System\mDiCSAb.exe
      C:\Windows\System\mDiCSAb.exe
      2⤵
      • Executes dropped EXE
      PID:2840
    • C:\Windows\System\pQnbZXX.exe
      C:\Windows\System\pQnbZXX.exe
      2⤵
      • Executes dropped EXE
      PID:2684
    • C:\Windows\System\TIVEZIg.exe
      C:\Windows\System\TIVEZIg.exe
      2⤵
      • Executes dropped EXE
      PID:2796
    • C:\Windows\System\eSUCTWn.exe
      C:\Windows\System\eSUCTWn.exe
      2⤵
      • Executes dropped EXE
      PID:2672
    • C:\Windows\System\LVHRhbf.exe
      C:\Windows\System\LVHRhbf.exe
      2⤵
      • Executes dropped EXE
      PID:2732
    • C:\Windows\System\pdnhsvY.exe
      C:\Windows\System\pdnhsvY.exe
      2⤵
      • Executes dropped EXE
      PID:2552
    • C:\Windows\System\jAKCSHX.exe
      C:\Windows\System\jAKCSHX.exe
      2⤵
      • Executes dropped EXE
      PID:2616
    • C:\Windows\System\geqRiEv.exe
      C:\Windows\System\geqRiEv.exe
      2⤵
      • Executes dropped EXE
      PID:3040
    • C:\Windows\System\aYfaJbS.exe
      C:\Windows\System\aYfaJbS.exe
      2⤵
      • Executes dropped EXE
      PID:2828
    • C:\Windows\System\eHsWQCG.exe
      C:\Windows\System\eHsWQCG.exe
      2⤵
      • Executes dropped EXE
      PID:536
    • C:\Windows\System\sMBdoIS.exe
      C:\Windows\System\sMBdoIS.exe
      2⤵
      • Executes dropped EXE
      PID:1440
    • C:\Windows\System\jjSTDYB.exe
      C:\Windows\System\jjSTDYB.exe
      2⤵
      • Executes dropped EXE
      PID:2876
    • C:\Windows\System\MSPrUnY.exe
      C:\Windows\System\MSPrUnY.exe
      2⤵
      • Executes dropped EXE
      PID:2280
    • C:\Windows\System\YturTBA.exe
      C:\Windows\System\YturTBA.exe
      2⤵
      • Executes dropped EXE
      PID:2772
    • C:\Windows\System\kKYxBfy.exe
      C:\Windows\System\kKYxBfy.exe
      2⤵
      • Executes dropped EXE
      PID:1232
    • C:\Windows\System\VovBvjq.exe
      C:\Windows\System\VovBvjq.exe
      2⤵
      • Executes dropped EXE
      PID:1984
    • C:\Windows\System\fJAwrrg.exe
      C:\Windows\System\fJAwrrg.exe
      2⤵
      • Executes dropped EXE
      PID:2016
    • C:\Windows\System\SsfrPvj.exe
      C:\Windows\System\SsfrPvj.exe
      2⤵
      • Executes dropped EXE
      PID:2856

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\system\LVHRhbf.exe

          Filesize

          5.2MB

          MD5

          8ac97163b1fcdc1ed1020abe7cdbecdc

          SHA1

          efbdfda7bb58ae66846a96b45356e556270b8ad1

          SHA256

          dea1408061660ac07ff4c5b6df9c0cb62bdc35f098a34bce91739eab396e0c65

          SHA512

          8fb3ba6482d35b11559f8739aa25eee949a98ee8b6d7d67ecaff46701f4db8d9e28346204746bc4c97e6c2ad5df0e1bb8ffe0ec282e6932defafc1e6638d810c

        • C:\Windows\system\MSPrUnY.exe

          Filesize

          5.2MB

          MD5

          e84c1e9ce955511f1df5f1fcf30cc60b

          SHA1

          ca357419a70e3c0bc93a7dde902f062b3ef589a7

          SHA256

          adee1480fa02648c4e0c42d27033e3bf91a7a0cfc1260a717eb3ca18339bee9e

          SHA512

          398b41a65fe364ef4d7fe7bbaedc3a84af3d23beef340d64d0aa3877778cd1119bbd769bac942afd0c7d7d87983be80cab31dfcb7b8b508e05d64d187e59f5ea

        • C:\Windows\system\XGfLbjT.exe

          Filesize

          5.2MB

          MD5

          035e0f3c76df22ff1726441672398d41

          SHA1

          d228fc26ded41082c4fbcf57c2cfce39f9273e53

          SHA256

          f37d82bcd0eede2200d7e23002dfb81e67bd06e13e7880ce829044e296f5e47b

          SHA512

          2b580154fac1f191a1d6ee3de870cfbc843cca2797d92b179064b44bf134efbabb382f247d0a09302c336d96356fa3b6cb1dd0a3727c5d056e16f70ffe577c7a

        • C:\Windows\system\YturTBA.exe

          Filesize

          5.2MB

          MD5

          c629f96ae55fce7a8af2878fdcbe7d6d

          SHA1

          04f1e969072833b296b15f7608e35e5d2c44ed94

          SHA256

          dbdcd3069fff0e0e043254d817ddf5775376eae322fb7a37545af98c1303e94c

          SHA512

          1277846740a2908fa4f864a67b6c06c329b3e5f1380f68f2d63046c8b69593329b63d821405f68d7a98d7a9447eacc506f1cf1d37651aceb00eb02823e765bac

        • C:\Windows\system\aYfaJbS.exe

          Filesize

          5.2MB

          MD5

          f3af4f9da05c5a8c010b707e8f237339

          SHA1

          94df784f38649f44aff9fe9820c3b3c8993e0f7b

          SHA256

          34f885408b35383caa214fb1407f23cd2c86aaafab17e92f8a1c201f4fb23f47

          SHA512

          840e29d4d874bb9f11c8c8e8459f573f93e9bb2a37d24ccadc32235c15773d261269627c481f0c04a802495dc710a8e8525f9e06e10a376a300944cea4198ce5

        • C:\Windows\system\eSUCTWn.exe

          Filesize

          5.2MB

          MD5

          f34a0786b0037bfe8c90e55ae6fe731c

          SHA1

          1493beb3786785b57ebfbb884ea6926c9b0d2a8e

          SHA256

          02fee98e1894d95a39a96f40b92e1518cbafdd741745e7bfe42f9fe6d520a74e

          SHA512

          248006ee5c3e5f2f1d8be524c82bb4cb89c339c1127cf4784d05c3c0c5439e9df17e8ef3c450a143adbb58f4029644d394d0e1222e0d7c60c7a978b116b91fbf

        • C:\Windows\system\fJAwrrg.exe

          Filesize

          5.2MB

          MD5

          2e39fc3a74f8712f6150c65983fc70f6

          SHA1

          c32de3271b681f8d205682b84371feda9b6059c6

          SHA256

          dbc445401cb8bb5b56a43bfa178ddb1a9af24dc3fa32ae32cbe0d03b10b8015e

          SHA512

          7b6e3d77c020717f7d67fbae74e91ec40b25385f0e62f9eb92347b51390a2eec33964e06301fa97800218522f4167b7d20816bd24cde3b0599131395d00f4b2f

        • C:\Windows\system\jAKCSHX.exe

          Filesize

          5.2MB

          MD5

          d17f3b77fcaf4e335142cc388b316e20

          SHA1

          9a4aeefea16d0bfa00ba6ad95796d076aa26cd7f

          SHA256

          2deb6a9fb02407621fd3dabc75bbaedaa2bad5d5293d4b8cae049f4be2fd049a

          SHA512

          afd6df0f33e4b82c60a89148b5a8d0143f3e5573081586d8235e50934afc023b5476c8834f9fe9bb7f8c11ccffd94c0189021686d77d8fa893e904634d3bfb15

        • C:\Windows\system\kKYxBfy.exe

          Filesize

          5.2MB

          MD5

          a8faf545966615446a3aeeff7f19d893

          SHA1

          32a1aeb1cdc296ab053ceb4252cd2ea6733cd5c9

          SHA256

          2103892727c1589b3884f893360dfe777ad8a720e55c016624570ae6487638b3

          SHA512

          7dbf2157d6633eb75e5693d3a46d3034324bef2fc017f06182c550bed478b67fa3b69713ee5699aa787a3ab9656313972b84fb4ac879ba84521850dfd2cdfcf7

        • C:\Windows\system\lJqUJam.exe

          Filesize

          5.2MB

          MD5

          f0e45977647a88c7ed72a55f6bc46c4e

          SHA1

          0b78b644aeca2b58c7a92e982fcbf52653cccd5d

          SHA256

          4e38e9fefc81d601be7645a27df8d30c94852045650b4c5ef5f4a3a177d15d3c

          SHA512

          dba765fc09783263cc9d2c81e69a303ced096b3b6bf4d2468047baf43ddab9367eef64592c58f85ddbf154e109ac7e06111661314ae9226246eb4094bce05ee9

        • C:\Windows\system\mDiCSAb.exe

          Filesize

          5.2MB

          MD5

          8688ec9fdef55a09ac16c6a1a7677a5f

          SHA1

          6d05830c7bbf86aee1a6d708f5d034ef643db627

          SHA256

          40f9952927f1add61dfe8beea252a867bc4e16a20722447fd6d3cb97f30bbf47

          SHA512

          cc7a4f7f795042f5547dae4d0fd8723a489e0ac3b4a30e05996cf276ef0a17f2f6bfd4f66c413cc2886aff52c3c368438136a201666b754f700a360473d50d79

        • C:\Windows\system\nkdUTMS.exe

          Filesize

          5.2MB

          MD5

          33556b07a50503467922f4d95a494497

          SHA1

          0088186ede7b5fce62d3ab5c411b1b2ca7e60b5e

          SHA256

          eb1517f474d3ffdfe3d98785c339667dd14e05d2a73e629bba494ab04e86e970

          SHA512

          4df64472cccb31ceadc2465ce1e1d56c26bbce2cce05d00c623f96039072e26e9cf2f3c40cecc3f644983beb2040a517897dbb7a220deddf7eb0a03719344462

        • C:\Windows\system\pQnbZXX.exe

          Filesize

          5.2MB

          MD5

          aea81937c63660acee9809e0805668b1

          SHA1

          fba948022ff79ead96bbdee3526aa725619c4d1f

          SHA256

          dee2e7f9402e014826152dd77523d288ff6bba798e17ae400353a0279f4230b6

          SHA512

          ad28ea62d847218c33226733277fe5b5c3ae24f06c2b19238da633e1ae94f5033ca5b9b65525668399433d6c75a6e06b91b8444c67b0d529c637d8945a4cd2ed

        • C:\Windows\system\pdnhsvY.exe

          Filesize

          5.2MB

          MD5

          c6dd4b3e67ade7ac7e0333a073dc40f1

          SHA1

          c5350bc5138d58506ab3e064699824068e0a7305

          SHA256

          06dac664d3ca18fa5b60d3943bb140767a2591da5d2e4be672ad3a296a2ae1f7

          SHA512

          f2b56e17276c54a259fb59d9002d4a1666ed85478ea6decb922cb8575910a32614fe8105d8dffbab37b54bf0c212daaa88c513344175115d731c010bfe31baff

        • C:\Windows\system\sMBdoIS.exe

          Filesize

          5.2MB

          MD5

          e761aaa557e601a176c9d2480146c04e

          SHA1

          32056fd56ca0b107e2917887e190bbe2ff86610d

          SHA256

          63640fc3a695bf653da2ef66f2548d5b88430fbc28fc6dd365cabecb7707e061

          SHA512

          2c6126dc896a05f18bd350d308ee92a788db25a30a3fe470301a5933cb23cd4447a93c60beff4f6b4326b89ec4c6a14b9cc4dc7b33b38a07194cbef097982e2d

        • \Windows\system\SsfrPvj.exe

          Filesize

          5.2MB

          MD5

          b2194f3b22f0e3c435b54baaf427f6e0

          SHA1

          146539d4a2f6a17680f36d41db4c173103f69dd5

          SHA256

          391931caa722628fc9dcc849639028be4c57a3fd82232d27e0ad81e943cbd9b2

          SHA512

          c7e30db9b545feec3a4de72d7f4c7229b3f8319500e31118c685a4a1c4c3a594ac1768e489d96925d2487bc59c6420d346975e6c16905ca46c55bfa2d2bea0e6

        • \Windows\system\TIVEZIg.exe

          Filesize

          5.2MB

          MD5

          88838683d9edf7a50d177eee3bc12d4f

          SHA1

          ebbb2579639f4152e906b64267d46903bb3434cb

          SHA256

          61b4c8d5f1f3681ada37347b10829acf5927a5026e76bd86d48720574d1f686e

          SHA512

          93242dc4abdab4856e2cb76b3e070d5340a718bfb5c2b106e1890b3da3b8fac85ec276177f07269edfc4e0b653b58a47bf334f7b28d780cb2feb2542ba94df7f

        • \Windows\system\VovBvjq.exe

          Filesize

          5.2MB

          MD5

          29382ef7177500e2a6d61d4d0e408357

          SHA1

          f8d98975ed68cfca5ede0decfd594941bad64f2e

          SHA256

          4a1161bb87038c4900b797f286c0251e56e494b47d7d6f1f8bc453508490c7cb

          SHA512

          4d5c0891ad19790e99c855daf62807dbbea23c9185b87ae1e7fb97cd6ad16496fab01e4108ff25ac6bff5e6c49a7d6ec3922493edab3b3deea1583b2c5751f51

        • \Windows\system\eHsWQCG.exe

          Filesize

          5.2MB

          MD5

          4be0d273b2c5ec12e8e2ca36e78c7b83

          SHA1

          92848e964719f02f027880322568f8a0cc5f41dd

          SHA256

          168046c457e8fbf42a887765dbbdc190ed5a2c8ec60deebd54218ab1334ca67e

          SHA512

          f27641a39002264ae1d1daa56ad4d82fb89747fc537df726443715db1e90d526a1689a4c850069402518e21992ab09c7b30a673b5a06dafb357ebba85b6d5106

        • \Windows\system\geqRiEv.exe

          Filesize

          5.2MB

          MD5

          1aa0b4416dd2289ca3668c0643ee8602

          SHA1

          4c12bdf9062d86f65b2e52a3d0ad7724513c0122

          SHA256

          84651f7c9490f044b67f8a4ee3e869b96043d39bcabe5dae9942310d6e5fb658

          SHA512

          c707b642eb12341376b30a809dfadb7de3754196ec03a788822c105070bec247b598ab39d1a90b39b5c16896d8ba727538b67dd8b8a2373c4688dbdf7ba9f611

        • \Windows\system\jjSTDYB.exe

          Filesize

          5.2MB

          MD5

          f941821966c92bcf0392e6e1c0432860

          SHA1

          160834ab524a10cf58472296ca351cda8bf04d5b

          SHA256

          e126cebafe98c7d335420f61b04a40ca65feb623eec1d604373a093d5f99f969

          SHA512

          7bb3849d5e706787a0a01d0b4f19ec05b275171d2ac2ca14fa80514d3d426ae18720718bda33bce638d784626666d5556f654932147783f0275a812817846da9

        • memory/536-156-0x000000013FC70000-0x000000013FFC1000-memory.dmp

          Filesize

          3.3MB

        • memory/1232-161-0x000000013F020000-0x000000013F371000-memory.dmp

          Filesize

          3.3MB

        • memory/1440-252-0x000000013FD60000-0x00000001400B1000-memory.dmp

          Filesize

          3.3MB

        • memory/1440-97-0x000000013FD60000-0x00000001400B1000-memory.dmp

          Filesize

          3.3MB

        • memory/1740-222-0x000000013F150000-0x000000013F4A1000-memory.dmp

          Filesize

          3.3MB

        • memory/1740-52-0x000000013F150000-0x000000013F4A1000-memory.dmp

          Filesize

          3.3MB

        • memory/1740-18-0x000000013F150000-0x000000013F4A1000-memory.dmp

          Filesize

          3.3MB

        • memory/1896-20-0x000000013F480000-0x000000013F7D1000-memory.dmp

          Filesize

          3.3MB

        • memory/1896-220-0x000000013F480000-0x000000013F7D1000-memory.dmp

          Filesize

          3.3MB

        • memory/1984-162-0x000000013F850000-0x000000013FBA1000-memory.dmp

          Filesize

          3.3MB

        • memory/2016-163-0x000000013F3F0000-0x000000013F741000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-0-0x000000013FE00000-0x0000000140151000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-165-0x000000013F3B0000-0x000000013F701000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-53-0x000000013F5E0000-0x000000013F931000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-48-0x000000013FE00000-0x0000000140151000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-166-0x000000013FE00000-0x0000000140151000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-38-0x000000013F880000-0x000000013FBD1000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-9-0x000000013F480000-0x000000013F7D1000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-124-0x00000000022B0000-0x0000000002601000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-126-0x000000013F2D0000-0x000000013F621000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-140-0x000000013FE00000-0x0000000140151000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-125-0x000000013F190000-0x000000013F4E1000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-30-0x000000013F030000-0x000000013F381000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-139-0x000000013F5E0000-0x000000013F931000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-119-0x000000013F3B0000-0x000000013F701000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-1-0x00000000000F0000-0x0000000000100000-memory.dmp

          Filesize

          64KB

        • memory/2276-14-0x000000013F150000-0x000000013F4A1000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-151-0x000000013FA00000-0x000000013FD51000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-21-0x000000013F120000-0x000000013F471000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-110-0x000000013F5F0000-0x000000013F941000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-82-0x000000013FA00000-0x000000013FD51000-memory.dmp

          Filesize

          3.3MB

        • memory/2276-22-0x00000000022B0000-0x0000000002601000-memory.dmp

          Filesize

          3.3MB

        • memory/2280-113-0x000000013F2D0000-0x000000013F621000-memory.dmp

          Filesize

          3.3MB

        • memory/2280-255-0x000000013F2D0000-0x000000013F621000-memory.dmp

          Filesize

          3.3MB

        • memory/2296-24-0x000000013F120000-0x000000013F471000-memory.dmp

          Filesize

          3.3MB

        • memory/2296-59-0x000000013F120000-0x000000013F471000-memory.dmp

          Filesize

          3.3MB

        • memory/2296-232-0x000000013F120000-0x000000013F471000-memory.dmp

          Filesize

          3.3MB

        • memory/2296-144-0x000000013F120000-0x000000013F471000-memory.dmp

          Filesize

          3.3MB

        • memory/2552-152-0x000000013FE10000-0x0000000140161000-memory.dmp

          Filesize

          3.3MB

        • memory/2616-150-0x000000013F390000-0x000000013F6E1000-memory.dmp

          Filesize

          3.3MB

        • memory/2616-253-0x000000013F390000-0x000000013F6E1000-memory.dmp

          Filesize

          3.3MB

        • memory/2616-90-0x000000013F390000-0x000000013F6E1000-memory.dmp

          Filesize

          3.3MB

        • memory/2672-138-0x000000013F650000-0x000000013F9A1000-memory.dmp

          Filesize

          3.3MB

        • memory/2672-230-0x000000013F650000-0x000000013F9A1000-memory.dmp

          Filesize

          3.3MB

        • memory/2672-49-0x000000013F650000-0x000000013F9A1000-memory.dmp

          Filesize

          3.3MB

        • memory/2684-224-0x000000013F030000-0x000000013F381000-memory.dmp

          Filesize

          3.3MB

        • memory/2684-121-0x000000013F030000-0x000000013F381000-memory.dmp

          Filesize

          3.3MB

        • memory/2684-34-0x000000013F030000-0x000000013F381000-memory.dmp

          Filesize

          3.3MB

        • memory/2732-234-0x000000013F5E0000-0x000000013F931000-memory.dmp

          Filesize

          3.3MB

        • memory/2732-56-0x000000013F5E0000-0x000000013F931000-memory.dmp

          Filesize

          3.3MB

        • memory/2732-141-0x000000013F5E0000-0x000000013F931000-memory.dmp

          Filesize

          3.3MB

        • memory/2772-160-0x000000013F5F0000-0x000000013F941000-memory.dmp

          Filesize

          3.3MB

        • memory/2796-137-0x000000013F880000-0x000000013FBD1000-memory.dmp

          Filesize

          3.3MB

        • memory/2796-228-0x000000013F880000-0x000000013FBD1000-memory.dmp

          Filesize

          3.3MB

        • memory/2796-41-0x000000013F880000-0x000000013FBD1000-memory.dmp

          Filesize

          3.3MB

        • memory/2828-94-0x000000013FA00000-0x000000013FD51000-memory.dmp

          Filesize

          3.3MB

        • memory/2828-249-0x000000013FA00000-0x000000013FD51000-memory.dmp

          Filesize

          3.3MB

        • memory/2840-226-0x000000013FBF0000-0x000000013FF41000-memory.dmp

          Filesize

          3.3MB

        • memory/2840-60-0x000000013FBF0000-0x000000013FF41000-memory.dmp

          Filesize

          3.3MB

        • memory/2840-28-0x000000013FBF0000-0x000000013FF41000-memory.dmp

          Filesize

          3.3MB

        • memory/2856-164-0x000000013F810000-0x000000013FB61000-memory.dmp

          Filesize

          3.3MB

        • memory/2876-158-0x000000013F190000-0x000000013F4E1000-memory.dmp

          Filesize

          3.3MB

        • memory/3040-154-0x000000013F3B0000-0x000000013F701000-memory.dmp

          Filesize

          3.3MB