Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14-12-2024 02:53

General

  • Target

    2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe

  • Size

    5.2MB

  • MD5

    82fa350c690590840584042057e81c1d

  • SHA1

    9cfb41bebed8af62d09763a09f0c94beb793e1f9

  • SHA256

    2b211c1a61c5eaebddfde3cd16537ff85876c8ea517b00d07c96ef6648286a26

  • SHA512

    158a55f4e063b98febf3c25d5d018a2d61c3e34eb25fb533d11a6171a7a12267704be41b14e585690d914a08500d6b5172ea33b9c78ef9ed4f745359e39be5d2

  • SSDEEP

    49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l7:RWWBibd56utgpPFotBER/mQ32lU3

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 21 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Cobaltstrike family
  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 36 IoCs
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 21 IoCs
  • UPX packed file 59 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-14_82fa350c690590840584042057e81c1d_cobalt-strike_cobaltstrike_poet-rat.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\System\DdqPTns.exe
      C:\Windows\System\DdqPTns.exe
      2⤵
      • Executes dropped EXE
      PID:2500
    • C:\Windows\System\EsngyQt.exe
      C:\Windows\System\EsngyQt.exe
      2⤵
      • Executes dropped EXE
      PID:2700
    • C:\Windows\System\aXXkbpu.exe
      C:\Windows\System\aXXkbpu.exe
      2⤵
      • Executes dropped EXE
      PID:2804
    • C:\Windows\System\xjQVXDz.exe
      C:\Windows\System\xjQVXDz.exe
      2⤵
      • Executes dropped EXE
      PID:2704
    • C:\Windows\System\kuZXwqZ.exe
      C:\Windows\System\kuZXwqZ.exe
      2⤵
      • Executes dropped EXE
      PID:2852
    • C:\Windows\System\jsnkRcF.exe
      C:\Windows\System\jsnkRcF.exe
      2⤵
      • Executes dropped EXE
      PID:2604
    • C:\Windows\System\bLIFKre.exe
      C:\Windows\System\bLIFKre.exe
      2⤵
      • Executes dropped EXE
      PID:2908
    • C:\Windows\System\oansrdv.exe
      C:\Windows\System\oansrdv.exe
      2⤵
      • Executes dropped EXE
      PID:2744
    • C:\Windows\System\WFjsTyl.exe
      C:\Windows\System\WFjsTyl.exe
      2⤵
      • Executes dropped EXE
      PID:2624
    • C:\Windows\System\EQUEuPp.exe
      C:\Windows\System\EQUEuPp.exe
      2⤵
      • Executes dropped EXE
      PID:2560
    • C:\Windows\System\CGMJAGE.exe
      C:\Windows\System\CGMJAGE.exe
      2⤵
      • Executes dropped EXE
      PID:2644
    • C:\Windows\System\zkdvMzC.exe
      C:\Windows\System\zkdvMzC.exe
      2⤵
      • Executes dropped EXE
      PID:2132
    • C:\Windows\System\OXvQnEI.exe
      C:\Windows\System\OXvQnEI.exe
      2⤵
      • Executes dropped EXE
      PID:2928
    • C:\Windows\System\PoQgpUM.exe
      C:\Windows\System\PoQgpUM.exe
      2⤵
      • Executes dropped EXE
      PID:2256
    • C:\Windows\System\XVbCyBG.exe
      C:\Windows\System\XVbCyBG.exe
      2⤵
      • Executes dropped EXE
      PID:2100
    • C:\Windows\System\yyfsmvw.exe
      C:\Windows\System\yyfsmvw.exe
      2⤵
      • Executes dropped EXE
      PID:2268
    • C:\Windows\System\dydADgW.exe
      C:\Windows\System\dydADgW.exe
      2⤵
      • Executes dropped EXE
      PID:868
    • C:\Windows\System\NSuaIQI.exe
      C:\Windows\System\NSuaIQI.exe
      2⤵
      • Executes dropped EXE
      PID:2872
    • C:\Windows\System\qbsBbzt.exe
      C:\Windows\System\qbsBbzt.exe
      2⤵
      • Executes dropped EXE
      PID:1028
    • C:\Windows\System\BwKPowm.exe
      C:\Windows\System\BwKPowm.exe
      2⤵
      • Executes dropped EXE
      PID:2996
    • C:\Windows\System\qRZCNsw.exe
      C:\Windows\System\qRZCNsw.exe
      2⤵
      • Executes dropped EXE
      PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\system\CGMJAGE.exe

    Filesize

    5.2MB

    MD5

    2613bf50cb15c3eeb4da2e24e1eb3cc1

    SHA1

    b2e91daae24d1c9d718fd331c7f40f8e0da8ebaa

    SHA256

    6c65fe25530b23993af5f08f361cf6f466af4465191f2bf813ef9f84a2de34aa

    SHA512

    b0c0611f14635a7fce479bd9e5a58723b14dad1df2926f649910633f4fc5c4358f837de7d48e0285fea3ba16e098022b992b1fc715158ac8ba8a5f2d5cf80fae

  • C:\Windows\system\DdqPTns.exe

    Filesize

    5.2MB

    MD5

    39105ce9f44b46c636f3fb21b6655150

    SHA1

    e560aa3be6641edf3c626ce142a7a85f50ad384c

    SHA256

    f82d64e31d800877c1e3c277d99b97ed713a83b4c1c3060697ef090036a2a39c

    SHA512

    a1303c0a7b461fa5dea4342a6cae7512fe83029e489868776d3d0ed4c61438aa69d12137e85abc1a12615fdbc5665aefccede8c5be2da5204e8be237420fea20

  • C:\Windows\system\EQUEuPp.exe

    Filesize

    5.2MB

    MD5

    3fcc1f2e68b05f5aca996002b3d36b31

    SHA1

    644348fb1612a5c62bad8937d62e5437fad59036

    SHA256

    e173f26868173cd396b38913a48bb46d3967db6e7814be335062e656502d4091

    SHA512

    de4e5d9300d358a2ba27416557e161e7c45c0a8aed9816fa5a1413b36197a7d2e649fbed495d44c417e15e9ca1188717255d6cbac815ead652a1ddac5503b36f

  • C:\Windows\system\EsngyQt.exe

    Filesize

    5.2MB

    MD5

    72f3c96f8f8e6f993d344bdce06c084a

    SHA1

    8c94d4f4a4546065f62fd864f1cf9bbcd2285a39

    SHA256

    570bfc590ef3280227998e9f8177af4700c5c7b62b04df870edb3fd648429d1d

    SHA512

    3525f02fdc848ccc8e417ad03274f8d658dc247ec5beecbf7017f931db183f916817b13d566e1b93573b7dc261a32ae0b0cea6c75317b3b95f6c1dedf301d7fc

  • C:\Windows\system\OXvQnEI.exe

    Filesize

    5.2MB

    MD5

    30f603ce1b666f9b0b265343ce469b7c

    SHA1

    eca89a33d404565a36d3f3f7812b6f62e8fba3dd

    SHA256

    35c03a3e5d42e1dc225f3ebed81718f0aeaf490ab0812c89d756245929d44aa4

    SHA512

    7db6bee657676daa4e87464fe616a8cdbcf2da64d0c780f160aaa26f41653d3d59a206782803b7b0db0cf77cedff4855ed2b7d39ec1ecb3aaf850eb37cf88bf0

  • C:\Windows\system\PoQgpUM.exe

    Filesize

    5.2MB

    MD5

    501ef7d551820b7d967fc2bab62ce88e

    SHA1

    1944aa603e983e6929d0f1ce7cfc869132bd2e5b

    SHA256

    3131a6dadc48b3309721dee9b176db735dea247120cad1551672e3704d3c8c80

    SHA512

    a43bfd4be8fffd391fe932cdf0715501a64d86051ad9dce9d5f66e9c4437c0890921bc663f9d06cdec3b554aa5d94a4f975d33cf8e4551953e8fdc7feacf2c7b

  • C:\Windows\system\WFjsTyl.exe

    Filesize

    5.2MB

    MD5

    55649486e4f3a05c8458c51721848da6

    SHA1

    98bd7fe1f580504e13fda62725e8e95258569ff6

    SHA256

    ee7a9c0f4cfc55c55d35decdcc7cfbba21c562223abda003e2bdf8c7aa61ebe5

    SHA512

    52728ee21792e921f595dd304d0cdd8abb0ca85df68a41339e21569818e14c0444a3251dc53e05507ee596b71d867e8434de3dc1349e0452ad2b178adfdbf9c7

  • C:\Windows\system\XVbCyBG.exe

    Filesize

    5.2MB

    MD5

    62f8633b8ded973c704f7d54066233b9

    SHA1

    82f0b47a110bb0ade12d78cdc71ca1e2d631b066

    SHA256

    7d31e17283eb1a29a657a5461b0e42046e091730493798e45aade8b91cbe22a4

    SHA512

    4a182213c756b88ea01fd3143c0010263bea701a9bd8e83f8182d825a4191c48a03e092e7a60bf931ebaf2ca0fba9d5f62c94b79480a0429605d704753ca7f21

  • C:\Windows\system\bLIFKre.exe

    Filesize

    5.2MB

    MD5

    78f5c6fd30fdfb43f3824d9c392e5434

    SHA1

    becc44c6a0250c4a65cad515adc7e82f07776a17

    SHA256

    12b25e93b33f6c47ef5acceca64dab4bbad3b3a130ce5b59bf30ed17340d5a9e

    SHA512

    e9f1469e550148eb241b467b0501b6a36c8c75c237ef13a670ecccea38d6dbaacb39054d9d9eb1855adc2cc74afc1eeb86562cc2faa6379906b283ca2615804d

  • C:\Windows\system\dydADgW.exe

    Filesize

    5.2MB

    MD5

    21699bc9f075ad448a9e2436e0495848

    SHA1

    a0885d43c2bfc84f411fd14d206316c3483cdf46

    SHA256

    fdc31f685fccc9415b5bb693d916d7caa6a08e18a23dd1cf779be9703bfebe30

    SHA512

    a97a2d44d6a94278d4fb04167b97f71b43642550cac77de1402515881b944134ad3e3b28a23e0fb99b8e4f6f87b63451450866350561e502258b183abd2f3d63

  • C:\Windows\system\jsnkRcF.exe

    Filesize

    5.2MB

    MD5

    ea7f5610c2f7edcb51eb03d8e827fb1a

    SHA1

    2a1fcbdcfc5341f3c04c4fe10f6aa90923d5989c

    SHA256

    03921e434eac869391a2e3a87b507aa623d58d1e0e35f0ae874652748a6375ee

    SHA512

    d0842768e28390fd8afee4b59588e57caa6806cc5265ed8cca80c0e566c290647cb1d819bf0ff11f7e35a8135fe2463561d8df72eb3023c9d0b642aeec87e05d

  • C:\Windows\system\kuZXwqZ.exe

    Filesize

    5.2MB

    MD5

    b67f7629e6991cd00b3fd0d1cc05ee8f

    SHA1

    f4b81fad0f67bb476ec6eb93853e4df878362ca3

    SHA256

    8f61dd2507a5c37069782fac01d73a48c672df31d54714164858014f379b5ae4

    SHA512

    59a0ca86421ff9e6666a204d87c9f991f4836c221384373a11974d5cb9c32110713cafaa088566661cbcd37592f54f0c5ff7d24e3f1a24d64e3d75e87c790a68

  • C:\Windows\system\oansrdv.exe

    Filesize

    5.2MB

    MD5

    ca41431c8488151c9b4c86e938580e3e

    SHA1

    847478c5a464efd63e02ba74b8781ee60b79415c

    SHA256

    cade0a526eca8fffda80e66c4f9d6f517950229f4f7801ffe9f8f3a052e65536

    SHA512

    870362b8912b97138059138216096463d44195b994e4d716d1dee29bd43e1beb9764945fb7bc4b7297b2dde68669db7be85a6036a24c1ff4f457337a4f254031

  • C:\Windows\system\qRZCNsw.exe

    Filesize

    5.2MB

    MD5

    484980b936ef492793655204c60ae864

    SHA1

    ea7bbd9ba454099f0524ffb4189c54859767f936

    SHA256

    1e9c12ecd453c4d54f1f4ef3030ab6895c18d9a8899c56b23fa06ba8ab861018

    SHA512

    4f4b10da92f2c7b3655e056b6bf244f464b3127b14f8b7a897c106406a5bdd6fd92105e99fa48d7882b7554aa825314307b0a27ed50cc65705b1a049875902ce

  • C:\Windows\system\qbsBbzt.exe

    Filesize

    5.2MB

    MD5

    525ae29d69015703f155d296ca119bda

    SHA1

    e44b896b27ee65b262cfe86b5347e3dcbe41d6bc

    SHA256

    f1cc2a773fd9de4233c694cb0ac52d05c0f9232fe04665b0aafe5d687b523170

    SHA512

    451ff4c00bbfa84e247c450dd725ee745f6f0ee7e6e85a80c4a4de853467ba179b27d1a11e3a9db4daa028db56256f793b915f414856e3eee0f2bff2066a858e

  • C:\Windows\system\xjQVXDz.exe

    Filesize

    5.2MB

    MD5

    4b93e74864d5d0da34c938b0f1386374

    SHA1

    8b1bebfde76dff379b72f976c68b70a86910a9d5

    SHA256

    85edcc256985ac2640f3eb8ea317a7f6b1fbeb45fb8faf7c8c4eb224992635cb

    SHA512

    1d0af930e667d250faa93d47a0af162b333f32f7bbbcfcc192b64a96d182394ba7f0d0ff30d02ea7533e6236b202b156e0c98a5282bf8d612d26b0818b8f9010

  • \Windows\system\BwKPowm.exe

    Filesize

    5.2MB

    MD5

    047e5374ddb7daebba98040ebaa54eb6

    SHA1

    30acc8ac6e42d0fc184c3071a6345950082b17c5

    SHA256

    06c915c10c749d53056df7c1f603ed45e832db9ce38402e03e86943ba5995df2

    SHA512

    4ee3a7ef304cfb79d2be3e485fb1633f2ab44b43285ed35651bd740ff26ee79a9a8c1a3ecd3fbd4bf325196c3c541f5c219a83f36e50588622417072a2bd565d

  • \Windows\system\NSuaIQI.exe

    Filesize

    5.2MB

    MD5

    20fae3cd0dd0332378adad8a0beb924d

    SHA1

    6e2694e2e5d97156e8966b0c4e84fc27891ce8c5

    SHA256

    3c3313ab3d9338f210c6999c7553e07abbd0d040fb03b23e5219cc20afa4ad27

    SHA512

    05197f9e30bfc32206bf488f0dcddba6fb9970b586f7090e5f8edc218303a9840bac791fda67b304015cbc0be674b3fdead29d93e5bd4373f0d6f77ad9073ed4

  • \Windows\system\aXXkbpu.exe

    Filesize

    5.2MB

    MD5

    dd73aaf2e5da78359ba429f649460781

    SHA1

    c7a7d90c59ebca0152001de78209d9a3056361cc

    SHA256

    ab519b7247ce31c7bc2e8823e6a8181f97224a900d867d52a84780d06dcef053

    SHA512

    83b39b38eaae0164dfe9cdf27b3fa0f1d58dea29724cceba1894df1d4be3212868c9d7d1396761de35f6c05d16fb0f49fe5bbab64576c10863f73966babb0950

  • \Windows\system\yyfsmvw.exe

    Filesize

    5.2MB

    MD5

    3bba1c78e76d613b89d087ced6c45f45

    SHA1

    48c45dca270101dc0057ab26af1ac193b3b3c056

    SHA256

    67c22d9c82629efe52b526a384eeec1d259e878fc2a8e6f1937e68c2373f862b

    SHA512

    d68a2e808cb6b9bd011b934c93c13a73ce01ee585347d3d9eb5a94d0e5cca2c4b6e27265c607eae97424ff3a498bf3f3dc1c7174c1757955f5f76e8b7927891d

  • \Windows\system\zkdvMzC.exe

    Filesize

    5.2MB

    MD5

    3ae69071e84e4b04bd60d9c85a6eafd1

    SHA1

    906892921bfdf8f201b8663a042c1ecca74cf228

    SHA256

    ea4564860bada687f00beabac7ed44871f5a814dc2b1b8f13629f82075c0def5

    SHA512

    46ec729f7962b4743f81c053ca5739f842de7a168241bf711885023dfe512799d48a51cf79bf05b325669fc7558b5f080fae21045a88d143c8b334737880adce

  • memory/868-154-0x000000013F800000-0x000000013FB51000-memory.dmp

    Filesize

    3.3MB

  • memory/1028-156-0x000000013FA70000-0x000000013FDC1000-memory.dmp

    Filesize

    3.3MB

  • memory/2100-152-0x000000013F4E0000-0x000000013F831000-memory.dmp

    Filesize

    3.3MB

  • memory/2132-149-0x000000013FCF0000-0x0000000140041000-memory.dmp

    Filesize

    3.3MB

  • memory/2256-151-0x000000013F820000-0x000000013FB71000-memory.dmp

    Filesize

    3.3MB

  • memory/2268-153-0x000000013FF60000-0x00000001402B1000-memory.dmp

    Filesize

    3.3MB

  • memory/2500-20-0x000000013F5B0000-0x000000013F901000-memory.dmp

    Filesize

    3.3MB

  • memory/2500-224-0x000000013F5B0000-0x000000013F901000-memory.dmp

    Filesize

    3.3MB

  • memory/2560-250-0x000000013FF40000-0x0000000140291000-memory.dmp

    Filesize

    3.3MB

  • memory/2560-104-0x000000013FF40000-0x0000000140291000-memory.dmp

    Filesize

    3.3MB

  • memory/2604-72-0x000000013F680000-0x000000013F9D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2604-234-0x000000013F680000-0x000000013F9D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2624-240-0x000000013FD70000-0x00000001400C1000-memory.dmp

    Filesize

    3.3MB

  • memory/2624-93-0x000000013FD70000-0x00000001400C1000-memory.dmp

    Filesize

    3.3MB

  • memory/2644-99-0x000000013FC40000-0x000000013FF91000-memory.dmp

    Filesize

    3.3MB

  • memory/2644-238-0x000000013FC40000-0x000000013FF91000-memory.dmp

    Filesize

    3.3MB

  • memory/2700-28-0x000000013F3D0000-0x000000013F721000-memory.dmp

    Filesize

    3.3MB

  • memory/2700-228-0x000000013F3D0000-0x000000013F721000-memory.dmp

    Filesize

    3.3MB

  • memory/2704-69-0x000000013F940000-0x000000013FC91000-memory.dmp

    Filesize

    3.3MB

  • memory/2704-232-0x000000013F940000-0x000000013FC91000-memory.dmp

    Filesize

    3.3MB

  • memory/2744-246-0x000000013F440000-0x000000013F791000-memory.dmp

    Filesize

    3.3MB

  • memory/2744-107-0x000000013F440000-0x000000013F791000-memory.dmp

    Filesize

    3.3MB

  • memory/2748-158-0x000000013F280000-0x000000013F5D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-110-0x0000000002320000-0x0000000002671000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-76-0x000000013FC40000-0x000000013FF91000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-32-0x0000000002320000-0x0000000002671000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-37-0x0000000002320000-0x0000000002671000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-0-0x000000013F680000-0x000000013F9D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-105-0x000000013FD70000-0x00000001400C1000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-106-0x000000013FCF0000-0x0000000140041000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-1-0x0000000000180000-0x0000000000190000-memory.dmp

    Filesize

    64KB

  • memory/2756-136-0x0000000002320000-0x0000000002671000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-137-0x000000013F680000-0x000000013F9D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-54-0x0000000002320000-0x0000000002671000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-63-0x0000000002320000-0x0000000002671000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-134-0x000000013F680000-0x000000013F9D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-24-0x0000000002320000-0x0000000002671000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-71-0x000000013FF40000-0x0000000140291000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-7-0x0000000002320000-0x0000000002671000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-111-0x0000000002320000-0x0000000002671000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-100-0x000000013FF60000-0x00000001402B1000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-62-0x000000013FCB0000-0x0000000140001000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-159-0x000000013F680000-0x000000013F9D1000-memory.dmp

    Filesize

    3.3MB

  • memory/2756-108-0x000000013F250000-0x000000013F5A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2804-226-0x000000013F100000-0x000000013F451000-memory.dmp

    Filesize

    3.3MB

  • memory/2804-19-0x000000013F100000-0x000000013F451000-memory.dmp

    Filesize

    3.3MB

  • memory/2852-230-0x000000013F8B0000-0x000000013FC01000-memory.dmp

    Filesize

    3.3MB

  • memory/2852-38-0x000000013F8B0000-0x000000013FC01000-memory.dmp

    Filesize

    3.3MB

  • memory/2852-135-0x000000013F8B0000-0x000000013FC01000-memory.dmp

    Filesize

    3.3MB

  • memory/2872-155-0x000000013FF90000-0x00000001402E1000-memory.dmp

    Filesize

    3.3MB

  • memory/2908-236-0x000000013FCB0000-0x0000000140001000-memory.dmp

    Filesize

    3.3MB

  • memory/2908-80-0x000000013FCB0000-0x0000000140001000-memory.dmp

    Filesize

    3.3MB

  • memory/2928-109-0x000000013F250000-0x000000013F5A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2928-242-0x000000013F250000-0x000000013F5A1000-memory.dmp

    Filesize

    3.3MB

  • memory/2996-157-0x000000013FE10000-0x0000000140161000-memory.dmp

    Filesize

    3.3MB