Overview

overview

10

Static

static

211f7686f5...d3.exe

windows11_x64

10

211f7686f5...d3.exe

windows10_x64

10

211f7686f5...d3.exe

windows10_x64

10

Resubmissions

09-10-2021 06:02

211009-grepnafad7 10

08-10-2021 19:47

211008-yhw11segg5 10

08-10-2021 19:00

211008-xnq7aaegf2 10

Analysis

  • max time kernel
    1803s
  • max time network
    1571s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    09-10-2021 06:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe

  • Size

    166KB

  • MD5

    38662eca83bf7fff531b9bdc43f8ed52

  • SHA1

    1426c264bd6067cc8f5a76ac10182c380a18eb5b

  • SHA256

    211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3

  • SHA512

    4cdf5822e696a511bb689bfedad92ad10f3b148045eacd22977daa5b3397ee5e449db4fc31d97b3ac7e459ea3905eadf71ab6bfb91b9ff8d5219edec8278644e

Score
10/10
raccoonredlinesmokeloadertofseevidarbackdoordiscoveryevasioninfostealerspywarestealerthemidatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://fazanaharahe10.top/

http://xandelissane20.top/

http://ustiassosale30.top/

http://cytheriata40.top/

http://ggiergionard50.top/
rc4.i32
rc4.i32

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 5 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 1 IoCs
    stealer
  • Downloads MZ/PE file
  • Executes dropped EXE 8 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 35 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 10 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Windows\System32\Upfc.exe
    C:\Windows\System32\Upfc.exe /launchtype periodic /cv QytAWiKNnUOGkOn/jWRI0w.0
    1⤵
      PID:4476
    • C:\Users\Admin\AppData\Local\Temp\211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
      "C:\Users\Admin\AppData\Local\Temp\211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe"
      1⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3800
      • C:\Users\Admin\AppData\Local\Temp\211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
        "C:\Users\Admin\AppData\Local\Temp\211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe"
        2⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:1248
    • C:\Windows\System32\sihclient.exe
      C:\Windows\System32\sihclient.exe /cv dn8LwwbFRkCXo9mq/8woaw.0.2
      1⤵
      • Modifies data under HKEY_USERS
      PID:3736
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      1⤵
      • Modifies data under HKEY_USERS
      PID:4596
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -s W32Time
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4608
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
      1⤵
        PID:4908
      • C:\Users\Admin\AppData\Local\Temp\2FA1.exe
        C:\Users\Admin\AppData\Local\Temp\2FA1.exe
        1⤵
        • Executes dropped EXE
        PID:3416
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 296
          2⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:4932
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3416 -ip 3416
        1⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Suspicious use of WriteProcessMemory
        PID:4184
      • C:\Users\Admin\AppData\Local\Temp\8A26.exe
        C:\Users\Admin\AppData\Local\Temp\8A26.exe
        1⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        PID:1428
      • C:\Users\Admin\AppData\Local\Temp\89B5.exe
        C:\Users\Admin\AppData\Local\Temp\89B5.exe
        1⤵
        • Executes dropped EXE
        PID:2204
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 240
          2⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:3340
      • C:\Users\Admin\AppData\Local\Temp\8EE6.exe
        C:\Users\Admin\AppData\Local\Temp\8EE6.exe
        1⤵
        • Executes dropped EXE
        PID:4856
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 304
          2⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:4804
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2204 -ip 2204
        1⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Suspicious use of WriteProcessMemory
        PID:1160
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4856 -ip 4856
        1⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Suspicious use of WriteProcessMemory
        PID:2400
      • C:\Users\Admin\AppData\Local\Temp\EBEB.exe
        C:\Users\Admin\AppData\Local\Temp\EBEB.exe
        1⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        PID:436
      • C:\Users\Admin\AppData\Local\Temp\961B.exe
        C:\Users\Admin\AppData\Local\Temp\961B.exe
        1⤵
        • Executes dropped EXE
        PID:1988
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 256
          2⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:1856
      • C:\Users\Admin\AppData\Local\Temp\9EA7.exe
        C:\Users\Admin\AppData\Local\Temp\9EA7.exe
        1⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:1692
      • C:\Users\Admin\AppData\Local\Temp\A3E8.exe
        C:\Users\Admin\AppData\Local\Temp\A3E8.exe
        1⤵
        • Executes dropped EXE
        PID:1668
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 304
          2⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:2724
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1988 -ip 1988
        1⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Suspicious use of WriteProcessMemory
        PID:1204
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1668 -ip 1668
        1⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Suspicious use of WriteProcessMemory
        PID:2340

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\2FA1.exe
        MD5

        4ade9bccd0b2b9447ff9dbb9c3880830

        SHA1

        52aef011732da2f9fea1ee555d370a119749ccd0

        SHA256

        2d2164bac6935ba3b38573e69f323ec242b3a259ecb06396964f57e3c93d7c6e

        SHA512

        06103380806a02eb19d3f102d6b69f43f3483dc1db6fa48ca53ec8d077b4a6fa35dbb1fc6c438c51ef45f10765a06d2497b0f8d38ae8ac8049106f1bd99c33e1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\2FA1.exe
        MD5

        4ade9bccd0b2b9447ff9dbb9c3880830

        SHA1

        52aef011732da2f9fea1ee555d370a119749ccd0

        SHA256

        2d2164bac6935ba3b38573e69f323ec242b3a259ecb06396964f57e3c93d7c6e

        SHA512

        06103380806a02eb19d3f102d6b69f43f3483dc1db6fa48ca53ec8d077b4a6fa35dbb1fc6c438c51ef45f10765a06d2497b0f8d38ae8ac8049106f1bd99c33e1

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\89B5.exe
        MD5

        20fe1450230d861579e323ffd7ba5485

        SHA1

        971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633

        SHA256

        0cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3

        SHA512

        abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\89B5.exe
        MD5

        20fe1450230d861579e323ffd7ba5485

        SHA1

        971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633

        SHA256

        0cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3

        SHA512

        abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\8A26.exe
        MD5

        dd8a2cdd496f64590ff7d109578bcafb

        SHA1

        af670c9d07a6c173b078208d59ee87a456008e98

        SHA256

        8b0ce7f9bc14bd2a9d418ee89bd05157ebd1c624f5561194947cbc3e0af5debe

        SHA512

        cd5c4d3cb2eff8cfa478ab008e5cdce47ac68da5894374c059df0c4ddb5352cd5930a0bbec71d706a3d00085126fc42eec0991db88f6474e0fdac2a8881fde25

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\8EE6.exe
        MD5

        047b7730310a945e1a587c5395c0638a

        SHA1

        685e18a8f11c49fcd2829cd79fb4acdcd254f2fa

        SHA256

        4ecf8f85d92f0d00fe80c0c8f7140888f8804b4834b94472960067fa54584a79

        SHA512

        f3ad7a1cdb85c051a6fcd0fa415c242bf77bf9ee9ce4f571ecb16d4f28292e0f1ccf6d84ea9db0b71a88ecb0bc3946df6ac77526dfd7f3054f3c68a8ebc49120

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\8EE6.exe
        MD5

        047b7730310a945e1a587c5395c0638a

        SHA1

        685e18a8f11c49fcd2829cd79fb4acdcd254f2fa

        SHA256

        4ecf8f85d92f0d00fe80c0c8f7140888f8804b4834b94472960067fa54584a79

        SHA512

        f3ad7a1cdb85c051a6fcd0fa415c242bf77bf9ee9ce4f571ecb16d4f28292e0f1ccf6d84ea9db0b71a88ecb0bc3946df6ac77526dfd7f3054f3c68a8ebc49120

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\961B.exe
        MD5

        25a398ade67d1eb9974db341f4139a5b

        SHA1

        0fe163a25dc0c280fd334576605d0b988b8b5396

        SHA256

        7f5b4e168ef2a2cf6e339400752a2e3c12afeecb355fc5507b7db36cb70ec910

        SHA512

        e631adf0b0dbc126000d7662e1a89d2f53dd32e53337df09ce752f4cd9f064a1b6321eb0fdbf9f84776c856680ad555b6cf64d4a09ad9483e4058f7f1f539ca7

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\961B.exe
        MD5

        25a398ade67d1eb9974db341f4139a5b

        SHA1

        0fe163a25dc0c280fd334576605d0b988b8b5396

        SHA256

        7f5b4e168ef2a2cf6e339400752a2e3c12afeecb355fc5507b7db36cb70ec910

        SHA512

        e631adf0b0dbc126000d7662e1a89d2f53dd32e53337df09ce752f4cd9f064a1b6321eb0fdbf9f84776c856680ad555b6cf64d4a09ad9483e4058f7f1f539ca7

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\9EA7.exe
        MD5

        f6f63e66d59c509e9c76e930c3d27dd6

        SHA1

        a0f85bbcb4e2b5f01d5c4a9f39055e112ded33d3

        SHA256

        c39d96311181bd623c17bc6fb5c3cdc6b5a28e738b8ecf977368947d06e87710

        SHA512

        3785995ca2d80883f54df3750c9bc95d1b29be940ed1d99ab8a695fdf6e65f3846e5db70153129e9ff5bb1b897690e2bd551a934b5460b726121090cd9753e7f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\A3E8.exe
        MD5

        f1e1e438338d88719b74c70a4d61ce33

        SHA1

        bda4ae57aab1e313e43a9e17ff7e85017ce6dd57

        SHA256

        fc40be3dff950df17341a42e062dec4f496fafe5ffd455aab2656ce53949710b

        SHA512

        6ab179eb58dd61c3e83b8dbb9e42ef86b94de4a8e3c47d431cd4901c6109620e6b89e912b715e4817f9099da622ee19dd39174277b2d3ff28319ddc6e2c536ef

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\A3E8.exe
        MD5

        f1e1e438338d88719b74c70a4d61ce33

        SHA1

        bda4ae57aab1e313e43a9e17ff7e85017ce6dd57

        SHA256

        fc40be3dff950df17341a42e062dec4f496fafe5ffd455aab2656ce53949710b

        SHA512

        6ab179eb58dd61c3e83b8dbb9e42ef86b94de4a8e3c47d431cd4901c6109620e6b89e912b715e4817f9099da622ee19dd39174277b2d3ff28319ddc6e2c536ef

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\EBEB.exe
        MD5

        57b5f410bba704152ed728ae30b26665

        SHA1

        755da63fac5d2f95d600253a0a94e4d19c62eb96

        SHA256

        2dbeea7c52d13a743dbdbdde06da28d1616ea6b1d765684fd3ec1a8f44040269

        SHA512

        670a23161098b3c990f5c1c07ad86cb3fb14a61a62460f2e016d660331c07353a809ed5da92fa32e0e1d84512d8325fa3ecc896c0c2c10e1e8a6762a34cc416c

        Download Submit
      • memory/436-197-0x0000000000000000-mapping.dmp
        Download
      • memory/436-201-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/436-211-0x0000000006010000-0x0000000006011000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1248-151-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

        Download
      • memory/1248-150-0x0000000000000000-mapping.dmp
        Download
      • memory/1428-165-0x0000000006120000-0x0000000006121000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-179-0x00000000086D0000-0x00000000086D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-168-0x0000000006180000-0x0000000006181000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-169-0x0000000006F10000-0x0000000006F11000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-170-0x0000000006230000-0x0000000006231000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-171-0x00000000062C0000-0x00000000062C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-172-0x00000000064E0000-0x00000000064E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-173-0x00000000079A0000-0x00000000079A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-174-0x00000000080A0000-0x00000000080A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-175-0x0000000007B70000-0x0000000007B71000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-176-0x0000000008B80000-0x0000000008B81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-177-0x0000000007DC0000-0x0000000007DC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-178-0x0000000007E60000-0x0000000007E61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-159-0x0000000000000000-mapping.dmp
        Download
      • memory/1428-180-0x0000000008770000-0x0000000008771000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-166-0x00000000062D0000-0x00000000062D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-167-0x00000000063E0000-0x00000000063E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-162-0x0000000000D90000-0x0000000000D91000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1428-164-0x00000000068F0000-0x00000000068F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1668-241-0x000000000197D000-0x00000000019CC000-memory.dmp
        Filesize

        316KB

        Download
      • memory/1668-237-0x0000000000000000-mapping.dmp
        Download
      • memory/1668-244-0x0000000003300000-0x000000000338E000-memory.dmp
        Filesize

        568KB

        Download
      • memory/1692-240-0x00000000058C0000-0x00000000058C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1692-242-0x0000000005820000-0x0000000005821000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1692-228-0x0000000000320000-0x0000000000321000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1692-224-0x0000000000000000-mapping.dmp
        Download
      • memory/1988-223-0x00000000006D3000-0x00000000006F9000-memory.dmp
        Filesize

        152KB

        Download
      • memory/1988-243-0x00000000005F0000-0x0000000000632000-memory.dmp
        Filesize

        264KB

        Download
      • memory/1988-220-0x0000000000000000-mapping.dmp
        Download
      • memory/2204-181-0x0000000000000000-mapping.dmp
        Download
      • memory/2204-184-0x0000000002D83000-0x0000000002DD2000-memory.dmp
        Filesize

        316KB

        Download
      • memory/2204-189-0x0000000002E70000-0x0000000002EFE000-memory.dmp
        Filesize

        568KB

        Download
      • memory/3240-153-0x0000000002C20000-0x0000000002C36000-memory.dmp
        Filesize

        88KB

        Download
      • memory/3416-158-0x00000000018C0000-0x00000000018D3000-memory.dmp
        Filesize

        76KB

        Download
      • memory/3416-157-0x000000000190D000-0x000000000191E000-memory.dmp
        Filesize

        68KB

        Download
      • memory/3416-154-0x0000000000000000-mapping.dmp
        Download
      • memory/3800-152-0x0000000000590000-0x0000000000599000-memory.dmp
        Filesize

        36KB

        Download
      • memory/3800-146-0x0000000000623000-0x000000000062C000-memory.dmp
        Filesize

        36KB

        Download
      • memory/4596-191-0x000001F23E4C0000-0x000001F23E4C4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/4596-149-0x000001F23BFD0000-0x000001F23BFD4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/4596-193-0x000001F23E200000-0x000001F23E204000-memory.dmp
        Filesize

        16KB

        Download
      • memory/4596-148-0x000001F23BDA0000-0x000001F23BDB0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4596-147-0x000001F23BB60000-0x000001F23BB70000-memory.dmp
        Filesize

        64KB

        Download
      • memory/4596-192-0x000001F23E480000-0x000001F23E481000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4596-196-0x000001F23BED0000-0x000001F23BED1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4596-195-0x000001F23BFF0000-0x000001F23BFF4000-memory.dmp
        Filesize

        16KB

        Download
      • memory/4596-194-0x000001F23BFF0000-0x000001F23BFF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4856-190-0x0000000004B60000-0x0000000004C36000-memory.dmp
        Filesize

        856KB

        Download
      • memory/4856-188-0x0000000002FBD000-0x0000000003039000-memory.dmp
        Filesize

        496KB

        Download
      • memory/4856-185-0x0000000000000000-mapping.dmp
        Download