Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    21-05-2022 15:11

General

  • Target

    e04f02af7697a106589fa281274a8ce60873902255803ec26b2fc4278cfe2a7a.exe

  • Size

    305KB

  • MD5

    62e9a0a9002954fc9b9b7f3eb6961cea

  • SHA1

    18a360987b4df973d3b5090582bdd03e0ff5cffd

  • SHA256

    e04f02af7697a106589fa281274a8ce60873902255803ec26b2fc4278cfe2a7a

  • SHA512

    750791e2c3c91df5ae3ad946571e232d810ed22bc83303a625a422c230285e9bdd0c5577623b4dc02bb91790769f59abdb5858bc97ad496773a594f49e66ccf3

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

https://ny-city-mall.com/search.php

https://fresh-cars.net/search.php

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND

  • suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND

  • Modifies Windows Firewall 1 TTPs
  • Deletes itself 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 4 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies Internet Explorer settings 1 TTPs 48 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
    1⤵
      PID:2716
    • c:\windows\system32\sihost.exe
      sihost.exe
      1⤵
        PID:2772
      • c:\windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
          PID:2856
        • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
          "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
          1⤵
            PID:3244
          • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
            1⤵
              PID:3292
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
                PID:3472
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                1⤵
                  PID:3796
                • C:\Users\Admin\AppData\Local\Temp\e04f02af7697a106589fa281274a8ce60873902255803ec26b2fc4278cfe2a7a.exe
                  "C:\Users\Admin\AppData\Local\Temp\e04f02af7697a106589fa281274a8ce60873902255803ec26b2fc4278cfe2a7a.exe"
                  1⤵
                  • Checks SCSI registry key(s)
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  PID:3488
                • C:\Windows\system32\cmd.exe
                  cmd
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4088
                  • C:\Windows\System32\Wbem\WMIC.exe
                    wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2124
                  • C:\Windows\System32\Wbem\WMIC.exe
                    wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3180
                  • C:\Windows\System32\Wbem\WMIC.exe
                    wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
                    2⤵
                      PID:3064
                    • C:\Windows\System32\Wbem\WMIC.exe
                      wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
                      2⤵
                        PID:2060
                      • C:\Windows\System32\Wbem\WMIC.exe
                        wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
                        2⤵
                          PID:3448
                        • C:\Windows\System32\Wbem\WMIC.exe
                          wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
                          2⤵
                            PID:304
                          • C:\Windows\System32\Wbem\WMIC.exe
                            wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
                            2⤵
                              PID:2140
                            • C:\Windows\System32\Wbem\WMIC.exe
                              wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
                              2⤵
                                PID:1204
                              • C:\Windows\System32\Wbem\WMIC.exe
                                wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
                                2⤵
                                  PID:2728
                                • C:\Windows\System32\Wbem\WMIC.exe
                                  wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
                                  2⤵
                                    PID:2664
                                  • C:\Windows\System32\Wbem\WMIC.exe
                                    wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
                                    2⤵
                                      PID:3968
                                    • C:\Windows\System32\Wbem\WMIC.exe
                                      wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
                                      2⤵
                                        PID:1016
                                      • C:\Windows\System32\Wbem\WMIC.exe
                                        wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
                                        2⤵
                                          PID:3732
                                        • C:\Windows\System32\Wbem\WMIC.exe
                                          wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
                                          2⤵
                                            PID:3144
                                          • C:\Windows\system32\ipconfig.exe
                                            ipconfig /displaydns
                                            2⤵
                                            • Gathers network information
                                            PID:3108
                                          • C:\Windows\system32\ROUTE.EXE
                                            route print
                                            2⤵
                                              PID:644
                                            • C:\Windows\system32\netsh.exe
                                              netsh firewall show state
                                              2⤵
                                                PID:3652
                                              • C:\Windows\system32\systeminfo.exe
                                                systeminfo
                                                2⤵
                                                • Gathers system information
                                                PID:3504
                                              • C:\Windows\system32\tasklist.exe
                                                tasklist /v
                                                2⤵
                                                • Enumerates processes with tasklist
                                                PID:1288
                                              • C:\Windows\system32\net.exe
                                                net accounts /domain
                                                2⤵
                                                • Suspicious use of WriteProcessMemory
                                                PID:1724
                                                • C:\Windows\system32\net1.exe
                                                  C:\Windows\system32\net1 accounts /domain
                                                  3⤵
                                                    PID:2516
                                                • C:\Windows\system32\net.exe
                                                  net share
                                                  2⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:3744
                                                  • C:\Windows\system32\net1.exe
                                                    C:\Windows\system32\net1 share
                                                    3⤵
                                                      PID:1476
                                                  • C:\Windows\system32\net.exe
                                                    net user
                                                    2⤵
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:2196
                                                    • C:\Windows\system32\net1.exe
                                                      C:\Windows\system32\net1 user
                                                      3⤵
                                                        PID:900
                                                    • C:\Windows\system32\net.exe
                                                      net user /domain
                                                      2⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:3156
                                                      • C:\Windows\system32\net1.exe
                                                        C:\Windows\system32\net1 user /domain
                                                        3⤵
                                                          PID:1252
                                                      • C:\Windows\system32\net.exe
                                                        net use
                                                        2⤵
                                                          PID:300
                                                        • C:\Windows\system32\net.exe
                                                          net group
                                                          2⤵
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:200
                                                          • C:\Windows\system32\net1.exe
                                                            C:\Windows\system32\net1 group
                                                            3⤵
                                                              PID:4052
                                                          • C:\Windows\system32\net.exe
                                                            net localgroup
                                                            2⤵
                                                              PID:3768
                                                              • C:\Windows\system32\net1.exe
                                                                C:\Windows\system32\net1 localgroup
                                                                3⤵
                                                                  PID:2684
                                                              • C:\Windows\system32\NETSTAT.EXE
                                                                netstat -r
                                                                2⤵
                                                                • Gathers network information
                                                                PID:2192
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
                                                                  3⤵
                                                                    PID:2612
                                                                    • C:\Windows\system32\ROUTE.EXE
                                                                      C:\Windows\system32\route.exe print
                                                                      4⤵
                                                                        PID:2144
                                                                  • C:\Windows\system32\NETSTAT.EXE
                                                                    netstat -nao
                                                                    2⤵
                                                                    • Gathers network information
                                                                    PID:1344
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks /query
                                                                    2⤵
                                                                      PID:1204
                                                                    • C:\Windows\system32\ipconfig.exe
                                                                      ipconfig /all
                                                                      2⤵
                                                                      • Gathers network information
                                                                      PID:2544
                                                                  • C:\Windows\system32\msiexec.exe
                                                                    C:\Windows\system32\msiexec.exe /V
                                                                    1⤵
                                                                      PID:4064
                                                                    • C:\Program Files\Internet Explorer\iexplore.exe
                                                                      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                                                                      1⤵
                                                                      • Modifies Internet Explorer settings
                                                                      • Suspicious use of FindShellTrayWindow
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:2664
                                                                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:82945 /prefetch:2
                                                                        2⤵
                                                                        • Modifies Internet Explorer settings
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:3740
                                                                    • C:\Windows\SysWOW64\explorer.exe
                                                                      C:\Windows\SysWOW64\explorer.exe
                                                                      1⤵
                                                                      • Accesses Microsoft Outlook profiles
                                                                      • outlook_office_path
                                                                      • outlook_win_path
                                                                      PID:3064
                                                                    • C:\Windows\explorer.exe
                                                                      C:\Windows\explorer.exe
                                                                      1⤵
                                                                        PID:2976
                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                        C:\Windows\SysWOW64\explorer.exe
                                                                        1⤵
                                                                        • Suspicious behavior: MapViewOfSection
                                                                        PID:1492
                                                                      • C:\Windows\explorer.exe
                                                                        C:\Windows\explorer.exe
                                                                        1⤵
                                                                        • Suspicious behavior: MapViewOfSection
                                                                        PID:2184
                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                        C:\Windows\SysWOW64\explorer.exe
                                                                        1⤵
                                                                        • Suspicious behavior: MapViewOfSection
                                                                        PID:1004
                                                                      • C:\Windows\explorer.exe
                                                                        C:\Windows\explorer.exe
                                                                        1⤵
                                                                        • Suspicious behavior: MapViewOfSection
                                                                        PID:848
                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                        C:\Windows\SysWOW64\explorer.exe
                                                                        1⤵
                                                                        • Suspicious behavior: MapViewOfSection
                                                                        PID:208
                                                                      • C:\Windows\explorer.exe
                                                                        C:\Windows\explorer.exe
                                                                        1⤵
                                                                        • Suspicious behavior: MapViewOfSection
                                                                        PID:216

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • T1059 Command-Line Interface: 1

Persistence

  • T1031 Modify Existing Service: 1

Defense Evasion

  • T1112 Modify Registry: 1

Discovery

  • T1012 Query Registry: 1
  • T1120 Peripheral Device Discovery: 1
  • T1082 System Information Discovery: 3
  • T1057 Process Discovery: 1

Collection

  • T1114 Email Collection: 1

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 471B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize: 404B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\2MBC82HJ.cookie
    Filesize: 241B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\7WTDRGOZ.cookie
    Filesize: 110B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\JOR8M0T2.cookie
    Filesize: 523B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\N7BHT1WF.cookie
    Filesize: 319B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\O69DU3FJ.cookie
    Filesize: 608B

                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\QJA96849.cookie
                                                                        Filesize

                                                                        440B

