smokeloader | 08f0320fad62f2f218bc0ad7df7e8bc6e52ee818345e69e5792d2646ad7d3395

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 13:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

08f0320fad62f2f218bc0ad7df7e8bc6e52ee818345e69e5792d2646ad7d3395.exe
Size

259KB
MD5

0e09691df0ea66e066cb9818b81342d5
SHA1

6399d6873895c330048eb4dbc40aae576bd513dd
SHA256

08f0320fad62f2f218bc0ad7df7e8bc6e52ee818345e69e5792d2646ad7d3395
SHA512

ed702d1789b376612fdcec5ccd456ed4ff3331973f6044195b3b352f1f71071d9c24fbc334dead2a28a14c41a0fde9be2c1187039e7e8614f078ae133bbbc579
SSDEEP

3072:KdXtHtbVs8Q5P0+VOWT5CRz7TmSaKg1KW1VVS+DhTDw02rwl2fvzB6p2ZeXGMh0r:uajvVQRvCSaKg1KeId02slWVe2U

Score

10^/10

smokeloader backdoor discovery trojan

Malware Config

Signatures

Detects Smokeloader packer 2 IoCs

resource	yara_rule
behavioral1/memory/1628-133-0x00000000005C0000-0x00000000005C9000-memory.dmp	family_smokeloader
behavioral1/memory/1628-136-0x00000000005C0000-0x00000000005C9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
38	1528	rundll32.exe
41	1528	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1480	494D.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1480 set thread context of 3820	1480	494D.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2676	1480	WerFault.exe	82

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	08f0320fad62f2f218bc0ad7df7e8bc6e52ee818345e69e5792d2646ad7d3395.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	08f0320fad62f2f218bc0ad7df7e8bc6e52ee818345e69e5792d2646ad7d3395.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	08f0320fad62f2f218bc0ad7df7e8bc6e52ee818345e69e5792d2646ad7d3395.exe

Checks processor information in registry 2 TTPs 45 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	494D.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	494D.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	494D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	494D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	494D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	494D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	494D.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	494D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	494D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	494D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	494D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	494D.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	494D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	494D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	494D.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	494D.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	494D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	494D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	494D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	494D.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1076	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	08f0320fad62f2f218bc0ad7df7e8bc6e52ee818345e69e5792d2646ad7d3395.exe
1628	08f0320fad62f2f218bc0ad7df7e8bc6e52ee818345e69e5792d2646ad7d3395.exe
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found
1076	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1076	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1628	08f0320fad62f2f218bc0ad7df7e8bc6e52ee818345e69e5792d2646ad7d3395.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1076	Process not Found
Token: SeCreatePagefilePrivilege	1076	Process not Found
Token: SeDebugPrivilege	3820	rundll32.exe
Token: SeShutdownPrivilege	1076	Process not Found
Token: SeCreatePagefilePrivilege	1076	Process not Found
Token: SeShutdownPrivilege	1076	Process not Found
Token: SeCreatePagefilePrivilege	1076	Process not Found
Token: SeShutdownPrivilege	1076	Process not Found
Token: SeCreatePagefilePrivilege	1076	Process not Found
Token: SeShutdownPrivilege	1076	Process not Found
Token: SeCreatePagefilePrivilege	1076	Process not Found
Token: SeShutdownPrivilege	1076	Process not Found
Token: SeCreatePagefilePrivilege	1076	Process not Found
Token: SeShutdownPrivilege	1076	Process not Found
Token: SeCreatePagefilePrivilege	1076	Process not Found
Token: SeShutdownPrivilege	1076	Process not Found
Token: SeCreatePagefilePrivilege	1076	Process not Found
Token: SeShutdownPrivilege	1076	Process not Found
Token: SeCreatePagefilePrivilege	1076	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3820	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1076	Process not Found
1076	Process not Found

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1480	1076	Process not Found	82
PID 1076 wrote to memory of 1480	1076	Process not Found	82
PID 1076 wrote to memory of 1480	1076	Process not Found	82
PID 1480 wrote to memory of 1528	1480	494D.exe	83
PID 1480 wrote to memory of 1528	1480	494D.exe	83
PID 1480 wrote to memory of 1528	1480	494D.exe	83
PID 1480 wrote to memory of 1528	1480	494D.exe	83
PID 1480 wrote to memory of 1528	1480	494D.exe	83
PID 1480 wrote to memory of 1528	1480	494D.exe	83
PID 1480 wrote to memory of 1528	1480	494D.exe	83
PID 1480 wrote to memory of 1528	1480	494D.exe	83
PID 1480 wrote to memory of 1528	1480	494D.exe	83
PID 1480 wrote to memory of 3820	1480	494D.exe	87
PID 1480 wrote to memory of 3820	1480	494D.exe	87
PID 1480 wrote to memory of 3820	1480	494D.exe	87
PID 1480 wrote to memory of 3820	1480	494D.exe	87

C:\Users\Admin\AppData\Local\Temp\08f0320fad62f2f218bc0ad7df7e8bc6e52ee818345e69e5792d2646ad7d3395.exe
"C:\Users\Admin\AppData\Local\Temp\08f0320fad62f2f218bc0ad7df7e8bc6e52ee818345e69e5792d2646ad7d3395.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1628

C:\Users\Admin\AppData\Local\Temp\494D.exe
C:\Users\Admin\AppData\Local\Temp\494D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Blocklisted process makes network request
  PID:1528
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1044
  2⤵
  - Program crash
  PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480
1⤵
PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\494D.exe

Filesize
840KB

MD5
f25703865c694c4929a14af5478cd6ea

SHA1
251e84c22a32a5ca4a9bdb948547f4444c44d9b2

SHA256
7030e22b40c9b56e0e4d8b02be53603815a664590aa5200fb4ce44bfd633eb61

SHA512
c0a56f4d85e777cdccaade6b00cd6fc0e52e8e71ff2d9dda164de4fee5ae63c1c53d008f4acbac097faba12100f5f4fad66f6045705ec73147896adfe9d3912d

Download Submit
C:\Users\Admin\AppData\Local\Temp\494D.exe

Filesize
840KB

MD5
f25703865c694c4929a14af5478cd6ea

SHA1
251e84c22a32a5ca4a9bdb948547f4444c44d9b2

SHA256
7030e22b40c9b56e0e4d8b02be53603815a664590aa5200fb4ce44bfd633eb61

SHA512
c0a56f4d85e777cdccaade6b00cd6fc0e52e8e71ff2d9dda164de4fee5ae63c1c53d008f4acbac097faba12100f5f4fad66f6045705ec73147896adfe9d3912d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prewodwyyerdeuy..tmp

Filesize
3.5MB

MD5
1951049d57a12b81d96e53ba69eecc2e

SHA1
7c02ee5b4c4f1de5e7955d641c0c4949a9907a22

SHA256
f904e96e8666928f318f5515400282402d1f5d4a6f05304b9e92982ef32e3ba4

SHA512
e7d4f0fd41b8cb17f3969ad094e114bff74c82d57676a23728bd232b83c36116104c1b364d896681f1b0ce0b6ecb746f47ddafbc0b5ac88801bfd599db5abe15

Download Submit
memory/1480-159-0x0000000006950000-0x0000000006A90000-memory.dmp

Filesize
1.2MB

Download
memory/1480-144-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1480-170-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1480-169-0x0000000005CC0000-0x0000000006819000-memory.dmp

Filesize
11.3MB

Download
memory/1480-155-0x0000000006950000-0x0000000006A90000-memory.dmp

Filesize
1.2MB

Download
memory/1480-154-0x0000000006950000-0x0000000006A90000-memory.dmp

Filesize
1.2MB

Download
memory/1480-142-0x00000000020F3000-0x0000000002194000-memory.dmp

Filesize
644KB

Download
memory/1480-143-0x0000000002260000-0x0000000002355000-memory.dmp

Filesize
980KB

Download
memory/1480-151-0x0000000005CC0000-0x0000000006819000-memory.dmp

Filesize
11.3MB

Download
memory/1480-157-0x0000000006950000-0x0000000006A90000-memory.dmp

Filesize
1.2MB

Download
memory/1480-156-0x0000000006950000-0x0000000006A90000-memory.dmp

Filesize
1.2MB

Download
memory/1480-152-0x0000000006950000-0x0000000006A90000-memory.dmp

Filesize
1.2MB

Download
memory/1480-158-0x0000000006950000-0x0000000006A90000-memory.dmp

Filesize
1.2MB

Download
memory/1480-149-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/1480-150-0x0000000005CC0000-0x0000000006819000-memory.dmp

Filesize
11.3MB

Download
memory/1480-153-0x0000000006950000-0x0000000006A90000-memory.dmp

Filesize
1.2MB

Download
memory/1528-147-0x0000000000700000-0x0000000000703000-memory.dmp

Filesize
12KB

Download
memory/1528-146-0x0000000000700000-0x0000000000703000-memory.dmp

Filesize
12KB

Download
memory/1528-145-0x0000000000630000-0x0000000000633000-memory.dmp

Filesize
12KB

Download
memory/1628-136-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/1628-134-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1628-133-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/1628-132-0x00000000005E8000-0x00000000005F8000-memory.dmp

Filesize
64KB

Download
memory/1628-137-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1628-135-0x00000000005E8000-0x00000000005F8000-memory.dmp

Filesize
64KB

Download
memory/3820-163-0x0000000003F50000-0x0000000004090000-memory.dmp

Filesize
1.2MB

Download
memory/3820-164-0x0000000000E00000-0x0000000001839000-memory.dmp

Filesize
10.2MB

Download
memory/3820-166-0x0000000003F50000-0x0000000004090000-memory.dmp

Filesize
1.2MB

Download
memory/3820-165-0x0000000003F50000-0x0000000004090000-memory.dmp

Filesize
1.2MB

Download
memory/3820-167-0x0000000003370000-0x0000000003EC9000-memory.dmp

Filesize
11.3MB

Download
memory/3820-168-0x0000000003370000-0x0000000003EC9000-memory.dmp

Filesize
11.3MB

Download
memory/3820-161-0x0000000003370000-0x0000000003EC9000-memory.dmp

Filesize
11.3MB

Download
memory/3820-162-0x0000000003F50000-0x0000000004090000-memory.dmp

Filesize
1.2MB

Download