Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2022 19:08
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20221111-en
General
-
Target
file.exe
-
Size
216KB
-
MD5
0f72a0242a1cfa4af571328687d73b90
-
SHA1
1b3af5d6e9ca50592211e3a29e65a1c7817c6e5e
-
SHA256
618eb7d2b5bd2e32203d01e076ce78fb580f4af7a3a417ec800d8d726b333df3
-
SHA512
0b318e94d76d660673bb0ebc4440889e48eea1be3df08a176190dbc3efefbfbf6bbf53a7f035c7f0fa7d4b40d829bcf0308eb04a40e7cdb8dcba28ed056228f5
-
SSDEEP
3072:9mDhL7HoV5Kzo8XKC0z77KeYGe5+hx7szW7b/zNHCDml:AdLTHzTaz77KeeK6S5Ca
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
Processes:
resource yara_rule
behavioral2/memory/3440-133-0x00000000004E0000-0x00000000004E9000-memory.dmp family_smokeloader
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
Processes:
rundll32.exe
flow pid process
40 3652 rundll32.exe
45 3652 rundll32.exe
62 3652 rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
E786.exe
sswrrcb
pid process
4436 E786.exe
2676 sswrrcb
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes:
rundll32.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stop_collection_data\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\stop_collection_data.dll" rundll32.exe
-
Sets service image path in registry 2 TTPs 2 IoCs
Processes:
rundll32.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stop_collection_data\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" rundll32.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stop_collection_data\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService䨀" rundll32.exe
-
Loads dropped DLL 2 IoCs
Processes:
rundll32.exe
svchost.exe
pid process
3652 rundll32.exe
1240 svchost.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 26 IoCs
Processes:
rundll32.exe
description ioc process
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeXMP.dll rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base.dll rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\rss.gif rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\comment.svg rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\reader_sl.exe rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\download.svg rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\warning.gif rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Protect_R_RHP.aapp rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\CollectSignatures.aapp rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\stop_collection_data.dll rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Close2x.png rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\A3DUtils.dll rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close2x.png rundll32.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_base.dll rundll32.exe
File created C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef.css rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid pid_target process target process
4908 4436 WerFault.exe E786.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
file.exe
sswrrcb
description ioc process
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sswrrcb
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sswrrcb
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI sswrrcb
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe
-
Checks processor information in registry 2 TTPs 22 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exe
description ioc process
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
file.exepid process 3440 file.exe 3440 file.exe 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 2628 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process
2628
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
file.exe
sswrrcb
pid process
3440 file.exe
2676 sswrrcb
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description pid process
Token: SeShutdownPrivilege 2628
Token: SeCreatePagefilePrivilege 2628
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
E786.exe
description pid process target process
PID 2628 wrote to memory of 4436 2628 E786.exe
PID 2628 wrote to memory of 4436 2628 E786.exe
PID 2628 wrote to memory of 4436 2628 E786.exe
PID 4436 wrote to memory of 3652 4436 E786.exe rundll32.exe
PID 4436 wrote to memory of 3652 4436 E786.exe rundll32.exe
PID 4436 wrote to memory of 3652 4436 E786.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\E786.exe
C:\Users\Admin\AppData\Local\Temp\E786.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Drops file in Program Files directory
- Checks processor information in registry
-
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14124
3⤵
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 556
2⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4436 -ip 4436
1⤵
-
C:\Users\Admin\AppData\Roaming\sswrrcb
C:\Users\Admin\AppData\Roaming\sswrrcb
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\stop_collection_data.dll",bBVXcVlsSVdR
2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads