smokeloader | 1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317

Analysis

max time kernel
72s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe
Size

316KB
MD5

32a4b80280e9e86448dc027b15242a12
SHA1

8ef1be65e8a0d0d1ac4304222490bb11bc3fb534
SHA256

1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317
SHA512

66a6c84f4dd44339e24fef318b75be17025a0607e79b1c7ee3c95b364df969331ba3d41e16148c12c5bed09a7fb1765e35f0c79c76f632f1529449bb6b34c451
SSDEEP

6144:oKL50V19MEhPf2536xJA4Tl/aKO9/CJTk637eQfnd5xr8B:vi1TRO5qgy/u9CJb7d55

Score

10^/10

smokeloader backdoor discovery persistence trojan

Malware Config

Signatures

Detects Smokeloader packer 6 IoCs

resource	yara_rule
behavioral1/memory/504-133-0x0000000000620000-0x0000000000629000-memory.dmp	family_smokeloader
behavioral1/memory/1448-135-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/1448-137-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/1448-138-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/4644-184-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/4644-185-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
63	3424	rundll32.exe
65	3424	rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
4496	5F18.exe
792	B1CC.exe
4900	fvjsjth
4536	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
3424	rundll32.exe
3424	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	B1CC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 504 set thread context of 1448	504	1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1704	4496	WerFault.exe	87

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	70	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1448	1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe
1448	1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found
3068	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1448	1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3068	Process not Found
Token: SeCreatePagefilePrivilege	3068	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 504 wrote to memory of 1448	504	1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe	78
PID 504 wrote to memory of 1448	504	1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe	78
PID 504 wrote to memory of 1448	504	1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe	78
PID 504 wrote to memory of 1448	504	1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe	78
PID 504 wrote to memory of 1448	504	1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe	78
PID 504 wrote to memory of 1448	504	1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe	78
PID 3068 wrote to memory of 4496	3068	Process not Found	87
PID 3068 wrote to memory of 4496	3068	Process not Found	87
PID 3068 wrote to memory of 4496	3068	Process not Found	87
PID 4496 wrote to memory of 3424	4496	5F18.exe	88
PID 4496 wrote to memory of 3424	4496	5F18.exe	88
PID 4496 wrote to memory of 3424	4496	5F18.exe	88
PID 3068 wrote to memory of 792	3068	Process not Found	92
PID 3068 wrote to memory of 792	3068	Process not Found	92
PID 3068 wrote to memory of 792	3068	Process not Found	92
PID 792 wrote to memory of 4536	792	B1CC.exe	94
PID 792 wrote to memory of 4536	792	B1CC.exe	94
PID 792 wrote to memory of 4536	792	B1CC.exe	94

C:\Users\Admin\AppData\Local\Temp\1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe
"C:\Users\Admin\AppData\Local\Temp\1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:504
- C:\Users\Admin\AppData\Local\Temp\1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe
  "C:\Users\Admin\AppData\Local\Temp\1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1448

C:\Users\Admin\AppData\Local\Temp\5F18.exe
C:\Users\Admin\AppData\Local\Temp\5F18.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Rqdarrhtrsoihy.dll,start
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Checks processor information in registry
  PID:3424
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14113
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:2008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 552
  2⤵
  - Program crash
  PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4496 -ip 4496
1⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\B1CC.exe
C:\Users\Admin\AppData\Local\Temp\B1CC.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:4536

C:\Users\Admin\AppData\Roaming\fvjsjth
C:\Users\Admin\AppData\Roaming\fvjsjth
1⤵
- Executes dropped EXE
PID:4900
- C:\Users\Admin\AppData\Roaming\fvjsjth
  C:\Users\Admin\AppData\Roaming\fvjsjth
  2⤵
  PID:4644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5F18.exe

Filesize
3.2MB

MD5
a4700ec681179281e843ee627e9920ec

SHA1
4eb090bbf8cfbd9a117c00976d7df516f7c54c3b

SHA256
1d2deeb2342c39825ddf077c76b49fd06af36ad04aa04246258e8b07ca07e653

SHA512
07d0a3b24a00cc9d302b24f2832ed6910616362a3b8f5d341603a89841e767cd84acde78ed7ed00bacc0c758c4544b29aace677473c19c3a9b9f4da7a4b1a6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F18.exe

Filesize
3.2MB

MD5
a4700ec681179281e843ee627e9920ec

SHA1
4eb090bbf8cfbd9a117c00976d7df516f7c54c3b

SHA256
1d2deeb2342c39825ddf077c76b49fd06af36ad04aa04246258e8b07ca07e653

SHA512
07d0a3b24a00cc9d302b24f2832ed6910616362a3b8f5d341603a89841e767cd84acde78ed7ed00bacc0c758c4544b29aace677473c19c3a9b9f4da7a4b1a6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1CC.exe

Filesize
1.9MB

MD5
63589fa4ff8152a1c42d4e842f7225ad

SHA1
699de2b96129b4b31fef9249dea15b51f978212f

SHA256
15cdd99ecee05ee297db2ad94c208dfa1901d9e55220bb7a77af69f4f83d1973

SHA512
b3ea8ef5569a68cf646d224dcbf5f913e74efa307330f2c442ca7f773a50c50221bb61c2af2acb436c613ad8b4d06d5f31cf1c84605f865a0c92df81c7870b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1CC.exe

Filesize
1.9MB

MD5
63589fa4ff8152a1c42d4e842f7225ad

SHA1
699de2b96129b4b31fef9249dea15b51f978212f

SHA256
15cdd99ecee05ee297db2ad94c208dfa1901d9e55220bb7a77af69f4f83d1973

SHA512
b3ea8ef5569a68cf646d224dcbf5f913e74efa307330f2c442ca7f773a50c50221bb61c2af2acb436c613ad8b4d06d5f31cf1c84605f865a0c92df81c7870b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rqdarrhtrsoihy.dll

Filesize
4.3MB

MD5
18652cdfcb5736a150c2a53abafe9490

SHA1
a236a6e9c1b2d5284225da1157d64d5c906baa4b

SHA256
a1b5689ee94ac4f80572e501e1db1a187716506584d55caaf9887a978e1dc8d3

SHA512
a6f1fa3eee01d475c96da1d4a6eb07757c67aaad810b1fc0a61a9a7ef9ecce01617b5d75a3fb34ef7b923305fde78a9c80df393e0d83a6de6e408c61a285fe79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rqdarrhtrsoihy.dll

Filesize
4.3MB

MD5
18652cdfcb5736a150c2a53abafe9490

SHA1
a236a6e9c1b2d5284225da1157d64d5c906baa4b

SHA256
a1b5689ee94ac4f80572e501e1db1a187716506584d55caaf9887a978e1dc8d3

SHA512
a6f1fa3eee01d475c96da1d4a6eb07757c67aaad810b1fc0a61a9a7ef9ecce01617b5d75a3fb34ef7b923305fde78a9c80df393e0d83a6de6e408c61a285fe79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rqdarrhtrsoihy.dll

Filesize
4.3MB

MD5
18652cdfcb5736a150c2a53abafe9490

SHA1
a236a6e9c1b2d5284225da1157d64d5c906baa4b

SHA256
a1b5689ee94ac4f80572e501e1db1a187716506584d55caaf9887a978e1dc8d3

SHA512
a6f1fa3eee01d475c96da1d4a6eb07757c67aaad810b1fc0a61a9a7ef9ecce01617b5d75a3fb34ef7b923305fde78a9c80df393e0d83a6de6e408c61a285fe79

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
456.8MB

MD5
c6121e3def66f8f4054380b965179507

SHA1
1a48d9c09d2ec7fa67036583fad0d87e6aee5778

SHA256
f363ae2596b1a4ad1e6c00dcff0f3fb944e684a99f93f6b83848f493f62cb180

SHA512
ec16b27df5a440868194991bc3a8085ef3f0f261191457dcbf082958b522f6d890eb8ddf4ac06ecec9d20a58b4e1eb3743ad1afe24c4b7640ae8db979c3dc801

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
451.9MB

MD5
0b945f5b6e86de498be20d846276db39

SHA1
62542efb46f03d9b9783e850aaecbdb1ff00dd01

SHA256
2885b6dce6bdf5b1e62dbd7803cfe8de141c76534ec9ae35f816d449590417ec

SHA512
3515c74dc4a528f3e60dc85677b0726f5cd3d9cc08432bdecc7ec4c6759bbd095c6f2c19941aea46c892ca9415d8ef84bb9a568a69ad763a2380b7b173c0c106

Download Submit
C:\Users\Admin\AppData\Roaming\fvjsjth

Filesize
316KB

MD5
32a4b80280e9e86448dc027b15242a12

SHA1
8ef1be65e8a0d0d1ac4304222490bb11bc3fb534

SHA256
1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317

SHA512
66a6c84f4dd44339e24fef318b75be17025a0607e79b1c7ee3c95b364df969331ba3d41e16148c12c5bed09a7fb1765e35f0c79c76f632f1529449bb6b34c451

Download Submit
C:\Users\Admin\AppData\Roaming\fvjsjth

Filesize
316KB

MD5
32a4b80280e9e86448dc027b15242a12

SHA1
8ef1be65e8a0d0d1ac4304222490bb11bc3fb534

SHA256
1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317

SHA512
66a6c84f4dd44339e24fef318b75be17025a0607e79b1c7ee3c95b364df969331ba3d41e16148c12c5bed09a7fb1765e35f0c79c76f632f1529449bb6b34c451

Download Submit
C:\Users\Admin\AppData\Roaming\fvjsjth

Filesize
316KB

MD5
32a4b80280e9e86448dc027b15242a12

SHA1
8ef1be65e8a0d0d1ac4304222490bb11bc3fb534

SHA256
1d552c111dd191aed39c9f08def26023ad631e70363cb96ec50e8de064e70317

SHA512
66a6c84f4dd44339e24fef318b75be17025a0607e79b1c7ee3c95b364df969331ba3d41e16148c12c5bed09a7fb1765e35f0c79c76f632f1529449bb6b34c451

Download Submit
memory/504-136-0x000000000050D000-0x0000000000522000-memory.dmp

Filesize
84KB

Download
memory/504-132-0x000000000050D000-0x0000000000522000-memory.dmp

Filesize
84KB

Download
memory/504-133-0x0000000000620000-0x0000000000629000-memory.dmp

Filesize
36KB

Download
memory/792-156-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/792-154-0x0000000002418000-0x00000000025C2000-memory.dmp

Filesize
1.7MB

Download
memory/792-162-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/792-155-0x00000000026D0000-0x0000000002AA0000-memory.dmp

Filesize
3.8MB

Download
memory/792-151-0x0000000000000000-mapping.dmp

Download
memory/1448-135-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1448-134-0x0000000000000000-mapping.dmp

Download
memory/1448-137-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1448-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2008-188-0x0000000000000000-mapping.dmp

Download
memory/2228-173-0x000001A9A7130000-0x000001A9A7270000-memory.dmp

Filesize
1.2MB

Download
memory/2228-175-0x000001A9A7130000-0x000001A9A7270000-memory.dmp

Filesize
1.2MB

Download
memory/2228-177-0x0000000000360000-0x00000000005FB000-memory.dmp

Filesize
2.6MB

Download
memory/2228-172-0x00007FF6885D6890-mapping.dmp

Download
memory/2228-178-0x000001A9A56E0000-0x000001A9A598C000-memory.dmp

Filesize
2.7MB

Download
memory/3424-163-0x0000000003970000-0x00000000044A0000-memory.dmp

Filesize
11.2MB

Download
memory/3424-149-0x00000000025F0000-0x0000000002A3E000-memory.dmp

Filesize
4.3MB

Download
memory/3424-164-0x0000000003970000-0x00000000044A0000-memory.dmp

Filesize
11.2MB

Download
memory/3424-165-0x0000000003970000-0x00000000044A0000-memory.dmp

Filesize
11.2MB

Download
memory/3424-166-0x0000000004560000-0x00000000046A0000-memory.dmp

Filesize
1.2MB

Download
memory/3424-167-0x0000000004560000-0x00000000046A0000-memory.dmp

Filesize
1.2MB

Download
memory/3424-168-0x0000000004560000-0x00000000046A0000-memory.dmp

Filesize
1.2MB

Download
memory/3424-169-0x0000000004560000-0x00000000046A0000-memory.dmp

Filesize
1.2MB

Download
memory/3424-170-0x0000000004560000-0x00000000046A0000-memory.dmp

Filesize
1.2MB

Download
memory/3424-171-0x0000000004560000-0x00000000046A0000-memory.dmp

Filesize
1.2MB

Download
memory/3424-179-0x0000000003970000-0x00000000044A0000-memory.dmp

Filesize
11.2MB

Download
memory/3424-145-0x0000000000000000-mapping.dmp

Download
memory/4496-144-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download
memory/4496-139-0x0000000000000000-mapping.dmp

Download
memory/4496-143-0x0000000002800000-0x0000000002BB7000-memory.dmp

Filesize
3.7MB

Download
memory/4496-150-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download
memory/4496-142-0x00000000024F6000-0x00000000027F9000-memory.dmp

Filesize
3.0MB

Download
memory/4536-174-0x000000000237B000-0x0000000002525000-memory.dmp

Filesize
1.7MB

Download
memory/4536-159-0x0000000000000000-mapping.dmp

Download
memory/4536-187-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4536-176-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4588-186-0x0000000000000000-mapping.dmp

Download
memory/4644-180-0x0000000000000000-mapping.dmp

Download
memory/4644-185-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4644-184-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4900-183-0x000000000071D000-0x0000000000733000-memory.dmp

Filesize
88KB

Download