Malware Analysis Report

2025-08-11 01:38

Sample ID 230226-zbvp2sab3t
Target tmp
SHA256 c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d
Tags
smokeloader backdoor trojan remcos warzonerat n collection infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor trojan remcos warzonerat n collection infostealer persistence rat

Smokeloader family

SmokeLoader

Detects Smokeloader packer

Remcos

WarzoneRat, AveMaria

Adds policy Run key to start application

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

outlook_win_path

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Modifies registry class

Uses Task Scheduler COM API

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-26 20:33

Signatures

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A

Smokeloader family

smokeloader

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-26 20:33

Reported

2023-02-26 20:35

Platform

win7-20230220-en

Max time kernel

150s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Network

N/A

Files

memory/1192-54-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1192-56-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1256-55-0x0000000002190000-0x00000000021A6000-memory.dmp

memory/1256-59-0x000007FEB1F40000-0x000007FEB1F4A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-26 20:33

Reported

2023-02-26 20:35

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Detects Smokeloader packer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Remcos

rat remcos

SmokeLoader

trojan backdoor smokeloader

WarzoneRat, AveMaria

rat infostealer warzonerat

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\D15E.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows VHost = "\"C:\\Windows\\svhost.exe\"" C:\Users\Admin\AppData\Local\Temp\D15E.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\svhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Windows VHost = "\"C:\\Windows\\svhost.exe\"" C:\Windows\svhost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D15E.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D15E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D20B.exe N/A
N/A N/A C:\Windows\svhost.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\AppData\\Local\\Temp\\D20B.exe" C:\Users\Admin\AppData\Local\Temp\D20B.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1296 set thread context of 2116 N/A C:\Windows\svhost.exe C:\Windows\SysWOW64\svchost.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svhost.exe C:\Users\Admin\AppData\Local\Temp\D15E.exe N/A
File created C:\Windows\svhost.exe C:\Users\Admin\AppData\Local\Temp\D15E.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\D15E.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\svhost.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\svhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3160 wrote to memory of 2416 N/A N/A C:\Users\Admin\AppData\Local\Temp\D15E.exe
PID 3160 wrote to memory of 2416 N/A N/A C:\Users\Admin\AppData\Local\Temp\D15E.exe
PID 3160 wrote to memory of 2416 N/A N/A C:\Users\Admin\AppData\Local\Temp\D15E.exe
PID 3160 wrote to memory of 4496 N/A N/A C:\Users\Admin\AppData\Local\Temp\D20B.exe
PID 3160 wrote to memory of 4496 N/A N/A C:\Users\Admin\AppData\Local\Temp\D20B.exe
PID 3160 wrote to memory of 4496 N/A N/A C:\Users\Admin\AppData\Local\Temp\D20B.exe
PID 3160 wrote to memory of 4708 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 4708 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 4708 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 4708 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 3336 N/A N/A C:\Windows\explorer.exe
PID 3160 wrote to memory of 3336 N/A N/A C:\Windows\explorer.exe
PID 3160 wrote to memory of 3336 N/A N/A C:\Windows\explorer.exe
PID 2416 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\D15E.exe C:\Windows\svhost.exe
PID 2416 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\D15E.exe C:\Windows\svhost.exe
PID 2416 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\D15E.exe C:\Windows\svhost.exe
PID 1296 wrote to memory of 2116 N/A C:\Windows\svhost.exe C:\Windows\SysWOW64\svchost.exe
PID 1296 wrote to memory of 2116 N/A C:\Windows\svhost.exe C:\Windows\SysWOW64\svchost.exe
PID 1296 wrote to memory of 2116 N/A C:\Windows\svhost.exe C:\Windows\SysWOW64\svchost.exe
PID 1296 wrote to memory of 2116 N/A C:\Windows\svhost.exe C:\Windows\SysWOW64\svchost.exe
PID 3160 wrote to memory of 1432 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 1432 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 1432 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 1432 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 2300 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 2300 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 2300 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 2300 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3160 wrote to memory of 2108 N/A N/A C:\Windows\explorer.exe
PID 3160 wrote to memory of 2108 N/A N/A C:\Windows\explorer.exe
PID 3160 wrote to memory of 2108 N/A N/A C:\Windows\explorer.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\D15E.exe

C:\Users\Admin\AppData\Local\Temp\D15E.exe

C:\Users\Admin\AppData\Local\Temp\D20B.exe

C:\Users\Admin\AppData\Local\Temp\D20B.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\svhost.exe

"C:\Windows\svhost.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 254.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
US 8.8.8.8:53 29.220.184.93.in-addr.arpa udp
US 8.8.8.8:53 simplyadvanced1.com udp
NL 79.110.62.167:80 simplyadvanced1.com tcp
US 8.8.8.8:53 167.62.110.79.in-addr.arpa udp
NL 79.110.62.167:80 simplyadvanced1.com tcp
DE 173.212.217.108:1050 tcp
NL 212.87.204.251:5200 tcp
US 8.8.8.8:53 108.217.212.173.in-addr.arpa udp
US 8.8.8.8:53 251.204.87.212.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 20.189.173.12:443 tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp

Files

memory/4476-133-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3160-134-0x00000000005C0000-0x00000000005D6000-memory.dmp

memory/4476-135-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D15E.exe

MD5 eefc82bd1babcace31d1823bf8974852
SHA1 ea1e7ffb166b2c12a95fad1c7398d5e2ff74ed52
SHA256 970833813b7677c96a5ac2b136a982bc32c1179cf77aee729a0f4993f23c1f34
SHA512 6b21c156df25befe6b884761288092c680590d6cd9f52434c01404d3ee4e7a769de2766075be2b4f160266c382966d3ea36a415ba7b4b0de84e347c2fd4713dc

C:\Users\Admin\AppData\Local\Temp\D15E.exe

MD5 eefc82bd1babcace31d1823bf8974852
SHA1 ea1e7ffb166b2c12a95fad1c7398d5e2ff74ed52
SHA256 970833813b7677c96a5ac2b136a982bc32c1179cf77aee729a0f4993f23c1f34
SHA512 6b21c156df25befe6b884761288092c680590d6cd9f52434c01404d3ee4e7a769de2766075be2b4f160266c382966d3ea36a415ba7b4b0de84e347c2fd4713dc

C:\Users\Admin\AppData\Local\Temp\D20B.exe

MD5 4da855885a48a88b2b99abdaf7dbaddb
SHA1 95be38902672a4f729325f4322449fafe52791c4
SHA256 e6e5fa379b321d66c93d236eadc5c81478c821b545a7ff9ac6d07e14ed5a8983
SHA512 4f5855573c3d08d8a11325775230544ecf79f884009a94c30c8bd4547e2ad873224ef1d34fd15b9e91423a5cf4351f22d4aa50be7c14cc2bdc2260c009e61c93

C:\Users\Admin\AppData\Local\Temp\D20B.exe

MD5 4da855885a48a88b2b99abdaf7dbaddb
SHA1 95be38902672a4f729325f4322449fafe52791c4
SHA256 e6e5fa379b321d66c93d236eadc5c81478c821b545a7ff9ac6d07e14ed5a8983
SHA512 4f5855573c3d08d8a11325775230544ecf79f884009a94c30c8bd4547e2ad873224ef1d34fd15b9e91423a5cf4351f22d4aa50be7c14cc2bdc2260c009e61c93

memory/4708-155-0x0000000000400000-0x000000000046B000-memory.dmp

C:\Windows\svhost.exe

MD5 eefc82bd1babcace31d1823bf8974852
SHA1 ea1e7ffb166b2c12a95fad1c7398d5e2ff74ed52
SHA256 970833813b7677c96a5ac2b136a982bc32c1179cf77aee729a0f4993f23c1f34
SHA512 6b21c156df25befe6b884761288092c680590d6cd9f52434c01404d3ee4e7a769de2766075be2b4f160266c382966d3ea36a415ba7b4b0de84e347c2fd4713dc

memory/4708-183-0x0000000000470000-0x00000000004F0000-memory.dmp

memory/4708-184-0x0000000000400000-0x000000000046B000-memory.dmp

memory/3336-185-0x0000000000A20000-0x0000000000A2C000-memory.dmp

memory/3336-192-0x0000000000A20000-0x0000000000A2C000-memory.dmp

memory/4708-206-0x0000000000400000-0x000000000046B000-memory.dmp

C:\Windows\svhost.exe

MD5 eefc82bd1babcace31d1823bf8974852
SHA1 ea1e7ffb166b2c12a95fad1c7398d5e2ff74ed52
SHA256 970833813b7677c96a5ac2b136a982bc32c1179cf77aee729a0f4993f23c1f34
SHA512 6b21c156df25befe6b884761288092c680590d6cd9f52434c01404d3ee4e7a769de2766075be2b4f160266c382966d3ea36a415ba7b4b0de84e347c2fd4713dc

C:\Windows\svhost.exe

MD5 eefc82bd1babcace31d1823bf8974852
SHA1 ea1e7ffb166b2c12a95fad1c7398d5e2ff74ed52
SHA256 970833813b7677c96a5ac2b136a982bc32c1179cf77aee729a0f4993f23c1f34
SHA512 6b21c156df25befe6b884761288092c680590d6cd9f52434c01404d3ee4e7a769de2766075be2b4f160266c382966d3ea36a415ba7b4b0de84e347c2fd4713dc

memory/2116-210-0x0000000001000000-0x000000000107C000-memory.dmp

memory/2116-211-0x0000000001000000-0x000000000107C000-memory.dmp

memory/2116-212-0x0000000001000000-0x000000000107C000-memory.dmp

memory/2116-213-0x0000000001000000-0x000000000107C000-memory.dmp

memory/1432-214-0x0000000000370000-0x0000000000379000-memory.dmp

memory/1432-216-0x0000000000380000-0x0000000000384000-memory.dmp

memory/1432-217-0x0000000000370000-0x0000000000379000-memory.dmp

memory/2300-218-0x0000000001040000-0x0000000001049000-memory.dmp

memory/2300-219-0x0000000001050000-0x0000000001054000-memory.dmp

memory/2300-220-0x0000000001040000-0x0000000001049000-memory.dmp

memory/2108-221-0x0000000000560000-0x0000000000569000-memory.dmp

memory/2108-222-0x0000000000570000-0x0000000000575000-memory.dmp

memory/2108-223-0x0000000000560000-0x0000000000569000-memory.dmp

memory/1432-226-0x0000000000380000-0x0000000000384000-memory.dmp

memory/2300-227-0x0000000001050000-0x0000000001054000-memory.dmp

memory/2108-228-0x0000000000570000-0x0000000000575000-memory.dmp