Analysis

  • max time kernel
    300s
  • max time network
    297s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    25/09/2023, 01:37

General

  • Target

    4098aa6438facda5fdc7dd24d893f4b71db89eec6561cb6e08a3b9db2b8902fe.exe

  • Size

    270KB

  • MD5

    60fd337ba59312469cbd074fee9d1b19

  • SHA1

    01200c7c9c2c3709991a4caebd5bbc045941056b

  • SHA256

    4098aa6438facda5fdc7dd24d893f4b71db89eec6561cb6e08a3b9db2b8902fe

  • SHA512

    2769a7f5e900e82c0627b50613a0eba5105718d28392fdbc758be048a44c19aebc5f97d02baa284e21a6055eca3642dc1b1be0b36b6c79866c1e104ab512282c

  • SSDEEP

    6144:cRVhrJ+j+5j68KsT6h/OCy5U9uAOLAm4Mqyqw6:cRLN+j+5+RsqGGuime/w6

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detected google phishing page
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4098aa6438facda5fdc7dd24d893f4b71db89eec6561cb6e08a3b9db2b8902fe.exe
    "C:\Users\Admin\AppData\Local\Temp\4098aa6438facda5fdc7dd24d893f4b71db89eec6561cb6e08a3b9db2b8902fe.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4868
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 212
      2⤵
      • Program crash
      PID:2288
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E087.bat" "
    1⤵
    • Checks computer location settings
    PID:336
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3084
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4800
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2340
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4644
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:2788
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:2928
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:4396
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:388
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:1404
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:3868
  • C:\Users\Admin\AppData\Roaming\hhvtiet
    C:\Users\Admin\AppData\Roaming\hhvtiet
    1⤵
    • Executes dropped EXE
    PID:4208

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DZDMTHDJ\edgecompatviewlist[1].xml

          Filesize

          74KB

          MD5

          d4fc49dc14f63895d997fa4940f24378

          SHA1

          3efb1437a7c5e46034147cbbc8db017c69d02c31

          SHA256

          853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

          SHA512

          cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\464JII8V\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\DHSXK5YT\B8BxsscfVBr[1].ico

          Filesize

          1KB

          MD5

          e508eca3eafcc1fc2d7f19bafb29e06b

          SHA1

          a62fc3c2a027870d99aedc241e7d5babba9a891f

          SHA256

          e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a

          SHA512

          49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\GRCKJ08W.cookie

          Filesize

          132B

          MD5

          5d9cbd6a4b4e808780f0722dc9dc48fa

          SHA1

          dd5f4f7a7979c51160e654b0c1ab876d4e58a9a1

          SHA256

          3c6fb2b8e89dba2a0dc4760a25622198234f6949de2b79ca229ed25f45e04c69

          SHA512

          9838375ad0b2aaf403c54a7385c53f9e0e169e8f65aef3b05616a1a82377644c43b408191e98869e556269e72a47a719aad50623c22d818ba5389e9a01a226e5

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\HOO1L1Y6.cookie

          Filesize

          132B

          MD5

          695af10b1230a903b214f9508a20928a

          SHA1

          c561124d20f2540d661b7117f07d036c0bc59620

          SHA256

          e11b423406785bb326bde9328bb698caa01425c97e9fb3dee228cf277724a8c1

          SHA512

          6fb4c49dd55a1f2ec4f7c0f08ba7d4e2d922d183fba47a876167d0bd6795d03c9e76cd7efce008982368ecdde9b1a4b2a1f4ff6b6cc98bfdf4e253faac83272a

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          1KB

          MD5

          b5eda74305a01c41450e0d12777199e1

          SHA1

          36162e9e8c3a69b237d317f7c300f11927a37c12

          SHA256

          6e5c17b2b4e22fa800baa0eaf0b76ce73005e463b915503e8bca92223b9cf594

          SHA512

          f96b2ea451f4ceef082e1289a7f1e160580f5a8d515eaf2b4df0d8d818c34355c17538806f873fba07118b5c937d8c3172721ee03e3d16126e07c0db5faf16f3

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

          Filesize

          4KB

          MD5

          24be8a92460b5b7a555b1da559296958

          SHA1

          94147054e8a04e82fea1c185af30c7c90b194064

          SHA256

          77a3cfe6b7eb676af438d5de88c7efcb6abcc494e0b65da90201969e6d79b2a3

          SHA512

          ed8ef0453e050392c430fdcf556249f679570c130decd18057e077471a45ab0bc0fba513cb2d4d1c61f3d1935318113b3733dec2bc7828a169b18a1081e609a0

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

          Filesize

          4KB

          MD5

          24be8a92460b5b7a555b1da559296958

          SHA1

          94147054e8a04e82fea1c185af30c7c90b194064

          SHA256

          77a3cfe6b7eb676af438d5de88c7efcb6abcc494e0b65da90201969e6d79b2a3

          SHA512

          ed8ef0453e050392c430fdcf556249f679570c130decd18057e077471a45ab0bc0fba513cb2d4d1c61f3d1935318113b3733dec2bc7828a169b18a1081e609a0

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

          Filesize

          471B

          MD5

          c1481fcd5428e1e8013edc7621812724

          SHA1

          8e86eadf871ca94477b0e469360502203eab3d97

          SHA256

          9b9ad2ae252224803a2cc6f160d3305677ca54c8053008fd5b469574c42ac12e

          SHA512

          364e2fc399239cc2db6dd9e1f93ca5fb4b482ffe8e1d2a05a2c81d3c1efde9ad2d51a693dcde9f1198a35fa1e0d6ed3b46048cb56ac3be34e9ceb40c4c389ae6

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

          Filesize

          724B

          MD5

          ac89a852c2aaa3d389b2d2dd312ad367

          SHA1

          8f421dd6493c61dbda6b839e2debb7b50a20c930

          SHA256

          0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

          SHA512

          c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

          Filesize

          471B

          MD5

          3b7403306365b481a905b872a4a8fe8d

          SHA1

          848d8b54a1b0fa0f473fe13bbabcb7872c0a6067

          SHA256

          f7ffcd2b2deb0aafb5ab3eca136e1bfa6560686bf31f6982afeb0535dfd70bd7

          SHA512

          bb40f31f256d4635c9ef00ef2eb7f6d959a262e55e8028d2d009073b74979900672073db15b2e3130b551dfe3b770863251940fa13c49375b8e18c5be24fb2a9

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

          Filesize

          410B

          MD5

          28b5828edb5e7f8322c875a115f71423

          SHA1

          9d881f68709d25ad0f71959c63376076a285b94f

          SHA256

          f228632e02eaf47228b09dee2d6fa1af790eaac594699a00363e9a9201706be8

          SHA512

          a38878aae6a1146c2a0bbf7ea0c32f185278e517d10fda3a9facbe5cec50170d32db23a6ec22f9037d6a2c815d575fe09e958bc78aaadb73003a503d29695ee6

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

          Filesize

          342B

          MD5

          2f73df9c5115d0e375c47d7ac370bc2f

          SHA1

          732527f3b4f5911585e83699bc209801594338fa

          SHA256

          ceeec8dce87e91ae1df6ef8b6d4769167aa43cd6525ccd580be042a720391122

          SHA512

          73e51500be46cbada3168f3d87b6b8ad22cae542061ae6740e652a1859ec66f4669334948262cd562bb6489c6bd8b144c0afae6cf4962b5d4ff48ca5003e8810

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

          Filesize

          342B

          MD5

          e072e351c5999d41782c085152e61b64

          SHA1

          b809e641964d198c8397e49da8f327bdfae7c22f

          SHA256

          eda3f2ce69dd0da7cbe6b3e90995c2445efc460cccb8f5533a7bc55b3df88537

          SHA512

          b2208bc0bd67aa36bc6d7189b0d9d6eeef1880a968be9701f5a6912eb93d885224d0a3e3964768b71242e652097bfab6c838f20def3bea12dad9039796af3e23

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

          Filesize

          406B

          MD5

          400ccec628986e0d5f4c15808862cd8d

          SHA1

          803b6302b3fd16dc33504536311d69fc6960ebba

          SHA256

          6f8994da635ebef2488efa6c519a67a24cd4cbe0ad5814097527b8edf8ab8311

          SHA512

          da4338a4930506687a21ddd6d3080d5d709a5a26f9ecb9bb1a23ae738fab2910cd3959bdfa3d82d4953d91dea129203c1dd670b093bf079ec2b8222020132e0f

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

          Filesize

          392B

          MD5

          adb10b38f72ae3c015d736df9f951256

          SHA1

          6308c8d925db72bc26db8befc1c8592e73cd9b44

          SHA256

          202b330968cc4a513f4bf08e5392b3e048f19875fce713ccf579e455ca238505

          SHA512

          2dfdaa057f5edb9fcf9303769ee952898fd3852cc5fa25ab70441c53a05d04c19d3fa4596eb12afadd90a70507149c74758cb90b22531dd98b929b5ed6d36912

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

          Filesize

          406B

          MD5

          0a9e78c0c2396eea54e741cde93346f0

          SHA1

          b5801752168a89731a67f987b6644bc7f90e2adb

          SHA256

          7cf1b44a5b60adf6460d7d32e54509d2602fb8788aca7220ef8f523bc9e96f04

          SHA512

          252936503191583f700f194061eadb6056e18c7b2282839b16260cb2ab863969910c48d46a6704ad3bc2ecc681165e520ec6475ee1af48e2c075daddc6d55b8b

        • C:\Users\Admin\AppData\Local\Temp\E087.bat

          Filesize

          79B

          MD5

          403991c4d18ac84521ba17f264fa79f2

          SHA1

          850cc068de0963854b0fe8f485d951072474fd45

          SHA256

          ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

          SHA512

          a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

        • C:\Users\Admin\AppData\Roaming\hhvtiet

          Filesize

          96KB

          MD5

          7825cad99621dd288da81d8d8ae13cf5

          SHA1

          f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

          SHA256

          529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

          SHA512

          2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

        • C:\Users\Admin\AppData\Roaming\hhvtiet

          Filesize

          96KB

          MD5

          7825cad99621dd288da81d8d8ae13cf5

          SHA1

          f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

          SHA256

          529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

          SHA512

          2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

        • memory/2788-264-0x0000028B189C0000-0x0000028B189C2000-memory.dmp

          Filesize

          8KB

        • memory/2788-190-0x0000028B170E0000-0x0000028B170E2000-memory.dmp

          Filesize

          8KB

        • memory/2788-186-0x0000028B17020000-0x0000028B17022000-memory.dmp

          Filesize

          8KB

        • memory/2788-183-0x0000028B17000000-0x0000028B17002000-memory.dmp

          Filesize

          8KB

        • memory/2788-260-0x0000028B17A70000-0x0000028B17A72000-memory.dmp

          Filesize

          8KB

        • memory/2788-252-0x0000028B17A30000-0x0000028B17A32000-memory.dmp

          Filesize

          8KB

        • memory/2788-257-0x0000028B17A50000-0x0000028B17A52000-memory.dmp

          Filesize

          8KB

        • memory/2788-280-0x0000028B16A00000-0x0000028B16B00000-memory.dmp

          Filesize

          1024KB

        • memory/3084-99-0x0000016B4B3E0000-0x0000016B4B3E2000-memory.dmp

          Filesize

          8KB

        • memory/3084-80-0x0000016B4BA00000-0x0000016B4BA10000-memory.dmp

          Filesize

          64KB

        • memory/3084-64-0x0000016B4B220000-0x0000016B4B230000-memory.dmp

          Filesize

          64KB

        • memory/3248-31-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-34-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-57-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-58-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-54-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-53-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-51-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-49-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

          Filesize

          64KB

        • memory/3248-48-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-42-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-45-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-46-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-43-0x0000000003170000-0x0000000003180000-memory.dmp

          Filesize

          64KB

        • memory/3248-41-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-39-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-37-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-35-0x0000000003190000-0x00000000031A0000-memory.dmp

          Filesize

          64KB

        • memory/3248-55-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-32-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-4-0x0000000001340000-0x0000000001356000-memory.dmp

          Filesize

          88KB

        • memory/3248-30-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-28-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-25-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-26-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-24-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-22-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-21-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-19-0x0000000003170000-0x0000000003180000-memory.dmp

          Filesize

          64KB

        • memory/3248-18-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-16-0x0000000003160000-0x0000000003170000-memory.dmp

          Filesize

          64KB

        • memory/3248-14-0x0000000002C10000-0x0000000002C20000-memory.dmp

          Filesize

          64KB

        • memory/3248-13-0x0000000002C10000-0x0000000002C20000-memory.dmp

          Filesize

          64KB

        • memory/4868-0-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/4868-5-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

        • memory/4868-3-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB