Analysis

  • max time kernel
    300s
  • max time network
    297s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64 arch:x86 image:win10-20230915-en locale:en-us os:windows10-1703-x64 system
  • submitted
    25/09/2023, 01:38

General

  • Target

    66a6f8d4fe9b7313ad385b35623d1b9bbed2710f5cb404a1da299c0420381d8d.exe

  • Size

    239KB

  • MD5

    3740f9e5ed7e48041efa02b0d79024b9

  • SHA1

    e775e9c03e558d784a4d190172028c897a070628

  • SHA256

    66a6f8d4fe9b7313ad385b35623d1b9bbed2710f5cb404a1da299c0420381d8d

  • SHA512

    61fdb7e0e41514424d22561633da1b7a5bdbe7b9e30842bf6d78e8ffa643a32a51d3d892a911640d807ace9e7c17958523aa0d32e0e33035634f3a93a1fd3f3e

  • SSDEEP

    6144:Kv46fuYXChoQTjlFgLuCY1dRuAOQY2mAw8y0:KAYzXChdTbv1buSmAw8y

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detected google phishing page
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\66a6f8d4fe9b7313ad385b35623d1b9bbed2710f5cb404a1da299c0420381d8d.exe
    "C:\Users\Admin\AppData\Local\Temp\66a6f8d4fe9b7313ad385b35623d1b9bbed2710f5cb404a1da299c0420381d8d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3224
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4348
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 212
      2⤵
      • Program crash
      PID:772
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\80F3.bat" "
    1⤵
    • Checks computer location settings
    PID:3948
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3236
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:600
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4260
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1312
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:1924
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    PID:2152
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:5080
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4560
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:1236
  • C:\Users\Admin\AppData\Roaming\sidcjuw
    C:\Users\Admin\AppData\Roaming\sidcjuw
    1⤵
    • Executes dropped EXE
    PID:4480
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:4884

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\80F3.bat

          Filesize

          79B

          MD5

          403991c4d18ac84521ba17f264fa79f2

          SHA1

          850cc068de0963854b0fe8f485d951072474fd45

          SHA256

          ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

          SHA512

          a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

        • C:\Users\Admin\AppData\Roaming\sidcjuw

          Filesize

          96KB

          MD5

          7825cad99621dd288da81d8d8ae13cf5

          SHA1

          f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

          SHA256

          529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

          SHA512

          2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4
