Analysis

  • max time kernel
    300s
  • max time network
    299s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    25/09/2023, 01:41

General

  • Target

    ae5de6ed1b2f285d4ae50e6fbaf27d601f3d9248e9a2e64b2b01781fb9db4f01.exe

  • Size

    239KB

  • MD5

    4dda95005c2a31af0e82e806e6beaaea

  • SHA1

    42d6ba14fa10768957c4512ad5f892b86a26e11d

  • SHA256

    ae5de6ed1b2f285d4ae50e6fbaf27d601f3d9248e9a2e64b2b01781fb9db4f01

  • SHA512

    374d507fb60fd26b0e45f1c0d6a293ecfaf951da6cb369e05551b6757f11b4fba1e6e7127c11d111e4038f590d8e1cafb897b5a09087f229ee131ebfbf213fa1

  • SSDEEP

    6144:UX46fuYXChoQTjlFgLuCY1dRuAOS7aE24w8y0:UIYzXChdTbv1bu/Ow8y

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detected google phishing page
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae5de6ed1b2f285d4ae50e6fbaf27d601f3d9248e9a2e64b2b01781fb9db4f01.exe
    "C:\Users\Admin\AppData\Local\Temp\ae5de6ed1b2f285d4ae50e6fbaf27d601f3d9248e9a2e64b2b01781fb9db4f01.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4080
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:5032
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:5076
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 228
        2⤵
        • Program crash
        PID:620
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D5AA.bat" "
      1⤵
      • Checks computer location settings
      PID:4416
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2816
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:3908
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4844
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4112
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:2528
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:3068
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:4760
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3944
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:296
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:1108

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\2RZQZMR9\edgecompatviewlist[1].xml

            Filesize

            74KB

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\IN50PRLU\suggestions[1].en-US

            Filesize

            17KB

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\QITFT2GA\B8BxsscfVBr[1].ico

            Filesize

            1KB

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

            Filesize

            4KB

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\P4KS6DHX.cookie

            Filesize

            132B

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\YQZRRZN3.cookie

            Filesize

            132B

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

            Filesize

            1KB

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

            Filesize

            4KB

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

            Filesize

            471B

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

            Filesize

            724B

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

            Filesize

            471B

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

            Filesize

            410B

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

            Filesize

            342B

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

            Filesize

            406B

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

            Filesize

            392B

          • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

            Filesize

            406B

          • C:\Users\Admin\AppData\Local\Temp\D5AA.bat

            Filesize

            79B
