Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20231215-en -
resource tags
arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system -
submitted
14-01-2024 23:08
Static task
static1
Behavioral task
behavioral1
Sample
toolspab2.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
toolspab2.exe
Resource
win10-20231215-en
Behavioral task
behavioral3
Sample
toolspab2.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral4
Sample
toolspab2.exe
Resource
win11-20231215-en
General
-
Target
toolspab2.exe
-
Size
207KB
-
MD5
38cb64fa3339058ae21850bb66b82279
-
SHA1
4ab731f54aec2b9a8c49bf5e38fe294e9745b604
-
SHA256
ef743dcfbc3b85460416d9708cd43452354c148b375ef94075aaa79207c6467b
-
SHA512
23ac1bfc8e21b879d347867e7a66af3a2b907265ce8fe415e6315ba7e1b9631c9c32d14b51e95e226661c1630f43d2d0e10e5d17705b9b6fe3200a3a1c13b3a7
-
SSDEEP
3072:JXNxFFqcLXdCOck2DLO5LE99KsIv3UVmi2nRpMqC3L4EkwAD:t3bqcLtL2LMMPa3UVxIyqCb41p
Malware Config
Extracted
smokeloader
pub2
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
Processes:
2AB.exeexplorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\s9me1c1c1ksa.exe\DisableExceptionChainValidation 2AB.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "cxgqtream.exe" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\s9me1c1c1ksa.exe 2AB.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Deletes itself 1 IoCs
Processes:
pid process 3188 -
Executes dropped EXE 5 IoCs
Processes:
2AB.exe8F5.exeWindowsUpdater.execejvhajcejvhajpid process 128 2AB.exe 576 8F5.exe 5060 WindowsUpdater.exe 3804 cejvhaj 2256 cejvhaj -
Loads dropped DLL 2 IoCs
Processes:
WindowsUpdater.exepid process 5060 WindowsUpdater.exe 5060 WindowsUpdater.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\s9me1c1c1ksa.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\s9me1c1c1ksa.exe\"" explorer.exe -
Processes:
2AB.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2AB.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
2AB.exeexplorer.exepid process 128 2AB.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe 2104 explorer.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
toolspab2.execejvhajdescription pid process target process PID 2452 set thread context of 2680 2452 toolspab2.exe toolspab2.exe PID 3804 set thread context of 2256 3804 cejvhaj cejvhaj -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3112 2104 WerFault.exe explorer.exe -
NSIS installer 8 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\8F5.exe nsis_installer_2 C:\Users\Admin\AppData\Local\Temp\8F5.exe nsis_installer_2 C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe nsis_installer_2 C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe nsis_installer_2 C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
toolspab2.execejvhajdescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI cejvhaj Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI cejvhaj Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI cejvhaj Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab2.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
2AB.exeexplorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 2AB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 2AB.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-894477223-740240645-3565689000-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
toolspab2.exepid process 2680 toolspab2.exe 2680 toolspab2.exe 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
toolspab2.exe2AB.execejvhajpid process 2680 toolspab2.exe 128 2AB.exe 128 2AB.exe 2256 cejvhaj -
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
2AB.exeexplorer.exedescription pid process Token: SeDebugPrivilege 128 2AB.exe Token: SeRestorePrivilege 128 2AB.exe Token: SeBackupPrivilege 128 2AB.exe Token: SeLoadDriverPrivilege 128 2AB.exe Token: SeCreatePagefilePrivilege 128 2AB.exe Token: SeShutdownPrivilege 128 2AB.exe Token: SeTakeOwnershipPrivilege 128 2AB.exe Token: SeChangeNotifyPrivilege 128 2AB.exe Token: SeCreateTokenPrivilege 128 2AB.exe Token: SeMachineAccountPrivilege 128 2AB.exe Token: SeSecurityPrivilege 128 2AB.exe Token: SeAssignPrimaryTokenPrivilege 128 2AB.exe Token: SeCreateGlobalPrivilege 128 2AB.exe Token: 33 128 2AB.exe Token: SeDebugPrivilege 2104 explorer.exe Token: SeRestorePrivilege 2104 explorer.exe Token: SeBackupPrivilege 2104 explorer.exe Token: SeLoadDriverPrivilege 2104 explorer.exe Token: SeCreatePagefilePrivilege 2104 explorer.exe Token: SeShutdownPrivilege 2104 explorer.exe Token: SeTakeOwnershipPrivilege 2104 explorer.exe Token: SeChangeNotifyPrivilege 2104 explorer.exe Token: SeCreateTokenPrivilege 2104 explorer.exe Token: SeMachineAccountPrivilege 2104 explorer.exe Token: SeSecurityPrivilege 2104 explorer.exe Token: SeAssignPrimaryTokenPrivilege 2104 explorer.exe Token: SeCreateGlobalPrivilege 2104 explorer.exe Token: 33 2104 explorer.exe Token: SeShutdownPrivilege 3188 Token: SeCreatePagefilePrivilege 3188 Token: SeShutdownPrivilege 3188 Token: SeCreatePagefilePrivilege 3188 -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process 3188 -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
toolspab2.exe2AB.exe8F5.execejvhajdescription pid process target process PID 2452 wrote to memory of 2680 2452 toolspab2.exe toolspab2.exe PID 2452 wrote to memory of 2680 2452 toolspab2.exe toolspab2.exe PID 2452 wrote to memory of 2680 2452 toolspab2.exe toolspab2.exe PID 2452 wrote to memory of 2680 2452 toolspab2.exe toolspab2.exe PID 2452 wrote to memory of 2680 2452 toolspab2.exe toolspab2.exe PID 2452 wrote to memory of 2680 2452 toolspab2.exe toolspab2.exe PID 3188 wrote to memory of 128 3188 2AB.exe PID 3188 wrote to memory of 128 3188 2AB.exe PID 3188 wrote to memory of 128 3188 2AB.exe PID 128 wrote to memory of 2104 128 2AB.exe explorer.exe PID 128 wrote to memory of 2104 128 2AB.exe explorer.exe PID 128 wrote to memory of 2104 128 2AB.exe explorer.exe PID 3188 wrote to memory of 576 3188 8F5.exe PID 3188 wrote to memory of 576 3188 8F5.exe PID 3188 wrote to memory of 576 3188 8F5.exe PID 576 wrote to memory of 5060 576 8F5.exe WindowsUpdater.exe PID 576 wrote to memory of 5060 576 8F5.exe WindowsUpdater.exe PID 576 wrote to memory of 5060 576 8F5.exe WindowsUpdater.exe PID 3804 wrote to memory of 2256 3804 cejvhaj cejvhaj PID 3804 wrote to memory of 2256 3804 cejvhaj cejvhaj PID 3804 wrote to memory of 2256 3804 cejvhaj cejvhaj PID 3804 wrote to memory of 2256 3804 cejvhaj cejvhaj PID 3804 wrote to memory of 2256 3804 cejvhaj cejvhaj PID 3804 wrote to memory of 2256 3804 cejvhaj cejvhaj
Processes
-
C:\Users\Admin\AppData\Local\Temp\toolspab2.exe"C:\Users\Admin\AppData\Local\Temp\toolspab2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\toolspab2.exe"C:\Users\Admin\AppData\Local\Temp\toolspab2.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2680
-
C:\Users\Admin\AppData\Local\Temp\2AB.exeC:\Users\Admin\AppData\Local\Temp\2AB.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:128 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
PID:2104 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 11563⤵
- Program crash
PID:3112
-
C:\Users\Admin\AppData\Local\Temp\8F5.exeC:\Users\Admin\AppData\Local\Temp\8F5.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5060
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2104 -ip 21041⤵PID:2504
-
C:\Users\Admin\AppData\Roaming\cejvhajC:\Users\Admin\AppData\Roaming\cejvhaj1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Users\Admin\AppData\Roaming\cejvhajC:\Users\Admin\AppData\Roaming\cejvhaj2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2256
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2AB.exeFilesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
C:\Users\Admin\AppData\Local\Temp\8F5.exeFilesize
1.8MB
MD503918e44603c5469a8fc59d1efd19005
SHA16bff85b451ef4a80217c129dfba1b93d73ea5198
SHA256f1703d0de341ffdae415e871328ba3f7cdfa6c9b09e67db5f5f1ca6edef06eed
SHA51211b4d3255e22c5d8025f4f63b8957a2c8f51750b2d058037271949add0dca259ebf108f4c57830167f7502a8ed79e462d71eeb0838960dec11a335c2f3b9f4ab
-
C:\Users\Admin\AppData\Local\Temp\8F5.exeFilesize
1.6MB
MD59d72d1ffb28744907d35148ace38f37f
SHA1e0bf0666167dc03d5888d4554c0c382948378604
SHA256d6f3dc6c411aa62c812d40e21c54c074f8a1c78a0b858bebbb62c4c958593c17
SHA5129823ba2f118d226cd9fe6d24058688a1c4f54d26031c1b263c50d4f9a1654735bcdaf0915d3470935e18d408ce9a6475a38538bf60ec9b339cb300696796f6f3
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exeFilesize
1.5MB
MD51ec1166182774f4c843e51f801898a85
SHA1d9a58161925684763f671a24c55dce2691df3053
SHA2565ce328ea4b2324cd1191cee596f41eb6d61c7be8945b11b80d50ca4e918d1468
SHA512d3bfe40404eecfb2c0a618283ec74f8b59908f570bcb2f371543950d2ca804a197d1b6e84d176b10416885f00b57ee8b4e2e1b4f9fbab0c700abd43bf4db0b8b
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exeFilesize
1.7MB
MD5277848a12e47b2f94f3def66b2b1c050
SHA163bc2b269ef24a08b1d103e40ab0cb275e3ac579
SHA2567bfd0344485c50c7e23f7403a10dd934ed67b36e7494d35d3d9bb731de13b6e7
SHA512c91761808485d8246d10c8b041721192291b8c090f0f774714ab60e037e78421d9b36d353b18d4757ac455fd238ee150a9b536e6418d7124d1466b2e03ecb895
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exeFilesize
1.5MB
MD5a35909608fdcb8c4c9fbe280af835f57
SHA16da64610041089df12e95b5cce2566e1b9ca6e56
SHA256db4480ca2f78c5ed7664f05ea35e8e172e2cfeba6f318c1296d9c3738aa59a26
SHA5120dfe1854f152dc01fbc7220b3ce1a4e905a20633d8bc9e96c0c005cd750eab5c2148b3e87ad3df4c826ff8c58a5ca463c0f175a6767118cd00534412231de39e
-
C:\Users\Admin\AppData\Local\Temp\lib.dllFilesize
1.4MB
MD5456fa3f949e5cad9cfec4c51f61b1c4b
SHA13b303837f9042a27470c303d58a758b44daa67fa
SHA256ac3d6adac8491ba52979a08a0ab02e8987befbb391eff8f4c3bddb75445c637f
SHA512df47df41f5e7cbea4396b1482fe28ef9c6afe04e9d3f7a284a9ce478838352f3694bf1c121d4bf458f9bf06a20de3a862d2a91ce4eae2a8edd4601eed3b6b875
-
C:\Users\Admin\AppData\Local\Temp\nsnC12.tmp\System.dllFilesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
C:\Users\Admin\AppData\Roaming\cejvhajFilesize
207KB
MD538cb64fa3339058ae21850bb66b82279
SHA14ab731f54aec2b9a8c49bf5e38fe294e9745b604
SHA256ef743dcfbc3b85460416d9708cd43452354c148b375ef94075aaa79207c6467b
SHA51223ac1bfc8e21b879d347867e7a66af3a2b907265ce8fe415e6315ba7e1b9631c9c32d14b51e95e226661c1630f43d2d0e10e5d17705b9b6fe3200a3a1c13b3a7
-
memory/128-20-0x00000000772A6000-0x00000000772A7000-memory.dmpFilesize
4KB
-
memory/128-22-0x00000000028D0000-0x00000000028D1000-memory.dmpFilesize
4KB
-
memory/128-21-0x00000000023D0000-0x0000000002436000-memory.dmpFilesize
408KB
-
memory/128-24-0x0000000002900000-0x000000000290C000-memory.dmpFilesize
48KB
-
memory/128-25-0x00000000023D0000-0x0000000002436000-memory.dmpFilesize
408KB
-
memory/128-16-0x0000000000010000-0x000000000006D000-memory.dmpFilesize
372KB
-
memory/128-41-0x00000000023D0000-0x0000000002436000-memory.dmpFilesize
408KB
-
memory/128-19-0x0000000000720000-0x000000000072D000-memory.dmpFilesize
52KB
-
memory/128-40-0x00000000028F0000-0x00000000028F1000-memory.dmpFilesize
4KB
-
memory/128-18-0x00000000023D0000-0x0000000002436000-memory.dmpFilesize
408KB
-
memory/576-38-0x00000000008D0000-0x0000000000E66000-memory.dmpFilesize
5.6MB
-
memory/576-48-0x00000000008D0000-0x0000000000E66000-memory.dmpFilesize
5.6MB
-
memory/2104-31-0x0000000000E00000-0x0000000000EC4000-memory.dmpFilesize
784KB
-
memory/2104-62-0x0000000004680000-0x0000000004682000-memory.dmpFilesize
8KB
-
memory/2104-28-0x0000000000640000-0x0000000000A6D000-memory.dmpFilesize
4.2MB
-
memory/2104-36-0x0000000000E00000-0x0000000000EC4000-memory.dmpFilesize
784KB
-
memory/2104-26-0x0000000000640000-0x0000000000A6D000-memory.dmpFilesize
4.2MB
-
memory/2104-64-0x0000000000640000-0x0000000000A6C000-memory.dmpFilesize
4.2MB
-
memory/2104-65-0x0000000000E00000-0x0000000000EC4000-memory.dmpFilesize
784KB
-
memory/2256-74-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2256-72-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2452-1-0x0000000000780000-0x0000000000880000-memory.dmpFilesize
1024KB
-
memory/2452-2-0x0000000000760000-0x0000000000769000-memory.dmpFilesize
36KB
-
memory/2680-6-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2680-3-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2680-4-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3188-73-0x0000000002C10000-0x0000000002C26000-memory.dmpFilesize
88KB
-
memory/3188-5-0x0000000000AA0000-0x0000000000AB6000-memory.dmpFilesize
88KB
-
memory/3804-71-0x00000000007D0000-0x00000000008D0000-memory.dmpFilesize
1024KB
-
memory/5060-61-0x0000000072430000-0x0000000072B47000-memory.dmpFilesize
7.1MB
-
memory/5060-58-0x0000000072430000-0x0000000072B47000-memory.dmpFilesize
7.1MB