Analysis

  • max time kernel
    127s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-02-2024 23:38

General

  • Target

    5212ecaf2c3880d92f371356d84105be.exe

  • Size

    254KB

  • MD5

    5212ecaf2c3880d92f371356d84105be

  • SHA1

    d17cc3b0083fef207a84eefbb927ac9a79ef01ae

  • SHA256

    cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84

  • SHA512

    a1987d88d57e2a835f81b771da0bd8f8d26800d023d088558a688979bd876a8f142fdfe2b2462907be6401152fc3ec7dd87bae0749e118c9ca82080963253a09

  • SSDEEP

    3072:Gl6mR5pZ1bjBUEzlFJYPBWk8XMF5uaaaETz:+XpZRj2yY5p4RaavT

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://kamsmad.com/tmp/index.php

http://souzhensil.ru/tmp/index.php

http://teplokub.com.ua/tmp/index.php

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 13 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe
    "C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2120
  • C:\Users\Admin\AppData\Local\Temp\81CD.exe
    C:\Users\Admin\AppData\Local\Temp\81CD.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Users\Admin\AppData\Local\Temp\81CD.exe
      C:\Users\Admin\AppData\Local\Temp\81CD.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2732
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8815.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\8815.dll
      2⤵
      • Loads dropped DLL
      PID:2472
  • C:\Users\Admin\AppData\Local\Temp\98E7.exe
    C:\Users\Admin\AppData\Local\Temp\98E7.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 124
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:2436
  • C:\Users\Admin\AppData\Local\Temp\C89F.exe
    C:\Users\Admin\AppData\Local\Temp\C89F.exe
    1⤵
    • Executes dropped EXE
    • Writes to the Master Boot Record (MBR)
    PID:2884
  • C:\Users\Admin\AppData\Local\Temp\1691.exe
    C:\Users\Admin\AppData\Local\Temp\1691.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
      "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      2⤵
      • Executes dropped EXE
      PID:360
    • C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
      2⤵
        PID:2212
    • C:\Users\Admin\AppData\Local\Temp\71FA.exe
      C:\Users\Admin\AppData\Local\Temp\71FA.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1380
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {A0908533-2672-457E-A75B-CFB7876BF3FB} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
      1⤵
        PID:1156
        • C:\Users\Admin\AppData\Roaming\wvsdgbi
          C:\Users\Admin\AppData\Roaming\wvsdgbi
          2⤵
            PID:2236
        • C:\Users\Admin\AppData\Local\Temp\BA7F.exe
          C:\Users\Admin\AppData\Local\Temp\BA7F.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1704
          • C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp" /SL5="$60120,4323177,54272,C:\Users\Admin\AppData\Local\Temp\BA7F.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of FindShellTrayWindow
            PID:1960
        • C:\Users\Admin\AppData\Local\Temp\F53F.exe
          C:\Users\Admin\AppData\Local\Temp\F53F.exe
          1⤵
          • Executes dropped EXE
          PID:1164

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1691.exe

          Filesize

          192KB

          MD5

          fd244ee8b33bd29d464da59a42e004be

          SHA1

          4e8af53e7d4f4c7dfe760309da320a4525528e0f

          SHA256

          251dfaa20ff2ce38a7a0b74255bd585b7a09ee2164ac20da6da84ad0463a78a5

          SHA512

          79333e02b2adba42eb6bdcbd495334991400e52d5b9cebb35b1c71eefc4704eea69aea8c71f508079c976af6888d9fb1041c13f78c37d7928cbcd6d464678a59

        • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

          Filesize

          960KB

          MD5

          33173a5f01c70ff647485f5427453242

          SHA1

          5a8b4455ed301b4c0d9870625d7b642ad843902e

          SHA256

          415ae01e28996f7ac8c5178d401e04aaf324527ebd8ac050a7c0ad4632df8b18

          SHA512

          0a236b0ec3162ab9fa51fda9672b69cc9d6762d06bd04d2fc6ab261b2341ed854c5896ae4bd2108ad019211330e5437c0a2afd6b10093346d667cef47932cafc

        • C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

          Filesize

          1.6MB

          MD5

          d3c015d761ac4697c31779ebd67685fe

          SHA1

          6eda243187265592a404feca52bf612ddc66e396

          SHA256

          689272ab8ec16e67eb0c14f37e0928b21b3cf38e467216ed1240177d82e5d7ea

          SHA512

          680b8009fc1392d7269a58821b9a0f71bf93ae4b7a46f8f3c9900ab501a48fa7c882c214377d0b33b6310d6d92259dada20db8b3e6939446b013b2d668a7d7ab

        • C:\Users\Admin\AppData\Local\Temp\71FA.exe

          Filesize

          253KB

          MD5

          3893d9674f9791363d8f92edae4427a7

          SHA1

          93603d9de7c259c8437f320f032ba171be67e200

          SHA256

          ad3a5d32351e9b26a5206751e45f27bf4def2890008e573dce58c4e9791fdcce

          SHA512

          9918357b96ea5af2ec3f056c0d7c41a025558fba88d6ada2ade153dc5b944670acdcc0e1abc76e52d9a9186abd15345519802f605473bf4fb59c81f972a3a6d6

        • C:\Users\Admin\AppData\Local\Temp\71FA.exe

          Filesize

          128KB

          MD5

          3fa5e88a9e8bd660c006932ec3845228

          SHA1

          80a085e19a9587ac268e8dc6cfd1621b50155279

          SHA256

          8848be5d2e2df5d044fdf6b6bd8e79e5c5176a27b97c18707194e768731f658d

          SHA512

          108d4d9e03747d05ba46307b2b6bb64ca0f7e8afca6c913b6f87da5c05749821ed5a15c21eb5c3068201b923b7f24114c856a0eb475d03c9e4708c3820e09a3b

        • C:\Users\Admin\AppData\Local\Temp\81CD.exe

          Filesize

          1.8MB

          MD5

          147f5f5bbc80b2ad753993e15f3f32c2

          SHA1

          16d73b4abeef12cf76414338901eb7bbef46775f

          SHA256

          40dc1ae099f2278650c0aa599ba00f659a87996208133d6a64b0cc5cbb5fe990

          SHA512

          9c43aaa68161ef04c60e3f64c3fd54426dfd387f0013f009f3da94d45f19e514cd41de7b95865c47f55e5800222fd74736659138bb96406aa37f9cdc8e5799b6

        • C:\Users\Admin\AppData\Local\Temp\81CD.exe

          Filesize

          768KB

          MD5

          b616caf2b54103fcf72e6151adac0d46

          SHA1

          5d29d9ef0ff53427fa8ffbc4bd3f58c389ef3783

          SHA256

          2f57d61873f49865c3bcaa2acf7049c810a24c308594def9f28278e59a644fb0

          SHA512

          f8b0971dbcfc8a5de2ccd1f0d5696bbd81c6c4044a1bc36c07f083085e47d8f13b41bf1da9617fce46e93f1560e43f6b62687ca49a2380780f5ad2dbbe5f68c7

        • C:\Users\Admin\AppData\Local\Temp\8815.dll

          Filesize

          2.0MB

          MD5

          b66379323022a073f1f7cdefed747401

          SHA1

          14cfd615676b85960154df8273ca841f4a0e268b

          SHA256

          19a75f92a288042be52f1d38976909a22f81e92d22b69b6ab2f1f4d5856448db

          SHA512

          94b8dbe483f2f624723b831186bfcabc52eb74b8293f7acc4e3152ccdaef86885e2fb89453b91a78493795c99edc96e47dbbd489f92aec4cb30c21c064eb052b

        • C:\Users\Admin\AppData\Local\Temp\98E7.exe

          Filesize

          1.7MB

          MD5

          c7b647893b52c1b36181304002961423

          SHA1

          e43d7d3c3223134e57144ef90382f1c78217f6f1

          SHA256

          6a84875c462e57fb65f7f34085d63b5a1eab2727d8d054f3729ce9aa018d7adc

          SHA512

          23bfe8eca534a96449d6f7608ae400f32a91ed9a007810d3f7c3c52cdd2ed3a383dae034e1b072e3754cc35cc3e4e2af1c719adf08056a1da6d0ea96d7c1a0e3

        • C:\Users\Admin\AppData\Local\Temp\98E7.exe

          Filesize

          1.8MB

          MD5

          e06282697d839fc8dcc478cb22cfeb5b

          SHA1

          7d3f2ca8affc4d3140e4f1db85d08a89cea944c3

          SHA256

          375e852ed9c6e2b246d823b07cfebf845481a52dbe1d088ebdd9ada3756aa0ee

          SHA512

          d11ebe71e0dde27a1cf6629a3aaa1fc0557ffa03a7132373bcb1846b44401a0d763225a72ed4c666a019a87836fbc5c2c34b7d965728a5b99060cf25555ed1ad

        • C:\Users\Admin\AppData\Local\Temp\BA7F.exe

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • C:\Users\Admin\AppData\Local\Temp\BA7F.exe

          Filesize

          128KB

          MD5

          e48b303a406230ddb31007a3ea0d27a2

          SHA1

          8df366aa720491a63af411e0e0a26645773b55f1

          SHA256

          c7433bf662afa8fd5fe8bf7ba195be675663556d71709ed7bcab124393adb30b

          SHA512

          bd9d5b526a27aa6d3f24884f280edb550665fc29be4585b499cf649c41c1f6d382f6438c8a817341c48936d8964fac2d9d55e2702e25b6ccafc46b3a5c9b715c

        • C:\Users\Admin\AppData\Local\Temp\C89F.exe

          Filesize

          256KB

          MD5

          df2076b7ede154d455fdd1035115de54

          SHA1

          62df9325ff2fce5e5a2cf121e84065221a513d77

          SHA256

          0730675048e9e0a97e9ad20f73712d7e3ba6ed114a7cdfbf8b50075656c4395c

          SHA512

          5f55d313b2451f14f101d7383e03cdc3a9b36a9f6487a7c164def8018b76983e6fe74288f4457a2f4273d117f1a10a886409f713173bb1f791e86205caf80430

        • C:\Users\Admin\AppData\Local\Temp\F53F.exe

          Filesize

          128KB

          MD5

          a31328e6b465a963c2b205c482aedf25

          SHA1

          d1013c617f538e22c9013169fee642e98d830700

          SHA256

          c8fc9768f9045b6cab7a18ef570d328362dfba04b31dec4c75b169d992215ff6

          SHA512

          a522fb6091d0bd1b61f9006903b6e355c9a11afbf3d6dfe10c0b417cc17974c9b88fd20b024d60c771a6829597190a4ea519ef8d5afbc5654b10f2fc673029a5

        • C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp

          Filesize

          689KB

          MD5

          17a8697f12a3c6196f9af529950bda6a

          SHA1

          95ffe3ac2e052da21827e107ce49d5a09b9f7b34

          SHA256

          c28497147101366a323a5c0040823d9fdd7905b7d190bc645d31b6e2b3d741c5

          SHA512

          0befe7903b827a78eb7297d560db27c6cad0324203e8a29fc91cd1cb7ead2f903ccb00caa21a8c28abf820f21334f9f56cb439bcb9dc247c08cea6119a3d1b74

        • C:\Users\Admin\AppData\Roaming\wvsdgbi

          Filesize

          64KB

          MD5

          2d5fd1a161ead4bbc4d3d9a4d24088ac

          SHA1

          f103187c99590f719834d61edb68a971ee846f70

          SHA256

          7e6065957202b3839e1b85e1efa258b80575df942a66e0f6d18ee3a74981416e

          SHA512

          770cb619ef55e0f52060a63a2eb7f58c0901a41a07bfed2a27dc6a0e3f4775f3d6b28617e0f87b16dedf4e47512bb4b40016bb73566315c8a938283f0bb2025a

        • \Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

          Filesize

          1.2MB

          MD5

          7c277165dcead3616b33d9432afcb485

          SHA1

          b725f0009bb07f8c3f434adc10ccc8d78967ea62

          SHA256

          a3548e60aee3eacd24068a097a0fd848bf9d61a19e54a88068b5be7539384c30

          SHA512

          2f5d098b0ca693dc399479f293ce38b0254149481dcc397715cff47a55b870c2a3ae7824cc1587838ce0f511633fecc961384e836bbccde66734207d1f5e8105

        • \Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

          Filesize

          1.1MB

          MD5

          dee6f72532b423c83b1483ef216a83d3

          SHA1

          06a812a3c174067dcf15447be310608fe0235a0b

          SHA256

          e02a6c5a59aa4d07173f6fc254dabff117e1519a5d49fe1428d854ab5be007a0

          SHA512

          7a41ce71088edff82af7963381c84871e72ee1bc6fb1889d79015103baa040a31f4433ff52604af45fd6787401ddd9e0d222b015d8b0a22640ec3e3a61580974

        • \Users\Admin\AppData\Local\Temp\81CD.exe

          Filesize

          896KB

          MD5

          ec107905993c0e3ea3796938a7703089

          SHA1

          4a8808f5bb1417798986fe5c6ceee88054fe3e7c

          SHA256

          88ea05c6230cc8c381064df526862873b066a8103c60b901c74a07354fe9e17d

          SHA512

          c9773f0045f684e98c6d44140c4865cb0508b4748913157e0a1ce4dfed491cd214ef73717fa7e458f8aeb8ce5b365ab9deac88ca4ad1517ef95b616b1f80b030

        • \Users\Admin\AppData\Local\Temp\8815.dll

          Filesize

          256KB

          MD5

          c931486255b9c380f896c33d143ef6b1

          SHA1

          9be428ebd706d03688beea3149f3558d0df2c206

          SHA256

          48bb51efe6e7a7f4aa37e3563a9095d5ccac4535152604314dcfb91b487d4c6d

          SHA512

          9cff9c19d17406d826beffc5c7111f8aa84594da7a42f372f8e73ca137445aa52be3aa751c91bad810c12ad7dcb559932b34656848c4be67eb764fa1c6809ae3

        • \Users\Admin\AppData\Local\Temp\8815.dll

          Filesize

          768KB

          MD5

          02c83601301167faeb74495444d6590e

          SHA1

          7fb880beff3b8fb64f37d42decc74b04ce0b9e84

          SHA256

          91d39b36e4fb9afd9170ffa1d6d67ab5061fc4ef4ab6487e8dadc14e8832ad76

          SHA512

          ee1912737514199238210a0d5d34fe005aa3cd12bc97851aa09c6da21a9acb84bbe19b5e90bb935ade2856e74be910259c20dc279d8190c9760107108a0a2753

        • \Users\Admin\AppData\Local\Temp\98E7.exe

          Filesize

          64KB

          MD5

          792d533d0d2b84ccc8f2d789e7ca689a

          SHA1

          3544294922fd322470e28223d761d52b8e354684

          SHA256

          64745a7b5f17c59ac594897efacbac9c5a70a2d7bdcf280c952a27a83a2590c2

          SHA512

          4429675ccc21a8c6d6c5065f96115a39e6f94c37ba922bf445af577b5965e80e1bfc4d9fbd0e111dd7977a694315168afd1eb9b272a61c204adb5090b3df7f0c

        • \Users\Admin\AppData\Local\Temp\98E7.exe

          Filesize

          896KB

          MD5

          a61f7b2d959ae679f200b29d0c01a66b

          SHA1

          a41b1fae529bc2eae5534c2b5fe127ab9bc7bc59

          SHA256

          3e24125978e4544fb1dc8bfb49fa4d1cce7c5a19519b356c999b43a63ebad59e

          SHA512

          b971bddbe88379a5085634ce305ba3de7958125417ddc569af68b6ad06b240bf448555ce20f18b77af886d81fe1a999833d04f6fd30e7071a8349cb2424c4d98

        • \Users\Admin\AppData\Local\Temp\98E7.exe

          Filesize

          768KB

          MD5

          f9bb28763560357668845c53eeb31a3f

          SHA1

          54f4d6b3196c1578049999be4ff714d8f9f5bb0c

          SHA256

          2e0238b7a233ca044c5a1fd2732d80a63b9277a3fdf668095a6ee9cfa02706b7

          SHA512

          a6830bdc2468a28fdb57fc07e9085ba2cb673b4c8b148391a228155f7a31ade151bc6f872e162111c8254a11ce35f2cc9ec3d670e9e81c6ae1769a80117e54e7

        • \Users\Admin\AppData\Local\Temp\InstallSetup4.exe

          Filesize

          960KB

          MD5

          28158c533348f213e23e5bdac3b09369

          SHA1

          ce453cdc9510ea68131ba32f86430e98920ab21c

          SHA256

          c46f3259eabc8a4e47b562d0bbfaabf0599a2cefb6483020b3cb4b0ba37a61b4

          SHA512

          974e4feeb50ce21ffe784e65df6e2e816fcdfdfc484d3f1a044d58184246b2b247f87c4cee245dc0e20df7a49a3fa0dae73838ddc28922db90e21a4358015eba

        • \Users\Admin\AppData\Local\Temp\is-82H22.tmp\_isetup\_iscrypt.dll

          Filesize

          2KB

          MD5

          a69559718ab506675e907fe49deb71e9

          SHA1

          bc8f404ffdb1960b50c12ff9413c893b56f2e36f

          SHA256

          2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

          SHA512

          e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

        • \Users\Admin\AppData\Local\Temp\is-82H22.tmp\_isetup\_isdecmp.dll

          Filesize

          13KB

          MD5

          a813d18268affd4763dde940246dc7e5

          SHA1

          c7366e1fd925c17cc6068001bd38eaef5b42852f

          SHA256

          e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

          SHA512

          b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

        • \Users\Admin\AppData\Local\Temp\is-82H22.tmp\_isetup\_shfoldr.dll

          Filesize

          22KB

          MD5

          92dc6ef532fbb4a5c3201469a5b5eb63

          SHA1

          3e89ff837147c16b4e41c30d6c796374e0b8e62c

          SHA256

          9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

          SHA512

          9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

        • memory/360-171-0x0000000002660000-0x0000000002A58000-memory.dmp

          Filesize

          4.0MB

        • memory/1164-160-0x0000000000400000-0x0000000002D8C000-memory.dmp

          Filesize

          41.5MB

        • memory/1164-172-0x0000000000400000-0x0000000002D8C000-memory.dmp

          Filesize

          41.5MB

        • memory/1164-173-0x0000000002F22000-0x0000000002F83000-memory.dmp

          Filesize

          388KB

        • memory/1164-174-0x0000000000220000-0x000000000028B000-memory.dmp

          Filesize

          428KB

        • memory/1208-107-0x0000000002DA0000-0x0000000002DB6000-memory.dmp

          Filesize

          88KB

        • memory/1208-4-0x0000000002A90000-0x0000000002AA6000-memory.dmp

          Filesize

          88KB

        • memory/1380-111-0x0000000000220000-0x000000000022B000-memory.dmp

          Filesize

          44KB

        • memory/1380-110-0x0000000002E32000-0x0000000002E48000-memory.dmp

          Filesize

          88KB

        • memory/1380-108-0x0000000000400000-0x0000000002D3E000-memory.dmp

          Filesize

          41.2MB

        • memory/1532-90-0x0000000000D70000-0x0000000001626000-memory.dmp

          Filesize

          8.7MB

        • memory/1704-117-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

        • memory/2120-2-0x0000000000220000-0x000000000022B000-memory.dmp

          Filesize

          44KB

        • memory/2120-3-0x0000000000400000-0x0000000002D3F000-memory.dmp

          Filesize

          41.2MB

        • memory/2120-5-0x0000000000400000-0x0000000002D3F000-memory.dmp

          Filesize

          41.2MB

        • memory/2120-1-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

          Filesize

          1024KB

        • memory/2468-52-0x0000000000130000-0x0000000000131000-memory.dmp

          Filesize

          4KB

        • memory/2468-55-0x00000000775A0000-0x00000000775A1000-memory.dmp

          Filesize

          4KB

        • memory/2468-50-0x0000000000130000-0x0000000000131000-memory.dmp

          Filesize

          4KB

        • memory/2468-49-0x0000000000D00000-0x00000000015AF000-memory.dmp

          Filesize

          8.7MB

        • memory/2468-47-0x0000000000130000-0x0000000000131000-memory.dmp

          Filesize

          4KB

        • memory/2468-58-0x0000000000140000-0x0000000000141000-memory.dmp

          Filesize

          4KB

        • memory/2472-35-0x0000000010000000-0x000000001020C000-memory.dmp

          Filesize

          2.0MB

        • memory/2472-82-0x0000000002770000-0x000000000288B000-memory.dmp

          Filesize

          1.1MB

        • memory/2472-79-0x0000000002770000-0x000000000288B000-memory.dmp

          Filesize

          1.1MB

        • memory/2472-78-0x0000000000BE0000-0x0000000000D1C000-memory.dmp

          Filesize

          1.2MB

        • memory/2472-36-0x0000000000140000-0x0000000000146000-memory.dmp

          Filesize

          24KB

        • memory/2696-21-0x0000000004B50000-0x0000000004D07000-memory.dmp

          Filesize

          1.7MB

        • memory/2696-17-0x0000000004990000-0x0000000004B48000-memory.dmp

          Filesize

          1.7MB

        • memory/2696-18-0x0000000004990000-0x0000000004B48000-memory.dmp

          Filesize

          1.7MB

        • memory/2732-25-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

        • memory/2732-28-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

        • memory/2732-73-0x0000000002BD0000-0x0000000002CEB000-memory.dmp

          Filesize

          1.1MB

        • memory/2732-72-0x0000000010000000-0x000000001020C000-memory.dmp

          Filesize

          2.0MB

        • memory/2732-33-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

        • memory/2732-69-0x0000000002A90000-0x0000000002BCC000-memory.dmp

          Filesize

          1.2MB

        • memory/2732-31-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

        • memory/2732-32-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

        • memory/2732-29-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

        • memory/2732-40-0x0000000000280000-0x0000000000286000-memory.dmp

          Filesize

          24KB

        • memory/2732-77-0x0000000002BD0000-0x0000000002CEB000-memory.dmp

          Filesize

          1.1MB

        • memory/2732-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2884-71-0x0000000000400000-0x0000000002D8C000-memory.dmp

          Filesize

          41.5MB

        • memory/2884-68-0x0000000000220000-0x000000000028B000-memory.dmp

          Filesize

          428KB

        • memory/2884-67-0x0000000002F60000-0x0000000003060000-memory.dmp

          Filesize

          1024KB

        • memory/2884-94-0x0000000000400000-0x0000000002D8C000-memory.dmp

          Filesize

          41.5MB

        • memory/2884-75-0x0000000000400000-0x0000000002D8C000-memory.dmp

          Filesize

          41.5MB