vjw0rm | 14516968b1e01bd308c319bde2d4cdba32bf37f07d9e5f003ebc5b1bb1059d71

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
19-03-2022 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

order_receipt.js
Size

11KB
MD5

69f29cd9961eea44bdf9ac54d34dc1c4
SHA1

8b603318d383c298e6613fda82f15fa88cc25fa8
SHA256

14516968b1e01bd308c319bde2d4cdba32bf37f07d9e5f003ebc5b1bb1059d71
SHA512

ed7b5708c0be99b93225e47ded369195ccef8ee8da4a8b7d775ed195be6a4d5f2c6385ef2f625bb3230e4a9369c339261a22d8799fdf55bced1c78bfe9b54d50

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Extracted

Family

vjw0rm

http://zeegod.duckdns.org:9001

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

9 1512 wscript.exe
Executes dropped EXE 5 IoCs

Processes:

L08Y1W0THA.comL08Y1W0THA.comL08Y1W0THA.comL08Y1W0THA.comL08Y1W0THA.com

pid process

3452 L08Y1W0THA.com
4296 L08Y1W0THA.com
2600 L08Y1W0THA.com
2932 L08Y1W0THA.com
3064 L08Y1W0THA.com

flow	pid	process
9	1512	wscript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeL08Y1W0THA.comL08Y1W0THA.com

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	L08Y1W0THA.com
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	L08Y1W0THA.com

Drops startup file 4 IoCs

Processes:

L08Y1W0THA.comwscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L08Y1W0THA.com	L08Y1W0THA.com
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\order_receipt.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\order_receipt.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L08Y1W0THA.com	L08Y1W0THA.com

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exeL08Y1W0THA.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LMOXHX511V = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\order_receipt.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TWLP = "C:\\Users\\Admin\\AppData\\Roaming\\L08Y1W0THA.com"	L08Y1W0THA.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

75 ip-api.com

flow	ioc
75	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

L08Y1W0THA.comL08Y1W0THA.com

description	pid	process	target process
PID 3452 set thread context of 4296	3452	L08Y1W0THA.com	L08Y1W0THA.com
PID 2600 set thread context of 3064	2600	L08Y1W0THA.com	L08Y1W0THA.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

L08Y1W0THA.comL08Y1W0THA.com

pid	process
3452	L08Y1W0THA.com
3452	L08Y1W0THA.com
3452	L08Y1W0THA.com
3452	L08Y1W0THA.com
3452	L08Y1W0THA.com
3452	L08Y1W0THA.com
3452	L08Y1W0THA.com
3452	L08Y1W0THA.com
3452	L08Y1W0THA.com
3452	L08Y1W0THA.com
2600	L08Y1W0THA.com
2600	L08Y1W0THA.com
2600	L08Y1W0THA.com
2600	L08Y1W0THA.com
2600	L08Y1W0THA.com
2600	L08Y1W0THA.com
2600	L08Y1W0THA.com
2600	L08Y1W0THA.com
2600	L08Y1W0THA.com
2600	L08Y1W0THA.com
2600	L08Y1W0THA.com
2600	L08Y1W0THA.com

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

L08Y1W0THA.comL08Y1W0THA.comL08Y1W0THA.comL08Y1W0THA.comWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3452	L08Y1W0THA.com
Token: SeDebugPrivilege	4296	L08Y1W0THA.com
Token: SeDebugPrivilege	2600	L08Y1W0THA.com
Token: SeDebugPrivilege	3064	L08Y1W0THA.com
Token: SeIncreaseQuotaPrivilege	3352	WMIC.exe
Token: SeSecurityPrivilege	3352	WMIC.exe
Token: SeTakeOwnershipPrivilege	3352	WMIC.exe
Token: SeLoadDriverPrivilege	3352	WMIC.exe
Token: SeSystemProfilePrivilege	3352	WMIC.exe
Token: SeSystemtimePrivilege	3352	WMIC.exe
Token: SeProfSingleProcessPrivilege	3352	WMIC.exe
Token: SeIncBasePriorityPrivilege	3352	WMIC.exe
Token: SeCreatePagefilePrivilege	3352	WMIC.exe
Token: SeBackupPrivilege	3352	WMIC.exe
Token: SeRestorePrivilege	3352	WMIC.exe
Token: SeShutdownPrivilege	3352	WMIC.exe
Token: SeDebugPrivilege	3352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3352	WMIC.exe
Token: SeRemoteShutdownPrivilege	3352	WMIC.exe
Token: SeUndockPrivilege	3352	WMIC.exe
Token: SeManageVolumePrivilege	3352	WMIC.exe
Token: 33	3352	WMIC.exe
Token: 34	3352	WMIC.exe
Token: 35	3352	WMIC.exe
Token: 36	3352	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3352	WMIC.exe
Token: SeSecurityPrivilege	3352	WMIC.exe
Token: SeTakeOwnershipPrivilege	3352	WMIC.exe
Token: SeLoadDriverPrivilege	3352	WMIC.exe
Token: SeSystemProfilePrivilege	3352	WMIC.exe
Token: SeSystemtimePrivilege	3352	WMIC.exe
Token: SeProfSingleProcessPrivilege	3352	WMIC.exe
Token: SeIncBasePriorityPrivilege	3352	WMIC.exe
Token: SeCreatePagefilePrivilege	3352	WMIC.exe
Token: SeBackupPrivilege	3352	WMIC.exe
Token: SeRestorePrivilege	3352	WMIC.exe
Token: SeShutdownPrivilege	3352	WMIC.exe
Token: SeDebugPrivilege	3352	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3352	WMIC.exe
Token: SeRemoteShutdownPrivilege	3352	WMIC.exe
Token: SeUndockPrivilege	3352	WMIC.exe
Token: SeManageVolumePrivilege	3352	WMIC.exe
Token: 33	3352	WMIC.exe
Token: 34	3352	WMIC.exe
Token: 35	3352	WMIC.exe
Token: 36	3352	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3952	WMIC.exe
Token: SeSecurityPrivilege	3952	WMIC.exe
Token: SeTakeOwnershipPrivilege	3952	WMIC.exe
Token: SeLoadDriverPrivilege	3952	WMIC.exe
Token: SeSystemProfilePrivilege	3952	WMIC.exe
Token: SeSystemtimePrivilege	3952	WMIC.exe
Token: SeProfSingleProcessPrivilege	3952	WMIC.exe
Token: SeIncBasePriorityPrivilege	3952	WMIC.exe
Token: SeCreatePagefilePrivilege	3952	WMIC.exe
Token: SeBackupPrivilege	3952	WMIC.exe
Token: SeRestorePrivilege	3952	WMIC.exe
Token: SeShutdownPrivilege	3952	WMIC.exe
Token: SeDebugPrivilege	3952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3952	WMIC.exe
Token: SeRemoteShutdownPrivilege	3952	WMIC.exe
Token: SeUndockPrivilege	3952	WMIC.exe
Token: SeManageVolumePrivilege	3952	WMIC.exe
Token: 33	3952	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

wscript.exeL08Y1W0THA.comL08Y1W0THA.comL08Y1W0THA.comL08Y1W0THA.comcmd.execmd.execmd.exe

description	pid	process	target process
PID 1512 wrote to memory of 3400	1512	wscript.exe	wscript.exe
PID 1512 wrote to memory of 3400	1512	wscript.exe	wscript.exe
PID 1512 wrote to memory of 3452	1512	wscript.exe	L08Y1W0THA.com
PID 1512 wrote to memory of 3452	1512	wscript.exe	L08Y1W0THA.com
PID 1512 wrote to memory of 3452	1512	wscript.exe	L08Y1W0THA.com
PID 3452 wrote to memory of 4296	3452	L08Y1W0THA.com	L08Y1W0THA.com
PID 3452 wrote to memory of 4296	3452	L08Y1W0THA.com	L08Y1W0THA.com
PID 3452 wrote to memory of 4296	3452	L08Y1W0THA.com	L08Y1W0THA.com
PID 3452 wrote to memory of 4296	3452	L08Y1W0THA.com	L08Y1W0THA.com
PID 3452 wrote to memory of 4296	3452	L08Y1W0THA.com	L08Y1W0THA.com
PID 3452 wrote to memory of 4296	3452	L08Y1W0THA.com	L08Y1W0THA.com
PID 3452 wrote to memory of 4296	3452	L08Y1W0THA.com	L08Y1W0THA.com
PID 3452 wrote to memory of 4296	3452	L08Y1W0THA.com	L08Y1W0THA.com
PID 4296 wrote to memory of 2600	4296	L08Y1W0THA.com	L08Y1W0THA.com
PID 4296 wrote to memory of 2600	4296	L08Y1W0THA.com	L08Y1W0THA.com
PID 4296 wrote to memory of 2600	4296	L08Y1W0THA.com	L08Y1W0THA.com
PID 2600 wrote to memory of 2932	2600	L08Y1W0THA.com	L08Y1W0THA.com
PID 2600 wrote to memory of 2932	2600	L08Y1W0THA.com	L08Y1W0THA.com
PID 2600 wrote to memory of 2932	2600	L08Y1W0THA.com	L08Y1W0THA.com
PID 2600 wrote to memory of 3064	2600	L08Y1W0THA.com	L08Y1W0THA.com
PID 2600 wrote to memory of 3064	2600	L08Y1W0THA.com	L08Y1W0THA.com
PID 2600 wrote to memory of 3064	2600	L08Y1W0THA.com	L08Y1W0THA.com
PID 2600 wrote to memory of 3064	2600	L08Y1W0THA.com	L08Y1W0THA.com
PID 2600 wrote to memory of 3064	2600	L08Y1W0THA.com	L08Y1W0THA.com
PID 2600 wrote to memory of 3064	2600	L08Y1W0THA.com	L08Y1W0THA.com
PID 2600 wrote to memory of 3064	2600	L08Y1W0THA.com	L08Y1W0THA.com
PID 2600 wrote to memory of 3064	2600	L08Y1W0THA.com	L08Y1W0THA.com
PID 3064 wrote to memory of 4384	3064	L08Y1W0THA.com	wscript.exe
PID 3064 wrote to memory of 4384	3064	L08Y1W0THA.com	wscript.exe
PID 3064 wrote to memory of 4384	3064	L08Y1W0THA.com	wscript.exe
PID 3064 wrote to memory of 1240	3064	L08Y1W0THA.com	cmd.exe
PID 3064 wrote to memory of 1240	3064	L08Y1W0THA.com	cmd.exe
PID 3064 wrote to memory of 1240	3064	L08Y1W0THA.com	cmd.exe
PID 1240 wrote to memory of 3352	1240	cmd.exe	WMIC.exe
PID 1240 wrote to memory of 3352	1240	cmd.exe	WMIC.exe
PID 1240 wrote to memory of 3352	1240	cmd.exe	WMIC.exe
PID 3064 wrote to memory of 4160	3064	L08Y1W0THA.com	cmd.exe
PID 3064 wrote to memory of 4160	3064	L08Y1W0THA.com	cmd.exe
PID 3064 wrote to memory of 4160	3064	L08Y1W0THA.com	cmd.exe
PID 4160 wrote to memory of 3952	4160	cmd.exe	WMIC.exe
PID 4160 wrote to memory of 3952	4160	cmd.exe	WMIC.exe
PID 4160 wrote to memory of 3952	4160	cmd.exe	WMIC.exe
PID 3064 wrote to memory of 1428	3064	L08Y1W0THA.com	cmd.exe
PID 3064 wrote to memory of 1428	3064	L08Y1W0THA.com	cmd.exe
PID 3064 wrote to memory of 1428	3064	L08Y1W0THA.com	cmd.exe
PID 1428 wrote to memory of 2228	1428	cmd.exe	WMIC.exe
PID 1428 wrote to memory of 2228	1428	cmd.exe	WMIC.exe
PID 1428 wrote to memory of 2228	1428	cmd.exe	WMIC.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\order_receipt.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\XaoShGXEdx.js"
2⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\L08Y1W0THA.com
"C:\Users\Admin\AppData\Local\Temp\L08Y1W0THA.com"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452

C:\Users\Admin\AppData\Local\Temp\L08Y1W0THA.com
"C:\Users\Admin\AppData\Local\Temp\L08Y1W0THA.com"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296

C:\Users\Admin\AppData\Roaming\L08Y1W0THA.com
"C:\Users\Admin\AppData\Roaming\L08Y1W0THA.com"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Roaming\L08Y1W0THA.com
"C:\Users\Admin\AppData\Roaming\L08Y1W0THA.com"
5⤵
- Executes dropped EXE
PID:2932

C:\Users\Admin\AppData\Roaming\L08Y1W0THA.com
"C:\Users\Admin\AppData\Roaming\L08Y1W0THA.com"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\cookie.vbs
6⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get OSArchitecture /format:list
6⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get OSArchitecture /format:list
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
6⤵
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
6⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
7⤵
PID:2228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\L08Y1W0THA.com.log
MD5
99e770c0d4043aa84ef3d3cbc7723c25

SHA1
19829c5c413fccba750a3357f938dfa94486acad

SHA256
33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5

SHA512
ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39

Download Submit
C:\Users\Admin\AppData\Local\Temp\L08Y1W0THA.com
MD5
1409a67f156893c8d26d57add0174799

SHA1
1c1b0e6349d5bd5e5d776340e8c2844703a5d230

SHA256
41d1a0a0e0b530967e960476780edfc06de7b9f9f42884b71c02af5619cd95f8

SHA512
934e49b428ac1f5a0060c6e43bf3fb82b2e0ebd9ac55115dfe5d4043a9cb601550bd5ccea811fe6d86a395404822579c5573a5e352a3ba17baaf79db1aad3d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\L08Y1W0THA.com
MD5
1409a67f156893c8d26d57add0174799

SHA1
1c1b0e6349d5bd5e5d776340e8c2844703a5d230

SHA256
41d1a0a0e0b530967e960476780edfc06de7b9f9f42884b71c02af5619cd95f8

SHA512
934e49b428ac1f5a0060c6e43bf3fb82b2e0ebd9ac55115dfe5d4043a9cb601550bd5ccea811fe6d86a395404822579c5573a5e352a3ba17baaf79db1aad3d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\L08Y1W0THA.com
MD5
1409a67f156893c8d26d57add0174799

SHA1
1c1b0e6349d5bd5e5d776340e8c2844703a5d230

SHA256
41d1a0a0e0b530967e960476780edfc06de7b9f9f42884b71c02af5619cd95f8

SHA512
934e49b428ac1f5a0060c6e43bf3fb82b2e0ebd9ac55115dfe5d4043a9cb601550bd5ccea811fe6d86a395404822579c5573a5e352a3ba17baaf79db1aad3d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookie.vbs
MD5
059d9d13b1727cade3ec8623beb6af34

SHA1
64c04a10d46d74c744f936712b9f6e22d4ba5276

SHA256
b33838516a0ffebf5b223b28a09d4d71bbf6a06cfb69741ae5595ed1287f435a

SHA512
4bce49296111d6555452a6805aa2f7058e31218fb47e7e0ece8d01ca41d4c232b08ff2fcc56fbe28ad43ebc356eeac6b30cb58eee3f40a4da8a3331869b0ca7b

Download Submit
C:\Users\Admin\AppData\Roaming\L08Y1W0THA.com
MD5
1409a67f156893c8d26d57add0174799

SHA1
1c1b0e6349d5bd5e5d776340e8c2844703a5d230

SHA256
41d1a0a0e0b530967e960476780edfc06de7b9f9f42884b71c02af5619cd95f8

SHA512
934e49b428ac1f5a0060c6e43bf3fb82b2e0ebd9ac55115dfe5d4043a9cb601550bd5ccea811fe6d86a395404822579c5573a5e352a3ba17baaf79db1aad3d17

Download Submit
C:\Users\Admin\AppData\Roaming\L08Y1W0THA.com
MD5
1409a67f156893c8d26d57add0174799

SHA1
1c1b0e6349d5bd5e5d776340e8c2844703a5d230

SHA256
41d1a0a0e0b530967e960476780edfc06de7b9f9f42884b71c02af5619cd95f8

SHA512
934e49b428ac1f5a0060c6e43bf3fb82b2e0ebd9ac55115dfe5d4043a9cb601550bd5ccea811fe6d86a395404822579c5573a5e352a3ba17baaf79db1aad3d17

Download Submit
C:\Users\Admin\AppData\Roaming\L08Y1W0THA.com
MD5
1409a67f156893c8d26d57add0174799

SHA1
1c1b0e6349d5bd5e5d776340e8c2844703a5d230

SHA256
41d1a0a0e0b530967e960476780edfc06de7b9f9f42884b71c02af5619cd95f8

SHA512
934e49b428ac1f5a0060c6e43bf3fb82b2e0ebd9ac55115dfe5d4043a9cb601550bd5ccea811fe6d86a395404822579c5573a5e352a3ba17baaf79db1aad3d17

Download Submit
C:\Users\Admin\AppData\Roaming\L08Y1W0THA.com
MD5
1409a67f156893c8d26d57add0174799

SHA1
1c1b0e6349d5bd5e5d776340e8c2844703a5d230

SHA256
41d1a0a0e0b530967e960476780edfc06de7b9f9f42884b71c02af5619cd95f8

SHA512
934e49b428ac1f5a0060c6e43bf3fb82b2e0ebd9ac55115dfe5d4043a9cb601550bd5ccea811fe6d86a395404822579c5573a5e352a3ba17baaf79db1aad3d17

Download Submit
C:\Users\Admin\AppData\Roaming\XaoShGXEdx.js
MD5
14742214ca98f7af7f89d7f7a4f4fc83

SHA1
001da8065d28762e93641630125121f14aedceb0

SHA256
863db6134cb55a376494668bc17b6a70e905eccb98c340af8a85cb29af76c15c

SHA512
0da618574424c1c24afbc317232b74ea9f37313aea1bbbfd517d089d4088489e3747a0f43e5167dfd8a7f78252bb9a4512050829fec62ce6747e0fac7c8e8f67

Download Submit
memory/2600-158-0x0000000070D80000-0x0000000070D92000-memory.dmp

Filesize
72KB

Download
memory/2600-157-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/2600-154-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/3064-159-0x0000000006DD0000-0x0000000006E36000-memory.dmp

Filesize
408KB

Download
memory/3064-155-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/3064-156-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/3452-140-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3452-146-0x0000000073B60000-0x0000000073B72000-memory.dmp

Filesize
72KB

Download
memory/3452-141-0x0000000006880000-0x0000000006E24000-memory.dmp

Filesize
5.6MB

Download
memory/3452-139-0x0000000004DB0000-0x0000000004E4C000-memory.dmp

Filesize
624KB

Download
memory/3452-138-0x0000000000350000-0x0000000000424000-memory.dmp

Filesize
848KB

Download
memory/3452-137-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/4296-150-0x00000000062F0000-0x0000000006382000-memory.dmp

Filesize
584KB

Download
memory/4296-145-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/4296-144-0x0000000075170000-0x0000000075920000-memory.dmp

Filesize
7.7MB

Download
memory/4296-142-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download