e2604e06a1d397760f22a668b48821dc20f06a8c3a28d165b9c96569b0e88bbb

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2604e06a1d397760f22a668b48821dc20f06a8c3a28d165b9c96569b0e88bbb.vbe
Size

11KB
MD5

4565da69d82d3d17f33436b132261de7
SHA1

5e124ae25d9ec64cc681546299e0fa2d4f4b50d4
SHA256

e2604e06a1d397760f22a668b48821dc20f06a8c3a28d165b9c96569b0e88bbb
SHA512

7390abe671d2ad1a430bfb69888cdcb7f6e9284cc9432338a5b1eddeb0624987b92a56009e50c283c46894256ca1ab43640cac3ecbf09bd4b69867cccb6f4329
SSDEEP

192:YeHNd/sigyX/tr7b7RMAv0Evwfk5Pv4fX//CxHQ6V62nN4je5K:zHMiTFPXHvwfk5PvQiHQ6EGijT

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2840	WScript.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2804	vlc.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2980	powershell.exe
2980	powershell.exe
3044	powershell.exe
3044	powershell.exe
1420	powershell.exe
1420	powershell.exe
2232	powershell.exe
2232	powershell.exe
1324	powershell.exe
1324	powershell.exe
2012	powershell.exe
2012	powershell.exe
1636	powershell.exe
3024	powershell.exe
1636	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2804	vlc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2804	vlc.exe
2804	vlc.exe
2804	vlc.exe
2804	vlc.exe
2804	vlc.exe
2804	vlc.exe
2804	vlc.exe
2804	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2804	vlc.exe
2804	vlc.exe
2804	vlc.exe
2804	vlc.exe
2804	vlc.exe
2804	vlc.exe
2804	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2804	vlc.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2892	2708	taskeng.exe	32
PID 2708 wrote to memory of 2892	2708	taskeng.exe	32
PID 2708 wrote to memory of 2892	2708	taskeng.exe	32
PID 2892 wrote to memory of 2980	2892	WScript.exe	34
PID 2892 wrote to memory of 2980	2892	WScript.exe	34
PID 2892 wrote to memory of 2980	2892	WScript.exe	34
PID 2980 wrote to memory of 1228	2980	powershell.exe	36
PID 2980 wrote to memory of 1228	2980	powershell.exe	36
PID 2980 wrote to memory of 1228	2980	powershell.exe	36
PID 2892 wrote to memory of 3044	2892	WScript.exe	37
PID 2892 wrote to memory of 3044	2892	WScript.exe	37
PID 2892 wrote to memory of 3044	2892	WScript.exe	37
PID 3044 wrote to memory of 2908	3044	powershell.exe	39
PID 3044 wrote to memory of 2908	3044	powershell.exe	39
PID 3044 wrote to memory of 2908	3044	powershell.exe	39
PID 2892 wrote to memory of 1420	2892	WScript.exe	40
PID 2892 wrote to memory of 1420	2892	WScript.exe	40
PID 2892 wrote to memory of 1420	2892	WScript.exe	40
PID 1420 wrote to memory of 2176	1420	powershell.exe	42
PID 1420 wrote to memory of 2176	1420	powershell.exe	42
PID 1420 wrote to memory of 2176	1420	powershell.exe	42
PID 2892 wrote to memory of 2232	2892	WScript.exe	43
PID 2892 wrote to memory of 2232	2892	WScript.exe	43
PID 2892 wrote to memory of 2232	2892	WScript.exe	43
PID 2232 wrote to memory of 444	2232	powershell.exe	45
PID 2232 wrote to memory of 444	2232	powershell.exe	45
PID 2232 wrote to memory of 444	2232	powershell.exe	45
PID 2892 wrote to memory of 1324	2892	WScript.exe	46
PID 2892 wrote to memory of 1324	2892	WScript.exe	46
PID 2892 wrote to memory of 1324	2892	WScript.exe	46
PID 1324 wrote to memory of 1696	1324	powershell.exe	48
PID 1324 wrote to memory of 1696	1324	powershell.exe	48
PID 1324 wrote to memory of 1696	1324	powershell.exe	48
PID 2892 wrote to memory of 2012	2892	WScript.exe	49
PID 2892 wrote to memory of 2012	2892	WScript.exe	49
PID 2892 wrote to memory of 2012	2892	WScript.exe	49
PID 2012 wrote to memory of 2332	2012	powershell.exe	51
PID 2012 wrote to memory of 2332	2012	powershell.exe	51
PID 2012 wrote to memory of 2332	2012	powershell.exe	51
PID 2892 wrote to memory of 1636	2892	WScript.exe	52
PID 2892 wrote to memory of 1636	2892	WScript.exe	52
PID 2892 wrote to memory of 1636	2892	WScript.exe	52
PID 2892 wrote to memory of 3024	2892	WScript.exe	55
PID 2892 wrote to memory of 3024	2892	WScript.exe	55
PID 2892 wrote to memory of 3024	2892	WScript.exe	55
PID 3024 wrote to memory of 2908	3024	powershell.exe	57
PID 3024 wrote to memory of 2908	3024	powershell.exe	57
PID 3024 wrote to memory of 2908	3024	powershell.exe	57
PID 1636 wrote to memory of 2912	1636	powershell.exe	58
PID 1636 wrote to memory of 2912	1636	powershell.exe	58
PID 1636 wrote to memory of 2912	1636	powershell.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2604e06a1d397760f22a668b48821dc20f06a8c3a28d165b9c96569b0e88bbb.vbe"
1⤵
- Blocklisted process makes network request
PID:2840

C:\Windows\system32\taskeng.exe
taskeng.exe {F88F7F7A-4CC7-4DFF-ADA7-9F7755A86299} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\uaDoJtHubxengYS.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2980" "1240"
      4⤵
      PID:1228
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3044" "1244"
      4⤵
      PID:2908
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1420" "1240"
      4⤵
      PID:2176
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2232" "1240"
      4⤵
      PID:444
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1324" "1244"
      4⤵
      PID:1696
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2012" "1240"
      4⤵
      PID:2332
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1636" "1184"
      4⤵
      PID:2912
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3024" "1128"
      4⤵
      PID:2908

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StartPop.rmi"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259456066.txt

Filesize
1KB

MD5
e5e4b0d4e32bcdc90eebb1a942d21280

SHA1
faeffb2f5142f65e9453b98fb365616602a6f081

SHA256
ed87b4329ad3193a533f8087ee538cc4bbb67fe94b2dce07268b434a93973743

SHA512
de291dee44bb0d96c8bce283c03525a5478ef10b28e2f487d703b22dfc9cebf26af379d5082652688ed92a61688ac86db5004b37775e0c94d9322ad9b062a6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259471820.txt

Filesize
1KB

MD5
811012a49510eff2e3a06f44c7f3073e

SHA1
bf1dca0b9124fa98d46cfbc114fed41aca60c4b2

SHA256
1120b3adc13804588088c4c83b47b68eddc767d6bc29c18ac66221289645e85b

SHA512
e2ad60de1a394d62bef20037bcc039b593534d351632db8bf5a781f2699d64f3d67aac31e31d48c87a6d34ee2a14acbba1e00830ba9b999575b85ea7abf3e6d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259483785.txt

Filesize
1KB

MD5
9cf09a2cf7e3edd25a119d1dfe1acac8

SHA1
875e430aa03f7d4b82ddd0ed57e3412d7b79f3b3

SHA256
df90d1b2cd2070386d04a778f697f7cc6aa44c398820b1650ffaee40ae5340ad

SHA512
a96149ce6f23b487b22abe17ceaa54e90738da019ca6d7322a2703740067fe94fac789c7c69b103a324d4dfd81d4b81de03d9176071020fdd38667b97a40b962

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259498022.txt

Filesize
1KB

MD5
480e75aba6bc02c72b94bca74ce8fd88

SHA1
8119a459f8bb6732ef34edab73807ad729a144c1

SHA256
bf2a14ccd9497f68c9d5bcbc349f175f06c8895cad4a45a421e23a88aa87ae39

SHA512
902d4d55da31396de939ca2f13490c954de284e40d45809721ce0d2802000c907e184faa2ed0d2ba853885e446ba4adc336023b8c77893b81ec48e490183cd78

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259516371.txt

Filesize
1KB

MD5
f6c70e483754134366d87f4e4cedbf7d

SHA1
8ad4044632cea670d46e2be0cb0d11630f44af17

SHA256
f2ed9853fa244ad620e855e58541a1347618b86d3ecf3d63714305bb3c68bddb

SHA512
bd154d92e5321cda83e46910ee5973ca411e9e39aec418d0884132e6b9b4e5fa794777950be499e07e0d101a47d8f76eeede00becf358129d2976d3bf9068260

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259529159.txt

Filesize
1KB

MD5
64c6219e69c51dd386a42133942b0c3a

SHA1
e4e8cdab6ddb8da41c9e4be711ccb5eed1c15a77

SHA256
b75296a28542075f6bb0f9d525ffcad2e5b36aaeb360b5b38626a6afebde6168

SHA512
4c51a12696cf3cb7fb685b33cc1f545912b12db5c65993e01fda5145d281efbacf6581828dda80b7e226ceac11074fadc4a0fa6132685e8261159c21dcda80e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259559959.txt

Filesize
1KB

MD5
446b5e8ffcf58530dbac0fd1c751856b

SHA1
624a50b3e70e675805a2b39a645d47f1dc38aa09

SHA256
25f6a6022b4f367b94328dc5edab1f837d092c5dcedd7b8a5a19fac42fd8f3f0

SHA512
5e5c978b578a6622d15eade27561824e75206d17e3060b348c0b657c7e2d9e2b2fb99d7f470055affb0dacbf6767909624f0a0528bbbbc49848c3db8cf77a990

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259563427.txt

Filesize
1KB

MD5
cbabb671377a780fe726a38570f42bf5

SHA1
c8c2f9710b5447cb5d670c730e2216ee8b91def8

SHA256
7f5728fe9b096158b8f092c366875c2d9a9965ad2dc3cb2837730c69c4327548

SHA512
06f4f806d3120867df0687d55a888b604d13b5db697dc2e58a47aaabbdb6e9de57f8f5897ee746005d9931ebe4416470294a4733f0bcb54ea02d4a29514c43c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
37e2c99922f2e9cf59c37a4b0e359c09

SHA1
eec6edb22f3add8fad56a4f4cc7b3258a7c7e9c7

SHA256
486c1f05f022a043aa25e43c1a406333af8a59cab37b868066b310c4da6f9ce5

SHA512
44f3d3ce2cc502aaf8da2a13d2599e29c34cdafb3c98a4fe1fbf85d1faec9ee33244010c73fbc4802db0adf1791d307f8f8ded4bccf5a40b3278045ebfce2694

Download Submit
C:\Users\Admin\AppData\Roaming\uaDoJtHubxengYS.vbs

Filesize
2KB

MD5
477e3b6cbf610f72373118d4ca9cdbb2

SHA1
ca88c1b80fa6248644497449c294f92b5a32b300

SHA256
9d75154b064fc63a3de686569088ef8c7ac31f2826dc4557d5e7074535bbdf3c

SHA512
ad3d81784cb1199839e66c7b88ac1da0c14a7f8a6f3f9a7bbb496fc953f02253733e5f7370efe5c08d9c5f4a9f037d84d814e958ea8715732d9e3df14b94b119

Download Submit
memory/2804-77-0x000007FEF19F0000-0x000007FEF1A0B000-memory.dmp

Filesize
108KB

Download
memory/2804-86-0x000007FEF0C80000-0x000007FEF0CA4000-memory.dmp

Filesize
144KB

Download
memory/2804-110-0x000007FEED370000-0x000007FEEE420000-memory.dmp

Filesize
16.7MB

Download
memory/2804-60-0x000007FEF66E0000-0x000007FEF6714000-memory.dmp

Filesize
208KB

Download
memory/2804-59-0x000000013F7F0000-0x000000013F8E8000-memory.dmp

Filesize
992KB

Download
memory/2804-62-0x000007FEF70F0000-0x000007FEF7108000-memory.dmp

Filesize
96KB

Download
memory/2804-63-0x000007FEF6B30000-0x000007FEF6B47000-memory.dmp

Filesize
92KB

Download
memory/2804-64-0x000007FEF1BA0000-0x000007FEF1BB1000-memory.dmp

Filesize
68KB

Download
memory/2804-65-0x000007FEF1B80000-0x000007FEF1B97000-memory.dmp

Filesize
92KB

Download
memory/2804-66-0x000007FEF1B60000-0x000007FEF1B71000-memory.dmp

Filesize
68KB

Download
memory/2804-67-0x000007FEF1B40000-0x000007FEF1B5D000-memory.dmp

Filesize
116KB

Download
memory/2804-68-0x000007FEF1B20000-0x000007FEF1B31000-memory.dmp

Filesize
68KB

Download
memory/2804-61-0x000007FEF26B0000-0x000007FEF2966000-memory.dmp

Filesize
2.7MB

Download
memory/2804-69-0x000007FEED370000-0x000007FEEE420000-memory.dmp

Filesize
16.7MB

Download
memory/2804-83-0x000007FEF1660000-0x000007FEF1671000-memory.dmp

Filesize
68KB

Download
memory/2804-90-0x000007FEEFA50000-0x000007FEEFA62000-memory.dmp

Filesize
72KB

Download
memory/2804-89-0x000007FEEFA70000-0x000007FEEFA81000-memory.dmp

Filesize
68KB

Download
memory/2804-88-0x000007FEEFAD0000-0x000007FEEFAF3000-memory.dmp

Filesize
140KB

Download
memory/2804-87-0x000007FEF0E30000-0x000007FEF0E48000-memory.dmp

Filesize
96KB

Download
memory/2804-75-0x000007FEF1A40000-0x000007FEF1A51000-memory.dmp

Filesize
68KB

Download
memory/2804-85-0x000007FEF1630000-0x000007FEF1658000-memory.dmp

Filesize
160KB

Download
memory/2804-84-0x000007FEF0D50000-0x000007FEF0DA7000-memory.dmp

Filesize
348KB

Download
memory/2804-82-0x000007FEEFB00000-0x000007FEEFB7C000-memory.dmp

Filesize
496KB

Download
memory/2804-81-0x000007FEF1680000-0x000007FEF16E7000-memory.dmp

Filesize
412KB

Download
memory/2804-80-0x000007FEF16F0000-0x000007FEF1720000-memory.dmp

Filesize
192KB

Download
memory/2804-79-0x000007FEF1720000-0x000007FEF1738000-memory.dmp

Filesize
96KB

Download
memory/2804-78-0x000007FEF1740000-0x000007FEF1751000-memory.dmp

Filesize
68KB

Download
memory/2804-76-0x000007FEF1A20000-0x000007FEF1A31000-memory.dmp

Filesize
68KB

Download
memory/2804-74-0x000007FEF1A60000-0x000007FEF1A71000-memory.dmp

Filesize
68KB

Download
memory/2804-73-0x000007FEF1A80000-0x000007FEF1A98000-memory.dmp

Filesize
96KB

Download
memory/2804-72-0x000007FEF1AA0000-0x000007FEF1AC1000-memory.dmp

Filesize
132KB

Download
memory/2804-71-0x000007FEF1AD0000-0x000007FEF1B11000-memory.dmp

Filesize
260KB

Download
memory/2804-70-0x000007FEEFB80000-0x000007FEEFD8B000-memory.dmp

Filesize
2.0MB

Download
memory/2980-8-0x0000000002A40000-0x0000000002A48000-memory.dmp

Filesize
32KB

Download
memory/2980-7-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2980-6-0x000000001B480000-0x000000001B762000-memory.dmp

Filesize
2.9MB

Download
memory/3044-17-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/3044-16-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download