5edc00ae5ea6c8a2453bfaacf8b4cf6360027e1c066bd3c96dc4106af5c3b88f

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documt736098.vbe
Size

9KB
MD5

8113e63e2ba4ac63a4621b2d9441524d
SHA1

05b433f2cfb14f9d1ec947e32a496c45a2cfa22a
SHA256

d5d3a7f4ca9b374465da72f550cc5a04e751c6a4ed18ab917a304318a9b4409b
SHA512

730e21b73e6320146c53dd9092246578a476b24efb6dbcd902e905df05039274cd2adf76293e54e1d9a3cb01e88d3800db867597bbffd979ecfea5729d4d62d9
SSDEEP

192:egjmLPbnOqiR2jutyT8vPka6hfuIMynp9KAvPxK:tjcPbg2+yT8HkaTTqp0AvQ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2472	WScript.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1324	vlc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2712	powershell.exe
2712	powershell.exe
2352	powershell.exe
2844	powershell.exe
2352	powershell.exe
2012	powershell.exe
2012	powershell.exe
2348	powershell.exe
2348	powershell.exe
1072	powershell.exe
1072	powershell.exe
448	powershell.exe
448	powershell.exe
3004	powershell.exe
3004	powershell.exe
2584	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1324	vlc.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1324	vlc.exe
1324	vlc.exe
1324	vlc.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1324	vlc.exe
1324	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1324	vlc.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2120	2344	taskeng.exe	32
PID 2344 wrote to memory of 2120	2344	taskeng.exe	32
PID 2344 wrote to memory of 2120	2344	taskeng.exe	32
PID 2120 wrote to memory of 2712	2120	WScript.exe	34
PID 2120 wrote to memory of 2712	2120	WScript.exe	34
PID 2120 wrote to memory of 2712	2120	WScript.exe	34
PID 2712 wrote to memory of 2696	2712	powershell.exe	36
PID 2712 wrote to memory of 2696	2712	powershell.exe	36
PID 2712 wrote to memory of 2696	2712	powershell.exe	36
PID 2120 wrote to memory of 2352	2120	WScript.exe	37
PID 2120 wrote to memory of 2352	2120	WScript.exe	37
PID 2120 wrote to memory of 2352	2120	WScript.exe	37
PID 2120 wrote to memory of 2844	2120	WScript.exe	40
PID 2120 wrote to memory of 2844	2120	WScript.exe	40
PID 2120 wrote to memory of 2844	2120	WScript.exe	40
PID 2844 wrote to memory of 3044	2844	powershell.exe	42
PID 2844 wrote to memory of 3044	2844	powershell.exe	42
PID 2844 wrote to memory of 3044	2844	powershell.exe	42
PID 2352 wrote to memory of 2900	2352	powershell.exe	43
PID 2352 wrote to memory of 2900	2352	powershell.exe	43
PID 2352 wrote to memory of 2900	2352	powershell.exe	43
PID 2120 wrote to memory of 2012	2120	WScript.exe	44
PID 2120 wrote to memory of 2012	2120	WScript.exe	44
PID 2120 wrote to memory of 2012	2120	WScript.exe	44
PID 2012 wrote to memory of 2328	2012	powershell.exe	46
PID 2012 wrote to memory of 2328	2012	powershell.exe	46
PID 2012 wrote to memory of 2328	2012	powershell.exe	46
PID 2120 wrote to memory of 2348	2120	WScript.exe	47
PID 2120 wrote to memory of 2348	2120	WScript.exe	47
PID 2120 wrote to memory of 2348	2120	WScript.exe	47
PID 2348 wrote to memory of 2856	2348	powershell.exe	49
PID 2348 wrote to memory of 2856	2348	powershell.exe	49
PID 2348 wrote to memory of 2856	2348	powershell.exe	49
PID 2120 wrote to memory of 1072	2120	WScript.exe	50
PID 2120 wrote to memory of 1072	2120	WScript.exe	50
PID 2120 wrote to memory of 1072	2120	WScript.exe	50
PID 1072 wrote to memory of 2904	1072	powershell.exe	52
PID 1072 wrote to memory of 2904	1072	powershell.exe	52
PID 1072 wrote to memory of 2904	1072	powershell.exe	52
PID 2120 wrote to memory of 448	2120	WScript.exe	53
PID 2120 wrote to memory of 448	2120	WScript.exe	53
PID 2120 wrote to memory of 448	2120	WScript.exe	53
PID 448 wrote to memory of 3040	448	powershell.exe	55
PID 448 wrote to memory of 3040	448	powershell.exe	55
PID 448 wrote to memory of 3040	448	powershell.exe	55
PID 2120 wrote to memory of 3004	2120	WScript.exe	56
PID 2120 wrote to memory of 3004	2120	WScript.exe	56
PID 2120 wrote to memory of 3004	2120	WScript.exe	56
PID 3004 wrote to memory of 1712	3004	powershell.exe	58
PID 3004 wrote to memory of 1712	3004	powershell.exe	58
PID 3004 wrote to memory of 1712	3004	powershell.exe	58
PID 2120 wrote to memory of 2584	2120	WScript.exe	59
PID 2120 wrote to memory of 2584	2120	WScript.exe	59
PID 2120 wrote to memory of 2584	2120	WScript.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documt736098.vbe"
1⤵
- Blocklisted process makes network request
PID:2472

C:\Windows\system32\taskeng.exe
taskeng.exe {F5FC80A3-71D9-4061-9819-361DD5E612C5} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2712" "1236"
      4⤵
      PID:2696
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2352" "1240"
      4⤵
      PID:2900
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2844" "1136"
      4⤵
      PID:3044
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2012" "1252"
      4⤵
      PID:2328
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2348" "1244"
      4⤵
      PID:2856
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1072" "1248"
      4⤵
      PID:2904
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "448" "1236"
      4⤵
      PID:3040
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3004" "1244"
      4⤵
      PID:1712
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StartRevoke.AAC"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259460256.txt

Filesize
1KB

MD5
0bfdc22fc4d5ccf5053c2fcb413be397

SHA1
0d6b695e8446eec968a089f4c11bf1d561d7d3ae

SHA256
13cf381028dc2de85757fc4f2630a860831fdc1ed61787d5f50e7fb404638a48

SHA512
7f91d96f3ffb14950a040914addbf7d30e2ffc7a245b40a56c3051ea3194d0d8be3a45ad828c403fe35644b83ff0d41fc8b870e14d9cf9a290cf07e771defbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259486128.txt

Filesize
1KB

MD5
0b2c1778f885dfab4be5845f55460457

SHA1
67ad1f563235dae1b5853ddfebe2cbd3526e4893

SHA256
3f7baeae148a490ebbd0dad80874239c533d133beb404b7fa7f8be75be8f6b8e

SHA512
0de56caa1796ce353d4771bff5ced34d08f64535d6dc947900adb5e82f413f3f594a8b982a9b49784f49ad1a157d4a93028aba6c074f52646e74f4367b2cd0dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259486620.txt

Filesize
1KB

MD5
bbae1d67647738c2db1bd527513ef4e9

SHA1
c47b47412d55836db06372636008d9400c44526e

SHA256
ad0603765c6a57d88267035e3a6e68e45496ecdbff3205d481c9cfeac69f46f1

SHA512
d0ad968f4bdcab4bd84689847c9ecfb7c3d66ffa5178b1d9d74f0c89b53b8324f9985087dabb4bf65ca4b7627f0687ce69e29c871329adf9122487944eb4a503

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259502603.txt

Filesize
1KB

MD5
d34a730d9768f0415727a42711619667

SHA1
28436e3d8e623202bf70a8e3d359580bb976fd5c

SHA256
bf84b81232f4a13c60097b26cb860cc3094c184650cc6828ee8a36f1140d429a

SHA512
00f1a78be9ac6c24bbbec50644fd28b8159ec795f42e7cc59b40867c8dcf8a65291e9b0199183b0eb3fe77a6f5819ee827e87d5871a64ff751eb1322cd3523ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259521001.txt

Filesize
1KB

MD5
4051faca01f6016f1e26abd55c70148e

SHA1
ade0330a8f966336c844b31f805621c45e8f4ee0

SHA256
e711403e8e270dce17379151044c2c88505f42319999562262e03ffded49ea53

SHA512
5b06f9f2112f9cd0359a14af643e89fc1b2e4e18927fd514d188d14b119bdb5dcdac4112995fd11b4fcbc5e4c91c547ccc81a343e01763c7c95d25fc34a8b792

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259534771.txt

Filesize
1KB

MD5
aa7ec14e9d86b6a17d6004a146474e3a

SHA1
08a23548ffa7edb64754e013e81128e97004ef86

SHA256
46db1ee2f6f63b0069bfa650943fae88e1719628c65246df0571deb1df75f860

SHA512
6576d443cc4b05d5914c49e1f3cdb4edd6fd604229fa1e82819f3052b7e5a489a03b62e813146c5c2f03b6a01df4927fd4d3fd61c9b5c6f69b335b848a541972

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259548877.txt

Filesize
1KB

MD5
1a367105df4dbbaba06ccac6ebfec311

SHA1
e3d1b62ecc08a28ddc488bf5b0b05e1498f4fcf3

SHA256
d3baa1842bed51a937babe8683f81cb390ca89b42c67fa9bfcfa5608883e374e

SHA512
25bc3347172774fd2b5630a122ed340764c28435235706569fcd9833acfca42819ecddb519488558c280badc63cdc888c954b0f828ec757fe1447ae9d48c528a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259566112.txt

Filesize
1KB

MD5
23af03f2b36af4da5c9de2dfa93799a9

SHA1
e721a25c56aac52116d3657ada0ce59cfec23771

SHA256
8ac288a06b74f66c0012673c4a2204cb5de3c5a497ab053ddb75d1fdfa06a8f9

SHA512
c773a93d89a6eb112a0fa9ba93ef32f5cf4b410e95f28691282475588a9a986ed223aeb38be18e0ae182565a2c2612c6900a71771ea25bdf62f1dd569175fbd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
05f216d3e0fc945597b887088977cd3e

SHA1
144362668c0e0adf19b2586b9c1b5b264a29a2d3

SHA256
90db8eb81ed66168dc2603f7c9749831c20e166c0e6a9b6fff5e6db9665d09c0

SHA512
cf59ea4cb08142e7dbbd3c10036ba88e1f0254645ecd849739568e919f23fc61e892b892864cebbf5bffe80d1ee79e93cb3d40351817ca24ad2534330547be4d

Download Submit
C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs

Filesize
2KB

MD5
78fdde7d507d9d64ddd3808c52231caa

SHA1
cd989a13a2f92c404ddd56f9b9126e529b091f74

SHA256
0c26896cb8ca3eaa7e009abac4eff302f5a8fd312f987a2d802bdf4d67c0fd0a

SHA512
d77b609a544ee038e2673201d756b2a8f486a288ca0df10d1161f1516982405a7ed075c84b16d4f3ff1bde7a8ee21797e51df6e576e7ea0b85ae9835f534321a

Download Submit
memory/1324-34-0x000007FEF13D0000-0x000007FEF13E1000-memory.dmp

Filesize
68KB

Download
memory/1324-42-0x000007FEEFF50000-0x000007FEEFF61000-memory.dmp

Filesize
68KB

Download
memory/1324-23-0x000007FEF53C0000-0x000007FEF53D1000-memory.dmp

Filesize
68KB

Download
memory/1324-26-0x000007FEF18D0000-0x000007FEF18ED000-memory.dmp

Filesize
116KB

Download
memory/1324-25-0x000007FEF5380000-0x000007FEF5391000-memory.dmp

Filesize
68KB

Download
memory/1324-20-0x000007FEF5A50000-0x000007FEF5D06000-memory.dmp

Filesize
2.7MB

Download
memory/1324-28-0x000007FEF18B0000-0x000007FEF18C1000-memory.dmp

Filesize
68KB

Download
memory/1324-27-0x000007FEEF600000-0x000007FEEF80B000-memory.dmp

Filesize
2.0MB

Download
memory/1324-29-0x000007FEF1860000-0x000007FEF18A1000-memory.dmp

Filesize
260KB

Download
memory/1324-38-0x000007FEF1340000-0x000007FEF1370000-memory.dmp

Filesize
192KB

Download
memory/1324-37-0x000007FEF1370000-0x000007FEF1388000-memory.dmp

Filesize
96KB

Download
memory/1324-36-0x000007FEF1390000-0x000007FEF13A1000-memory.dmp

Filesize
68KB

Download
memory/1324-35-0x000007FEF13B0000-0x000007FEF13CB000-memory.dmp

Filesize
108KB

Download
memory/1324-22-0x000007FEF53E0000-0x000007FEF53F7000-memory.dmp

Filesize
92KB

Download
memory/1324-33-0x000007FEF17D0000-0x000007FEF17E1000-memory.dmp

Filesize
68KB

Download
memory/1324-32-0x000007FEF17F0000-0x000007FEF1801000-memory.dmp

Filesize
68KB

Download
memory/1324-31-0x000007FEF1810000-0x000007FEF1828000-memory.dmp

Filesize
96KB

Download
memory/1324-30-0x000007FEF1830000-0x000007FEF1851000-memory.dmp

Filesize
132KB

Download
memory/1324-40-0x000007FEF12D0000-0x000007FEF1337000-memory.dmp

Filesize
412KB

Download
memory/1324-21-0x000007FEF6E70000-0x000007FEF6E88000-memory.dmp

Filesize
96KB

Download
memory/1324-44-0x000007FEEFBB0000-0x000007FEEFBD8000-memory.dmp

Filesize
160KB

Download
memory/1324-47-0x000007FEEF5E0000-0x000007FEEF5F1000-memory.dmp

Filesize
68KB

Download
memory/1324-46-0x000007FEEFB60000-0x000007FEEFB78000-memory.dmp

Filesize
96KB

Download
memory/1324-49-0x000007FEEF550000-0x000007FEEF57F000-memory.dmp

Filesize
188KB

Download
memory/1324-48-0x000007FEEF580000-0x000007FEEF5D7000-memory.dmp

Filesize
348KB

Download
memory/1324-45-0x000007FEEFB80000-0x000007FEEFBA4000-memory.dmp

Filesize
144KB

Download
memory/1324-43-0x000007FEEFBE0000-0x000007FEEFC37000-memory.dmp

Filesize
348KB

Download
memory/1324-41-0x000007FEEFF70000-0x000007FEEFFEC000-memory.dmp

Filesize
496KB

Download
memory/1324-39-0x000007FEECA70000-0x000007FEEDB20000-memory.dmp

Filesize
16.7MB

Download
memory/1324-24-0x000007FEF53A0000-0x000007FEF53B7000-memory.dmp

Filesize
92KB

Download
memory/1324-18-0x000000013FC30000-0x000000013FD28000-memory.dmp

Filesize
992KB

Download
memory/1324-19-0x000007FEF6300000-0x000007FEF6334000-memory.dmp

Filesize
208KB

Download
memory/1324-81-0x000007FEECA70000-0x000007FEEDB20000-memory.dmp

Filesize
16.7MB

Download
memory/2352-16-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2352-17-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/2712-8-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/2712-7-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2712-6-0x000000001B8D0000-0x000000001BBB2000-memory.dmp

Filesize
2.9MB

Download