47fb37d285424a155defa75f5788442f68228ca67cf3e07d156f10c9b621e2de

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47fb37d285424a155defa75f5788442f68228ca67cf3e07d156f10c9b621e2de.vbs
Size

17KB
MD5

a7c2edb4d802f4195a1370be0063422b
SHA1

30c32d08e7ca9dd1fe3cede09700947530c53ee2
SHA256

47fb37d285424a155defa75f5788442f68228ca67cf3e07d156f10c9b621e2de
SHA512

069ba00e62335b61550dca3c37422e054f5fb17cde5d7d8b999c2abcdbd8ea193daab3660afb2cf621ad2db43ea6c85f82cb69fe62dfe3f658d678048df5fafe
SSDEEP

384:bZEeqBbbhht0F0o9BHdJD/UgdSmqSy65TGd:bZEeqhhhtzorHdJD/UgdSmqSy65TGd

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	532	WScript.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2864	powershell.exe
1764	powershell.exe
2864	powershell.exe
2068	powershell.exe
2068	powershell.exe
2944	powershell.exe
2944	powershell.exe
2820	powershell.exe
2820	powershell.exe
2156	powershell.exe
2156	powershell.exe
276	powershell.exe
276	powershell.exe
2668	powershell.exe
2668	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2836	wmplayer.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 532	2328	WScript.exe	31
PID 2328 wrote to memory of 532	2328	WScript.exe	31
PID 2328 wrote to memory of 532	2328	WScript.exe	31
PID 2684 wrote to memory of 2808	2684	taskeng.exe	33
PID 2684 wrote to memory of 2808	2684	taskeng.exe	33
PID 2684 wrote to memory of 2808	2684	taskeng.exe	33
PID 2808 wrote to memory of 2864	2808	WScript.exe	35
PID 2808 wrote to memory of 2864	2808	WScript.exe	35
PID 2808 wrote to memory of 2864	2808	WScript.exe	35
PID 2808 wrote to memory of 1764	2808	WScript.exe	38
PID 2808 wrote to memory of 1764	2808	WScript.exe	38
PID 2808 wrote to memory of 1764	2808	WScript.exe	38
PID 2864 wrote to memory of 2764	2864	powershell.exe	40
PID 2864 wrote to memory of 2764	2864	powershell.exe	40
PID 2864 wrote to memory of 2764	2864	powershell.exe	40
PID 1764 wrote to memory of 2076	1764	powershell.exe	41
PID 1764 wrote to memory of 2076	1764	powershell.exe	41
PID 1764 wrote to memory of 2076	1764	powershell.exe	41
PID 2808 wrote to memory of 2068	2808	WScript.exe	42
PID 2808 wrote to memory of 2068	2808	WScript.exe	42
PID 2808 wrote to memory of 2068	2808	WScript.exe	42
PID 2068 wrote to memory of 236	2068	powershell.exe	44
PID 2068 wrote to memory of 236	2068	powershell.exe	44
PID 2068 wrote to memory of 236	2068	powershell.exe	44
PID 2808 wrote to memory of 2944	2808	WScript.exe	46
PID 2808 wrote to memory of 2944	2808	WScript.exe	46
PID 2808 wrote to memory of 2944	2808	WScript.exe	46
PID 2944 wrote to memory of 2252	2944	powershell.exe	48
PID 2944 wrote to memory of 2252	2944	powershell.exe	48
PID 2944 wrote to memory of 2252	2944	powershell.exe	48
PID 2808 wrote to memory of 2820	2808	WScript.exe	49
PID 2808 wrote to memory of 2820	2808	WScript.exe	49
PID 2808 wrote to memory of 2820	2808	WScript.exe	49
PID 2820 wrote to memory of 1704	2820	powershell.exe	51
PID 2820 wrote to memory of 1704	2820	powershell.exe	51
PID 2820 wrote to memory of 1704	2820	powershell.exe	51
PID 2808 wrote to memory of 2156	2808	WScript.exe	53
PID 2808 wrote to memory of 2156	2808	WScript.exe	53
PID 2808 wrote to memory of 2156	2808	WScript.exe	53
PID 2156 wrote to memory of 2228	2156	powershell.exe	55
PID 2156 wrote to memory of 2228	2156	powershell.exe	55
PID 2156 wrote to memory of 2228	2156	powershell.exe	55
PID 2808 wrote to memory of 276	2808	WScript.exe	56
PID 2808 wrote to memory of 276	2808	WScript.exe	56
PID 2808 wrote to memory of 276	2808	WScript.exe	56
PID 276 wrote to memory of 1860	276	powershell.exe	58
PID 276 wrote to memory of 1860	276	powershell.exe	58
PID 276 wrote to memory of 1860	276	powershell.exe	58
PID 2808 wrote to memory of 2668	2808	WScript.exe	59
PID 2808 wrote to memory of 2668	2808	WScript.exe	59
PID 2808 wrote to memory of 2668	2808	WScript.exe	59
PID 2668 wrote to memory of 1888	2668	powershell.exe	61
PID 2668 wrote to memory of 1888	2668	powershell.exe	61
PID 2668 wrote to memory of 1888	2668	powershell.exe	61
PID 2808 wrote to memory of 2196	2808	WScript.exe	62
PID 2808 wrote to memory of 2196	2808	WScript.exe	62
PID 2808 wrote to memory of 2196	2808	WScript.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47fb37d285424a155defa75f5788442f68228ca67cf3e07d156f10c9b621e2de.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\out.vbe"
  2⤵
  - Blocklisted process makes network request
  PID:532

C:\Windows\system32\taskeng.exe
taskeng.exe {6549DB32-6D78-411E-A197-C4E2DC728AAB} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\qSqOPawvHoBdGel.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2864" "1244"
      4⤵
      PID:2764
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1764" "1132"
      4⤵
      PID:2076
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2068" "1240"
      4⤵
      PID:236
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2944" "1244"
      4⤵
      PID:2252
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2820" "1232"
      4⤵
      PID:1704
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2156" "1236"
      4⤵
      PID:2228
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:276
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "276" "1236"
      4⤵
      PID:1860
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2668" "1236"
      4⤵
      PID:1888
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    PID:2196
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2196" "1240"
      4⤵
      PID:2392

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\out.vbe

Filesize
8KB

MD5
1f728a1a3707688ff942828693fe5087

SHA1
b3b101a73eb95afccecd9134d59749af8172c88d

SHA256
8a9fe12c582a9899f79fa0a40befd9fd5a29fa41d4143ad6da9725c8a5aa5306

SHA512
fea26ab73e9ce1ccfa16a1df052bd049b0a9376fdd63480f596858963dbb900edb1840586c0ebce9b220340be880e12bec229d28c166d5e8bfe9afe6fc288aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259473970.txt

Filesize
1KB

MD5
055d00fab032f696bb40e405fada897b

SHA1
374d32a8b75e7e03aa63bbdd7442f5ce841b7bba

SHA256
abfaba232dc9c818f637d52d294a03705037f839a9666e7e526fb24ff558c1e6

SHA512
ec82ca0e43e53e665ffd6f076db80d227a416d108c6c8f16d2a6d0a7225fecf738d196f524eda0b33ccf6fd4f2696717ed8714169cfa52c0820a21747f56dd75

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259477478.txt

Filesize
1KB

MD5
11546a3213c0cdd8141c218742f4d4f4

SHA1
b705993844f317488c2a6c6d0748d7e4b5b9c168

SHA256
80fcd0d1d0662226c73661e65eaa7de7d7d5240be546de7ab4c17561afbca742

SHA512
a60ef06471239a48a9bf2b7ea8278f985be9593bbe2066cc1918348d56a03a81e0d4d9c4d812afab96be7c98586385fab60877a7717fd6d4a511110d4fd853f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259492789.txt

Filesize
1KB

MD5
63e116e6da807615ee2d4456f365df6b

SHA1
5a888e76cc3dc969b4a6a2befe587d9c60b266e1

SHA256
58a267b7b663c1a9b08826402a19d9c4068e51dc658e9160df3bcc1a37d0d2f5

SHA512
2c7ec936e3c055db125dc12d98ab52a47a58dafd6a05e7c5962289bb5a327764752f71d93a2f8f977e10bed9454178b8495b7bf42f6ad62d32de71973441ca9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259503243.txt

Filesize
1KB

MD5
6904f0870907e7dc8136c21f62021ef0

SHA1
f1fba17520a0ecf684c14313f78032550c2c0796

SHA256
f236ee53e91d60478ee3064588895ac48ca72640efc222122a0f837217289ff0

SHA512
fbc8a8b9ba60149aac7c4240016a1c7c675500654b1bb2dd32b48bc90bc0201ed24965895e2b09ba61bf5e6d8f5c5ce5742f6cc462f158266daf736e16a13104

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259519135.txt

Filesize
1KB

MD5
9f985402628b696347905e4508ee6796

SHA1
d8053465d2a5cb117e2030a019e9062939ec056a

SHA256
736d8ff660b3298f0354e48c7fc471cc2c8c9020b1ec56cbb9ed4b18a8a63780

SHA512
713bbf76f8938b0acc551b255a69650f4f6403da1cde04ab3704c0df78d83ee7beb0b51a714ab85e1150218068a5978066922783aae30dc4c16e1fb970cfdad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259538164.txt

Filesize
1KB

MD5
530bf6ee5715164572db32bd6ca9f22e

SHA1
a15fb8e26246fbba7f97599701c4c56648422096

SHA256
7aa93a385d7df5bd5cd2299846b370a9e08278459426c05b9bba17e819cadaa0

SHA512
a8d804b635ee75767cc262c26c8802349bab6aab41dea87b35d4b478afb0d12342fc49a4797d213c2688b254c36c486eb47d5b9b6d4b749d3d205866877665c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259550771.txt

Filesize
1KB

MD5
04f1d57517bd65024b04709c246756bb

SHA1
0e6a9b9d7e95179eab98c5d47d73f6b6875df3c6

SHA256
c9371ea241d0e566fdbe1f894086589a27d895a7ff6f4ef106a480f31f627c8a

SHA512
907a0a639e29ff097b5a4734b324b8f5fd47e6bf0ecd6c093b2d0319c490e04cab844995f68157fd1c3191f3b56c9be38456356eeaf82b503410419903b4c881

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259564441.txt

Filesize
1KB

MD5
2c61f26d65bab3e23f579526a862c80b

SHA1
961fd0711b6df960249c84cadb7f3a98cddf6846

SHA256
756f42e6d15689bffb07369e86f98e74fbcdde2c5985aff1d73c2380e19303fe

SHA512
aef07cecd6451082bf4eb55edffca10398f6bb5c84cdf0de984880ae97ad21e4e75c47033f1d962145089429b1b322ae1c46b7bb54462d32966a4e9ddf8c5b0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
20cba0ceb4010f3869a984eaf9a10180

SHA1
ba7e99595d98538bba1474e80c192995e21d3263

SHA256
a97cb65b92e41bba59f050fb26f4d13a1f173c1064d3c7cf1cbe216be0355ea1

SHA512
5c973b9546a861739ae6f60bd9f52bf2f2bbd5fbaa1156ff1f11745150a6505e3b1832a9e4691080382e360a2ff2c55d19aa39e21c4c73c1062c1ab432ea68ea

Download Submit
C:\Users\Admin\AppData\Roaming\qSqOPawvHoBdGel.vbs

Filesize
2KB

MD5
a27ccb57ff1d5685f3b744f83ae76ceb

SHA1
be394b0554203ad342bd5b86a3f549577cdc7ea4

SHA256
dcbcc67a49fd29985c87993db391ab12dbc531a15b24cbc7149bd74adea174fc

SHA512
6fc2b6eaf3cf055206e1253654bf8542dabebab4159f0fd049e800bce4a2f9c3638ed0e754e695e079f6baed9267db72f5c41a3b5393fd521419adb1e40e3613

Download Submit
memory/2068-73-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/2068-72-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2820-93-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/2820-92-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2836-18-0x0000000004620000-0x000000000462A000-memory.dmp

Filesize
40KB

Download
memory/2836-56-0x0000000004620000-0x000000000462A000-memory.dmp

Filesize
40KB

Download
memory/2836-19-0x0000000004620000-0x000000000462A000-memory.dmp

Filesize
40KB

Download
memory/2836-16-0x0000000004620000-0x000000000462A000-memory.dmp

Filesize
40KB

Download
memory/2836-17-0x0000000004620000-0x000000000462A000-memory.dmp

Filesize
40KB

Download
memory/2836-13-0x0000000002560000-0x0000000002562000-memory.dmp

Filesize
8KB

Download
memory/2864-62-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/2864-12-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2864-11-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2944-82-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2944-81-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download