Analysis

  • max time kernel
    132s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-05-2024 17:34

Errors

  • Reason
    Machine shutdown

General

  • Target

    vamicheatloader.exe

  • Size

    77KB

  • MD5

    b074da06d9857ac5261d62b2446774a4

  • SHA1

    7137511fab7f416097aafba40cb0b6becf6c9d6e

  • SHA256

    d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58

  • SHA512

    04faf087159d02915d9981f4666b2dcc1441f6212f9fe8ef8750e1b69436159ac1063c9a2191f59c77864b7688955e3f5e9db7fe0c5f50791bcbb52c49fa3367

  • SSDEEP

    1536:+dWwWpRvrlUSvelsuFXvnd4hbAbYUU0XXS06YTUgOrEKvN:I2TSSmnZvGAbD5iST/Or9N

Malware Config

Extracted

  • Family: xworm
  • C2: rooms-belkin.gl.at.ply.gg:48066
  • Attributes
    • Install_directory: %AppData%
    • install_file: svchost.exe

Extracted

  • Family: xworm
  • Version: 5.0
  • C2: lot-feeds.gl.at.ply.gg:55815
  • Mutex: ESm62iVh1zU7IuaI
  • Attributes
    • Install_directory: %AppData%
    • install_file: RuntimeBroker.exe
  • aes.plain

Signatures

  • Detect Xworm Payload (4 IoCs)
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • ModiLoader Second Stage (2 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 8 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely as a geofence check.

  • Drops startup file (4 IoCs)
  • Executes dropped EXE (7 IoCs)
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP address.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS (15 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (23 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (29 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe
    "C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\vamicheatloader.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vamicheatloader.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3316
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1564
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Creates scheduled task(s)
      PID:1880
    • C:\Users\Admin\AppData\Local\Temp\huhady.exe
      "C:\Users\Admin\AppData\Local\Temp\huhady.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\huhady.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5004
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'huhady.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2232
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3796
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:744
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1376
    • C:\Users\Admin\AppData\Local\Temp\itpndf.exe
      "C:\Users\Admin\AppData\Local\Temp\itpndf.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      PID:764
    • C:\Users\Admin\AppData\Local\Temp\tylqcl.exe
      "C:\Users\Admin\AppData\Local\Temp\tylqcl.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2860
    • C:\Windows\SYSTEM32\shutdown.exe
      shutdown.exe /f /s /t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:32
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2584
  • C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2912
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:376
  • C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1376
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4768
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa38c6855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4636

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    • Command and Scripting Interpreter (1) T1059
    • PowerShell (1) T1059.001
    • Scheduled Task/Job (1) T1053
  • Persistence
    • Boot or Logon Autostart Execution (2) T1547
    • Registry Run Keys / Startup Folder (2) T1547.001
    • Scheduled Task/Job (1) T1053
  • Privilege Escalation
    • Boot or Logon Autostart Execution (2) T1547
    • Registry Run Keys / Startup Folder (2) T1547.001
    • Scheduled Task/Job (1) T1053
  • Defense Evasion
    • Modify Registry (2) T1112
  • Discovery
    • Query Registry (2) T1012
    • System Information Discovery (2) T1082


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    156eef78ab09ed3f1bae50155c67a949

    SHA1

    fcd424021246b9a11eb9a4fedae46a4a189749c0

    SHA256

    585a5a7c33f57a3564c9e422f008cd7babeffa122d51c1fe982ecda02030e523

    SHA512

    18bf31419032ba61eaa76f3b5f4095ac64de4852d7b152bb472c026e0106935deac06b30e9fd39e485675e1044c604ec87480eb0757eb92f13ff987f36529bb2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    a7cc007980e419d553568a106210549a

    SHA1

    c03099706b75071f36c3962fcc60a22f197711e0

    SHA256

    a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

    SHA512

    b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d28a889fd956d5cb3accfbaf1143eb6f

    SHA1

    157ba54b365341f8ff06707d996b3635da8446f7

    SHA256

    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

    SHA512

    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    ce4540390cc4841c8973eb5a3e9f4f7d

    SHA1

    2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

    SHA256

    e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

    SHA512

    2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    54522d22658e4f8f87ecb947b71b8feb

    SHA1

    6a6144bdf9c445099f52211b6122a2ecf72b77e9

    SHA256

    af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

    SHA512

    55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    9bc110200117a3752313ca2acaf8a9e1

    SHA1

    fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

    SHA256

    c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

    SHA512

    1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    aeceee3981c528bdc5e1c635b65d223d

    SHA1

    de9939ed37edca6772f5cdd29f6a973b36b7d31b

    SHA256

    b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32

    SHA512

    df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

  • C:\Users\Admin\AppData\Local\Temp\Log.tmp
    Filesize

    25B

    MD5

    c265525b01c83559e4d4bba15f733031

    SHA1

    66962ccaecf3f0f109a7bbbed14f446a6c3ebeba

    SHA256

    7afaea8d0b8ee68df80874ca6ba0d2e267503cd89e5a5d50d7205db6d11373f2

    SHA512

    4d3caa277a9920ba25dba8d1036246902cedb7e3d85c627759abff086d75afc2267b8f65232a1730d0559c7b894c70f02ce838e281daf8a74d9b6a41e4f8fb2f

  • C:\Users\Admin\AppData\Local\Temp\Log.tmp
    Filesize

    64B

    MD5

    f3584ccae36c311a42d6f94e2a55784f

    SHA1

    26a70b7a353e6b4afa7043521465c4aa80945153

    SHA256

    3253e98d826449817ebea3b5d9e9c770ea96e0e4a1e629b9112058034a18488e

    SHA512

    a3e366ebc159520973485caaf9980a532ca1fdfeb3c1ba1a7316f9c69e2064a4a78bad2349639c0ebcae0adc1d04dcb20c93642855ba85abcc1cc30068b8c88e

  • C:\Users\Admin\AppData\Local\Temp\Log.tmp
    Filesize

    76B

    MD5

    775137813b04c15648648288ae9b1f5f

    SHA1

    1342913a4e2820f61a9a61b27c370efdb129f0a6

    SHA256

    1ed81857d278e02c03e82eb0d0329808be777f96e41e8c9612a376809e9a55ab

    SHA512

    d0f68da3f7d8376ff9556d784873d2fa3b246879306faa1dac36645314d7137d39f759c7358965fa1a40ccad666e79f17cc7f31c9b17da1c8b710be70ac6a50d

  • C:\Users\Admin\AppData\Local\Temp\Log.tmp
    Filesize

    90B

    MD5

    9c42c61d8a97d9ec66f60f809e344b62

    SHA1

    35ac4f1aec3e4249c471a309f864733c0e476aa6

    SHA256

    b4e87f9c0fd2b55123bcfdcfc3ff260bec0b2a5a61ed99a97c934848875963aa

    SHA512

    a088d0752d9d04a91afa5419fedf3170ed8ef2de1fe4eb4f55942cec1b9710d4743ef40cf01bcee32785d6c9c9587604e380dc6dc3839b86f5ae07f5fc0aab32

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v4ad5j3k.qbn.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\huhady.exe
    Filesize

    45KB

    MD5

    6816bd828cec3eb7012a7317bed42155

    SHA1

    29682d363e53e88339361fe541db48ab7232e074

    SHA256

    e6cca25d0b2423b673b8bc8b38ccc048b132613bd7a19afa59dc362a6c990c31

    SHA512

    bdcdd5be61c8093b577fe4b334c5cd7fbff0074557fa2136cefbe1c09cb57b9f51b516f7366a094e4e7a1c2a6d6815884f365fae1679ad11018023effae378c6

  • C:\Users\Admin\AppData\Local\Temp\itpndf.exe
    Filesize

    206KB

    MD5

    0cf4fe7f1d12a7dd703e09dcfd4d733b

    SHA1

    3c01c96d2120c5567e32fcfa293dfa60daeea289

    SHA256

    93c6910f522338836a99a7e52968718656514eed8afed1ce5a1eef8a42e37ce0

    SHA512

    878a54fe636c2ef836db64dd58dad9870827baf3084a6d346ebe35c624a115729f8d0ded4ae1b30c8749dacb2267f7813491e7a23e8f7e320395b85fc7d928cb

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    77KB

    MD5

    b074da06d9857ac5261d62b2446774a4

    SHA1

    7137511fab7f416097aafba40cb0b6becf6c9d6e

    SHA256

    d75b041e9c687214d97c0110be211d91d0242115475171620a8791f6e79bfc58

    SHA512

    04faf087159d02915d9981f4666b2dcc1441f6212f9fe8ef8750e1b69436159ac1063c9a2191f59c77864b7688955e3f5e9db7fe0c5f50791bcbb52c49fa3367

  • memory/764-136-0x0000000000400000-0x0000000000487000-memory.dmp
    Filesize

    540KB

  • memory/764-128-0x0000000000400000-0x0000000000487000-memory.dmp
    Filesize

    540KB

  • memory/1564-53-0x00000240DC570000-0x00000240DC78C000-memory.dmp
    Filesize

    2.1MB

  • memory/1840-18-0x00007FF841560000-0x00007FF842021000-memory.dmp
    Filesize

    10.8MB

  • memory/1840-15-0x00007FF841560000-0x00007FF842021000-memory.dmp
    Filesize

    10.8MB

  • memory/1840-14-0x00007FF841560000-0x00007FF842021000-memory.dmp
    Filesize

    10.8MB

  • memory/1840-10-0x000001FB783E0000-0x000001FB78402000-memory.dmp
    Filesize

    136KB

  • memory/1840-3-0x00007FF841560000-0x00007FF842021000-memory.dmp
    Filesize

    10.8MB

  • memory/3044-58-0x00007FF841563000-0x00007FF841565000-memory.dmp
    Filesize

    8KB

  • memory/3044-0-0x0000000000C60000-0x0000000000C7A000-memory.dmp
    Filesize

    104KB

  • memory/3044-59-0x00007FF841560000-0x00007FF842021000-memory.dmp
    Filesize

    10.8MB

  • memory/3044-137-0x00000000015C0000-0x00000000015CA000-memory.dmp
    Filesize

    40KB

  • memory/3044-2-0x00007FF841560000-0x00007FF842021000-memory.dmp
    Filesize

    10.8MB

  • memory/3044-1-0x00007FF841563000-0x00007FF841565000-memory.dmp
    Filesize

    8KB

  • memory/3044-172-0x00007FF841560000-0x00007FF842021000-memory.dmp
    Filesize

    10.8MB

  • memory/4832-71-0x0000000000490000-0x00000000004A2000-memory.dmp
    Filesize

    72KB