a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-en-20211208
submitted
15-02-2022 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
Size

3.1MB
MD5

a04867c5f9d320599b65764601f975e2
SHA1

6a8377a8b63d8dbaa32c8595c899694a86c4a527
SHA256

a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196
SHA512

c908c0436a6d50a41f26e701f96d3e85fc23ae44c98ef747d6e21d50239c8d41930fea7aefd9178a07bd5372f180a0db0261252f4f7625660a158d207fc0c2f4

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

13 1588 WScript.exe
14 1588 WScript.exe
15 1588 WScript.exe
16 1588 WScript.exe
Executes dropped EXE 2 IoCs

Processes:

clayer.exeforbarvp.exe

pid process

1916 clayer.exe
268 forbarvp.exe

flow	pid	process
13	1588	WScript.exe
14	1588	WScript.exe
15	1588	WScript.exe
16	1588	WScript.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

forbarvp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	forbarvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	forbarvp.exe

Loads dropped DLL 9 IoCs

Processes:

a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.execlayer.exeforbarvp.exe

pid	process
1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
268	forbarvp.exe
268	forbarvp.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe	themida
\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe	themida
\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe	themida
behavioral1/memory/268-70-0x0000000000BE0000-0x00000000012AB000-memory.dmp	themida
behavioral1/memory/268-71-0x0000000000BE0000-0x00000000012AB000-memory.dmp	themida
behavioral1/memory/268-73-0x0000000000BE0000-0x00000000012AB000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

forbarvp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA forbarvp.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

forbarvp.exe

pid process

268 forbarvp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	forbarvp.exe

flow	ioc
4	ip-api.com

pid	process
268	forbarvp.exe

Drops file in Program Files directory 3 IoCs

Processes:

a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

forbarvp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	forbarvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	forbarvp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

clayer.exe

pid process

1916 clayer.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

forbarvp.exe

pid process

268 forbarvp.exe

pid	process
268	forbarvp.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

clayer.exe

pid	process
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

clayer.exe

pid	process
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe
1916	clayer.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exeforbarvp.exe

description	pid	process	target process
PID 1600 wrote to memory of 1916	1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	clayer.exe
PID 1600 wrote to memory of 1916	1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	clayer.exe
PID 1600 wrote to memory of 1916	1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	clayer.exe
PID 1600 wrote to memory of 1916	1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	clayer.exe
PID 1600 wrote to memory of 1916	1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	clayer.exe
PID 1600 wrote to memory of 1916	1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	clayer.exe
PID 1600 wrote to memory of 1916	1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	clayer.exe
PID 1600 wrote to memory of 268	1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	forbarvp.exe
PID 1600 wrote to memory of 268	1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	forbarvp.exe
PID 1600 wrote to memory of 268	1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	forbarvp.exe
PID 1600 wrote to memory of 268	1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	forbarvp.exe
PID 1600 wrote to memory of 268	1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	forbarvp.exe
PID 1600 wrote to memory of 268	1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	forbarvp.exe
PID 1600 wrote to memory of 268	1600	a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe	forbarvp.exe
PID 268 wrote to memory of 1784	268	forbarvp.exe	WScript.exe
PID 268 wrote to memory of 1784	268	forbarvp.exe	WScript.exe
PID 268 wrote to memory of 1784	268	forbarvp.exe	WScript.exe
PID 268 wrote to memory of 1784	268	forbarvp.exe	WScript.exe
PID 268 wrote to memory of 1784	268	forbarvp.exe	WScript.exe
PID 268 wrote to memory of 1784	268	forbarvp.exe	WScript.exe
PID 268 wrote to memory of 1784	268	forbarvp.exe	WScript.exe
PID 268 wrote to memory of 1588	268	forbarvp.exe	WScript.exe
PID 268 wrote to memory of 1588	268	forbarvp.exe	WScript.exe
PID 268 wrote to memory of 1588	268	forbarvp.exe	WScript.exe
PID 268 wrote to memory of 1588	268	forbarvp.exe	WScript.exe
PID 268 wrote to memory of 1588	268	forbarvp.exe	WScript.exe
PID 268 wrote to memory of 1588	268	forbarvp.exe	WScript.exe
PID 268 wrote to memory of 1588	268	forbarvp.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe
"C:\Users\Admin\AppData\Local\Temp\a985e6243988c8f0d6efc9b9688517a1da5ea8b88dab77587865ff60fac98196.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\hempen\clayer.exe
"C:\Users\Admin\AppData\Local\Temp\hempen\clayer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1916

C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe
"C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cpyaxsd.vbs"
3⤵
PID:1784

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pooajhl.vbs"
3⤵
- Blocklisted process makes network request
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cpyaxsd.vbs
MD5
efae82caeffabeeba25e327d1ade9b43

SHA1
e23becfea9a76ecbbce5819e8caa962e15c2036b

SHA256
6fc79d8e720d3461931d289d38a638dcc1b25f5d10ff73f146cdf8526a78510e

SHA512
497cbeb95c212c682c3a2602615d30145ad51898f1aae92b06a6d79616ab9b8f26aef4215df284d8be787aef242d49950386fd425eff76cd7da8c58bf81ad9ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\hempen\clayer.exe
MD5
a9b07ab88765c14f3a37ddaa3548bbea

SHA1
64e57975e760302e17ef0821e208d178035d0d1c

SHA256
8f6ac9c6b7c5b8012b5d47f5d7a0d5dafe0ccd05c6f1d5de1bec2230bd4b1b17

SHA512
eec12c491cbe959227ee064426206da47582a1d0168e9b4de8007068056d0052fc75bd2d792c3779860982c9b159168d9c807af5f40ff606d47c7130ccef2a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\hempen\clayer.exe
MD5
a9b07ab88765c14f3a37ddaa3548bbea

SHA1
64e57975e760302e17ef0821e208d178035d0d1c

SHA256
8f6ac9c6b7c5b8012b5d47f5d7a0d5dafe0ccd05c6f1d5de1bec2230bd4b1b17

SHA512
eec12c491cbe959227ee064426206da47582a1d0168e9b4de8007068056d0052fc75bd2d792c3779860982c9b159168d9c807af5f40ff606d47c7130ccef2a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe
MD5
db9f562738a4cd6adbfde0669264da02

SHA1
350c4acbd7a7b26e3ef5d4aaaecf660c7a8a07d1

SHA256
52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191

SHA512
35b7d1f9f40e49563092c523a0a27554d22e8587e3378aea46711d20c155ac2746d24c19c15c7db3a915480e04ef738d6d19cac6a5ce1c6b881a506b2ee968e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe
MD5
db9f562738a4cd6adbfde0669264da02

SHA1
350c4acbd7a7b26e3ef5d4aaaecf660c7a8a07d1

SHA256
52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191

SHA512
35b7d1f9f40e49563092c523a0a27554d22e8587e3378aea46711d20c155ac2746d24c19c15c7db3a915480e04ef738d6d19cac6a5ce1c6b881a506b2ee968e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pooajhl.vbs
MD5
e5c8a7a1c9a7270f2c2ffe16ccda5252

SHA1
d1f2818cad5de689285d70734a91bd0a1176135b

SHA256
ad2c97470e15c64a276875d2e426e04d4efd99bef0a01b0aa1e78764136e37ce

SHA512
85ab429e811f7594a82bab0e25e174bdb2f2e5d20f725b45201b2eca1f007c14f2e90a5405cf7b50b3ca487ab6c9bf50e6ab84675f6c868fb42eec8386b8e74e

Download Submit
\Users\Admin\AppData\Local\Temp\hempen\clayer.exe
MD5
a9b07ab88765c14f3a37ddaa3548bbea

SHA1
64e57975e760302e17ef0821e208d178035d0d1c

SHA256
8f6ac9c6b7c5b8012b5d47f5d7a0d5dafe0ccd05c6f1d5de1bec2230bd4b1b17

SHA512
eec12c491cbe959227ee064426206da47582a1d0168e9b4de8007068056d0052fc75bd2d792c3779860982c9b159168d9c807af5f40ff606d47c7130ccef2a33

Download Submit
\Users\Admin\AppData\Local\Temp\hempen\clayer.exe
MD5
a9b07ab88765c14f3a37ddaa3548bbea

SHA1
64e57975e760302e17ef0821e208d178035d0d1c

SHA256
8f6ac9c6b7c5b8012b5d47f5d7a0d5dafe0ccd05c6f1d5de1bec2230bd4b1b17

SHA512
eec12c491cbe959227ee064426206da47582a1d0168e9b4de8007068056d0052fc75bd2d792c3779860982c9b159168d9c807af5f40ff606d47c7130ccef2a33

Download Submit
\Users\Admin\AppData\Local\Temp\hempen\clayer.exe
MD5
a9b07ab88765c14f3a37ddaa3548bbea

SHA1
64e57975e760302e17ef0821e208d178035d0d1c

SHA256
8f6ac9c6b7c5b8012b5d47f5d7a0d5dafe0ccd05c6f1d5de1bec2230bd4b1b17

SHA512
eec12c491cbe959227ee064426206da47582a1d0168e9b4de8007068056d0052fc75bd2d792c3779860982c9b159168d9c807af5f40ff606d47c7130ccef2a33

Download Submit
\Users\Admin\AppData\Local\Temp\hempen\clayer.exe
MD5
a9b07ab88765c14f3a37ddaa3548bbea

SHA1
64e57975e760302e17ef0821e208d178035d0d1c

SHA256
8f6ac9c6b7c5b8012b5d47f5d7a0d5dafe0ccd05c6f1d5de1bec2230bd4b1b17

SHA512
eec12c491cbe959227ee064426206da47582a1d0168e9b4de8007068056d0052fc75bd2d792c3779860982c9b159168d9c807af5f40ff606d47c7130ccef2a33

Download Submit
\Users\Admin\AppData\Local\Temp\hempen\clayer.exe
MD5
a9b07ab88765c14f3a37ddaa3548bbea

SHA1
64e57975e760302e17ef0821e208d178035d0d1c

SHA256
8f6ac9c6b7c5b8012b5d47f5d7a0d5dafe0ccd05c6f1d5de1bec2230bd4b1b17

SHA512
eec12c491cbe959227ee064426206da47582a1d0168e9b4de8007068056d0052fc75bd2d792c3779860982c9b159168d9c807af5f40ff606d47c7130ccef2a33

Download Submit
\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe
MD5
db9f562738a4cd6adbfde0669264da02

SHA1
350c4acbd7a7b26e3ef5d4aaaecf660c7a8a07d1

SHA256
52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191

SHA512
35b7d1f9f40e49563092c523a0a27554d22e8587e3378aea46711d20c155ac2746d24c19c15c7db3a915480e04ef738d6d19cac6a5ce1c6b881a506b2ee968e7

Download Submit
\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe
MD5
db9f562738a4cd6adbfde0669264da02

SHA1
350c4acbd7a7b26e3ef5d4aaaecf660c7a8a07d1

SHA256
52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191

SHA512
35b7d1f9f40e49563092c523a0a27554d22e8587e3378aea46711d20c155ac2746d24c19c15c7db3a915480e04ef738d6d19cac6a5ce1c6b881a506b2ee968e7

Download Submit
\Users\Admin\AppData\Local\Temp\hempen\forbarvp.exe
MD5
db9f562738a4cd6adbfde0669264da02

SHA1
350c4acbd7a7b26e3ef5d4aaaecf660c7a8a07d1

SHA256
52ce26bf711a0d2ea410e325fdb0acc1b81d3305c421b0fa2a882780a0c7c191

SHA512
35b7d1f9f40e49563092c523a0a27554d22e8587e3378aea46711d20c155ac2746d24c19c15c7db3a915480e04ef738d6d19cac6a5ce1c6b881a506b2ee968e7

Download Submit
\Users\Admin\AppData\Local\Temp\nsnC8BC.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/268-70-0x0000000000BE0000-0x00000000012AB000-memory.dmp

Filesize
6.8MB

Download
memory/268-71-0x0000000000BE0000-0x00000000012AB000-memory.dmp

Filesize
6.8MB

Download
memory/268-72-0x0000000076F80000-0x0000000076F82000-memory.dmp

Filesize
8KB

Download
memory/268-73-0x0000000000BE0000-0x00000000012AB000-memory.dmp

Filesize
6.8MB

Download
memory/1600-54-0x0000000075471000-0x0000000075473000-memory.dmp

Filesize
8KB

Download
memory/1916-78-0x0000000000402000-0x0000000000404000-memory.dmp

Filesize
8KB

Download
memory/1916-80-0x00000000009F0000-0x0000000000A38000-memory.dmp

Filesize
288KB

Download
memory/1916-79-0x00000000009F0000-0x0000000000A38000-memory.dmp

Filesize
288KB

Download
memory/1916-81-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1916-82-0x00000000009F0000-0x0000000000A38000-memory.dmp

Filesize
288KB

Download