4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247

Analysis

max time kernel
118s
max time network
139s
platform
windows7_x64
resource
win7-en-20211208
submitted
15-02-2022 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe
Size

5.9MB
MD5

3919bb58a275715604a36797fce5cc4f
SHA1

60c6d11d0401ecf45b760a6c52b947ccca821d8a
SHA256

4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247
SHA512

8af2d40ee99a7ba9a0b7cc8786cf627cab03a5dd7f85cb12a3dc72de678a33094b16a74fb69f7ad98d29a4ec158b312b3fc2749087268a91f83dc825b40c39a7

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

13 1768 WScript.exe
14 1768 WScript.exe
15 1768 WScript.exe
16 1768 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

searer.exeturneyvp.exeIntelRapid.exe

pid process

772 searer.exe
1348 turneyvp.exe
1852 IntelRapid.exe

flow	pid	process
13	1768	WScript.exe
14	1768	WScript.exe
15	1768	WScript.exe
16	1768	WScript.exe

pid	process
772	searer.exe
1348	turneyvp.exe
1852	IntelRapid.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

searer.exeturneyvp.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	searer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	turneyvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	turneyvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	searer.exe

Drops startup file 1 IoCs

Processes:

searer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk searer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	searer.exe

Loads dropped DLL 9 IoCs

Processes:

4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exeturneyvp.exesearer.exe

pid	process
1908	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe
1908	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe
1908	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe
1908	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe
1348	turneyvp.exe
1348	turneyvp.exe
772	searer.exe
772	searer.exe
772	searer.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\droopt\searer.exe	themida
\Users\Admin\AppData\Local\Temp\droopt\searer.exe	themida
C:\Users\Admin\AppData\Local\Temp\droopt\searer.exe	themida
\Users\Admin\AppData\Local\Temp\droopt\turneyvp.exe	themida
behavioral1/memory/772-61-0x000000013FBA0000-0x00000001404B7000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\droopt\turneyvp.exe	themida
behavioral1/memory/772-62-0x000000013FBA0000-0x00000001404B7000-memory.dmp	themida
\Users\Admin\AppData\Local\Temp\droopt\turneyvp.exe	themida
\Users\Admin\AppData\Local\Temp\droopt\turneyvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\droopt\turneyvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\droopt\searer.exe	themida
behavioral1/memory/1348-73-0x0000000000360000-0x00000000009D8000-memory.dmp	themida
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral1/memory/1348-71-0x0000000000360000-0x00000000009D8000-memory.dmp	themida
behavioral1/memory/1348-75-0x0000000000360000-0x00000000009D8000-memory.dmp	themida
behavioral1/memory/1348-76-0x0000000000360000-0x00000000009D8000-memory.dmp	themida
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral1/memory/1852-80-0x000000013F6D0000-0x000000013FFE7000-memory.dmp	themida
behavioral1/memory/1852-81-0x000000013F6D0000-0x000000013FFE7000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

searer.exeturneyvp.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	searer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	turneyvp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

searer.exeturneyvp.exeIntelRapid.exe

pid process

772 searer.exe
1348 turneyvp.exe
1852 IntelRapid.exe

flow	ioc
4	ip-api.com

pid	process
772	searer.exe
1348	turneyvp.exe
1852	IntelRapid.exe

Drops file in Program Files directory 3 IoCs

Processes:

4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

turneyvp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	turneyvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	turneyvp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

1852 IntelRapid.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

turneyvp.exe

pid process

1348 turneyvp.exe

pid	process
1852	IntelRapid.exe

pid	process
1348	turneyvp.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exesearer.exeturneyvp.exe

description	pid	process	target process
PID 1908 wrote to memory of 772	1908	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe	searer.exe
PID 1908 wrote to memory of 772	1908	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe	searer.exe
PID 1908 wrote to memory of 772	1908	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe	searer.exe
PID 1908 wrote to memory of 772	1908	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe	searer.exe
PID 1908 wrote to memory of 1348	1908	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe	turneyvp.exe
PID 1908 wrote to memory of 1348	1908	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe	turneyvp.exe
PID 1908 wrote to memory of 1348	1908	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe	turneyvp.exe
PID 1908 wrote to memory of 1348	1908	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe	turneyvp.exe
PID 1908 wrote to memory of 1348	1908	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe	turneyvp.exe
PID 1908 wrote to memory of 1348	1908	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe	turneyvp.exe
PID 1908 wrote to memory of 1348	1908	4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe	turneyvp.exe
PID 772 wrote to memory of 1852	772	searer.exe	IntelRapid.exe
PID 772 wrote to memory of 1852	772	searer.exe	IntelRapid.exe
PID 772 wrote to memory of 1852	772	searer.exe	IntelRapid.exe
PID 1348 wrote to memory of 1736	1348	turneyvp.exe	WScript.exe
PID 1348 wrote to memory of 1736	1348	turneyvp.exe	WScript.exe
PID 1348 wrote to memory of 1736	1348	turneyvp.exe	WScript.exe
PID 1348 wrote to memory of 1736	1348	turneyvp.exe	WScript.exe
PID 1348 wrote to memory of 1736	1348	turneyvp.exe	WScript.exe
PID 1348 wrote to memory of 1736	1348	turneyvp.exe	WScript.exe
PID 1348 wrote to memory of 1736	1348	turneyvp.exe	WScript.exe
PID 1348 wrote to memory of 1768	1348	turneyvp.exe	WScript.exe
PID 1348 wrote to memory of 1768	1348	turneyvp.exe	WScript.exe
PID 1348 wrote to memory of 1768	1348	turneyvp.exe	WScript.exe
PID 1348 wrote to memory of 1768	1348	turneyvp.exe	WScript.exe
PID 1348 wrote to memory of 1768	1348	turneyvp.exe	WScript.exe
PID 1348 wrote to memory of 1768	1348	turneyvp.exe	WScript.exe
PID 1348 wrote to memory of 1768	1348	turneyvp.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe
"C:\Users\Admin\AppData\Local\Temp\4faac433dc2e0494006797d9888d12bd9a53e0f0492774b8f69ddcf0a5f70247.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\droopt\searer.exe
"C:\Users\Admin\AppData\Local\Temp\droopt\searer.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
PID:1852

C:\Users\Admin\AppData\Local\Temp\droopt\turneyvp.exe
"C:\Users\Admin\AppData\Local\Temp\droopt\turneyvp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\gfowgpxduny.vbs"
3⤵
PID:1736

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\umkrrqapt.vbs"
3⤵
- Blocklisted process makes network request
PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\droopt\searer.exe

MD5
c43f57a26092d31ef02696f8850b4960

SHA1
5fd387f4f5d73fd84a28c121bff7e0d05b42789e

SHA256
dce6b541c822235cc52b2ba927e40fa39bfcbdab834870936dee131785994d93

SHA512
a17253d004d8b6e355e49d32d0997636291935936a85656fef0686ba7585af314a275f51bf89c7687c51b7e791e7391d60166da187b43e5b54af0d4cbf33b76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\droopt\searer.exe

MD5
c43f57a26092d31ef02696f8850b4960

SHA1
5fd387f4f5d73fd84a28c121bff7e0d05b42789e

SHA256
dce6b541c822235cc52b2ba927e40fa39bfcbdab834870936dee131785994d93

SHA512
a17253d004d8b6e355e49d32d0997636291935936a85656fef0686ba7585af314a275f51bf89c7687c51b7e791e7391d60166da187b43e5b54af0d4cbf33b76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\droopt\turneyvp.exe

MD5
17e6b50e6b3bd0ed3c3d7bb319e5c3bb

SHA1
5ee76f504a953ce4d801100a1621033e6c4fe3f6

SHA256
561986fd98e2ef79cfab1b7c0ebc4185d4c1b0f101ff10fc086d30fb6f02d283

SHA512
6db1eb445485889795196cd87c6631b08b3a9da7c2ca37b7bf806b44ff6f5f37715d2fef6cc29e5a7b5c3995d011b0c610ff7c73a41a5f466f7d9fbe1705920f

Download Submit
C:\Users\Admin\AppData\Local\Temp\droopt\turneyvp.exe

MD5
17e6b50e6b3bd0ed3c3d7bb319e5c3bb

SHA1
5ee76f504a953ce4d801100a1621033e6c4fe3f6

SHA256
561986fd98e2ef79cfab1b7c0ebc4185d4c1b0f101ff10fc086d30fb6f02d283

SHA512
6db1eb445485889795196cd87c6631b08b3a9da7c2ca37b7bf806b44ff6f5f37715d2fef6cc29e5a7b5c3995d011b0c610ff7c73a41a5f466f7d9fbe1705920f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gfowgpxduny.vbs

MD5
cf2fe4dbec3c7059e82bcef131db3dbb

SHA1
ab3b6c94e5193207341df371cffeeecf5a85c395

SHA256
098b505475c371fc99171775ac000ac159c1571a266c59d7c3154a3e9de8297c

SHA512
04671106f27e816f7d7efa4239aac7505a0696db91bce6f8d8a3838f4f78564b6415d60409d4de7c8f12e958dbef82f51ab7117d6b67dd3b8b9e40c97aad2cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\umkrrqapt.vbs

MD5
ef3fa9e1964b0ca2915f473b925ae050

SHA1
bb0c85060df2287b035a438d2d67b2ec6e8a0ad4

SHA256
498e0dcd816a3ca8396e8b4bc14df925a06c8e21252e968c98e568dec67b2f23

SHA512
b83eb9bc8521f5408ff067ed7604f20693f69f2890bae33ad80009f6557e42d1ca69335f4347ff8dc98715c998683179c6fe32569ae548891943b098c5a2308b

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

MD5
c43f57a26092d31ef02696f8850b4960

SHA1
5fd387f4f5d73fd84a28c121bff7e0d05b42789e

SHA256
dce6b541c822235cc52b2ba927e40fa39bfcbdab834870936dee131785994d93

SHA512
a17253d004d8b6e355e49d32d0997636291935936a85656fef0686ba7585af314a275f51bf89c7687c51b7e791e7391d60166da187b43e5b54af0d4cbf33b76c

Download Submit
\Users\Admin\AppData\Local\Temp\droopt\searer.exe

MD5
c43f57a26092d31ef02696f8850b4960

SHA1
5fd387f4f5d73fd84a28c121bff7e0d05b42789e

SHA256
dce6b541c822235cc52b2ba927e40fa39bfcbdab834870936dee131785994d93

SHA512
a17253d004d8b6e355e49d32d0997636291935936a85656fef0686ba7585af314a275f51bf89c7687c51b7e791e7391d60166da187b43e5b54af0d4cbf33b76c

Download Submit
\Users\Admin\AppData\Local\Temp\droopt\searer.exe

MD5
c43f57a26092d31ef02696f8850b4960

SHA1
5fd387f4f5d73fd84a28c121bff7e0d05b42789e

SHA256
dce6b541c822235cc52b2ba927e40fa39bfcbdab834870936dee131785994d93

SHA512
a17253d004d8b6e355e49d32d0997636291935936a85656fef0686ba7585af314a275f51bf89c7687c51b7e791e7391d60166da187b43e5b54af0d4cbf33b76c

Download Submit
\Users\Admin\AppData\Local\Temp\droopt\turneyvp.exe

MD5
17e6b50e6b3bd0ed3c3d7bb319e5c3bb

SHA1
5ee76f504a953ce4d801100a1621033e6c4fe3f6

SHA256
561986fd98e2ef79cfab1b7c0ebc4185d4c1b0f101ff10fc086d30fb6f02d283

SHA512
6db1eb445485889795196cd87c6631b08b3a9da7c2ca37b7bf806b44ff6f5f37715d2fef6cc29e5a7b5c3995d011b0c610ff7c73a41a5f466f7d9fbe1705920f

Download Submit
\Users\Admin\AppData\Local\Temp\droopt\turneyvp.exe

MD5
17e6b50e6b3bd0ed3c3d7bb319e5c3bb

SHA1
5ee76f504a953ce4d801100a1621033e6c4fe3f6

SHA256
561986fd98e2ef79cfab1b7c0ebc4185d4c1b0f101ff10fc086d30fb6f02d283

SHA512
6db1eb445485889795196cd87c6631b08b3a9da7c2ca37b7bf806b44ff6f5f37715d2fef6cc29e5a7b5c3995d011b0c610ff7c73a41a5f466f7d9fbe1705920f

Download Submit
\Users\Admin\AppData\Local\Temp\droopt\turneyvp.exe

MD5
17e6b50e6b3bd0ed3c3d7bb319e5c3bb

SHA1
5ee76f504a953ce4d801100a1621033e6c4fe3f6

SHA256
561986fd98e2ef79cfab1b7c0ebc4185d4c1b0f101ff10fc086d30fb6f02d283

SHA512
6db1eb445485889795196cd87c6631b08b3a9da7c2ca37b7bf806b44ff6f5f37715d2fef6cc29e5a7b5c3995d011b0c610ff7c73a41a5f466f7d9fbe1705920f

Download Submit
\Users\Admin\AppData\Local\Temp\nso6C5B.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

MD5
c43f57a26092d31ef02696f8850b4960

SHA1
5fd387f4f5d73fd84a28c121bff7e0d05b42789e

SHA256
dce6b541c822235cc52b2ba927e40fa39bfcbdab834870936dee131785994d93

SHA512
a17253d004d8b6e355e49d32d0997636291935936a85656fef0686ba7585af314a275f51bf89c7687c51b7e791e7391d60166da187b43e5b54af0d4cbf33b76c

Download Submit
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

MD5
c43f57a26092d31ef02696f8850b4960

SHA1
5fd387f4f5d73fd84a28c121bff7e0d05b42789e

SHA256
dce6b541c822235cc52b2ba927e40fa39bfcbdab834870936dee131785994d93

SHA512
a17253d004d8b6e355e49d32d0997636291935936a85656fef0686ba7585af314a275f51bf89c7687c51b7e791e7391d60166da187b43e5b54af0d4cbf33b76c

Download Submit
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe

MD5
c43f57a26092d31ef02696f8850b4960

SHA1
5fd387f4f5d73fd84a28c121bff7e0d05b42789e

SHA256
dce6b541c822235cc52b2ba927e40fa39bfcbdab834870936dee131785994d93

SHA512
a17253d004d8b6e355e49d32d0997636291935936a85656fef0686ba7585af314a275f51bf89c7687c51b7e791e7391d60166da187b43e5b54af0d4cbf33b76c

Download Submit
memory/772-62-0x000000013FBA0000-0x00000001404B7000-memory.dmp

Filesize
9.1MB

Download
memory/772-70-0x000007FEFBE21000-0x000007FEFBE23000-memory.dmp

Filesize
8KB

Download
memory/772-61-0x000000013FBA0000-0x00000001404B7000-memory.dmp

Filesize
9.1MB

Download
memory/772-68-0x00000000775F0000-0x00000000775F2000-memory.dmp

Filesize
8KB

Download
memory/1348-73-0x0000000000360000-0x00000000009D8000-memory.dmp

Filesize
6.5MB

Download
memory/1348-71-0x0000000000360000-0x00000000009D8000-memory.dmp

Filesize
6.5MB

Download
memory/1348-75-0x0000000000360000-0x00000000009D8000-memory.dmp

Filesize
6.5MB

Download
memory/1348-76-0x0000000000360000-0x00000000009D8000-memory.dmp

Filesize
6.5MB

Download
memory/1348-72-0x0000000077790000-0x0000000077792000-memory.dmp

Filesize
8KB

Download
memory/1852-80-0x000000013F6D0000-0x000000013FFE7000-memory.dmp

Filesize
9.1MB

Download
memory/1852-81-0x000000013F6D0000-0x000000013FFE7000-memory.dmp

Filesize
9.1MB

Download
memory/1908-55-0x0000000076731000-0x0000000076733000-memory.dmp

Filesize
8KB

Download