26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680

Analysis

max time kernel
148s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
15-02-2022 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
Size

3.1MB
MD5

e02a6d825992d0532b21584beeb2e91a
SHA1

375ddee62c5598026fcb1420dba4273e95cabb8d
SHA256

26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680
SHA512

80bfeb85caa5244d262684d21f02b5ccc2c206b670ae88628badf3104d90c907d211930bf3b7620ad61b4b3b1fedcd9a76c35556ed321766dbfb96cfa95621ba

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

58 1852 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

enmesh.exeflaviavp.exeDpEditor.exe

pid process

5072 enmesh.exe
5036 flaviavp.exe
2080 DpEditor.exe

flow	pid	process
58	1852	WScript.exe

pid	process
5072	enmesh.exe
5036	flaviavp.exe
2080	DpEditor.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

flaviavp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	flaviavp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	flaviavp.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

flaviavp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	flaviavp.exe

Loads dropped DLL 1 IoCs

Processes:

26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe

pid process

732 26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe

pid	process
732	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe	themida
C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe	themida
behavioral2/memory/5036-135-0x0000000000650000-0x0000000000D15000-memory.dmp	themida
behavioral2/memory/5036-136-0x0000000000650000-0x0000000000D15000-memory.dmp	themida
behavioral2/memory/5036-137-0x0000000000650000-0x0000000000D15000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

flaviavp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA flaviavp.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

flaviavp.exe

pid process

5036 flaviavp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	flaviavp.exe

flow	ioc
18	ip-api.com

pid	process
5036	flaviavp.exe

Drops file in Program Files directory 3 IoCs

Processes:

26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
File created	C:\Program Files (x86)\foler\olader\acppage.dll	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe

Drops file in Windows directory 10 IoCs

Processes:

svchost.exeDpEditor.exeTiWorker.exeenmesh.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\	DpEditor.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\	enmesh.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

flaviavp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	flaviavp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	flaviavp.exe

Modifies registry class 1 IoCs

Processes:

flaviavp.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings flaviavp.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

DpEditor.exe

pid process

2080 DpEditor.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

flaviavp.exe

pid process

5036 flaviavp.exe
5036 flaviavp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	flaviavp.exe

pid	process
2080	DpEditor.exe

pid	process
5036	flaviavp.exe
5036	flaviavp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	3016	svchost.exe
Token: SeCreatePagefilePrivilege	3016	svchost.exe
Token: SeShutdownPrivilege	3016	svchost.exe
Token: SeCreatePagefilePrivilege	3016	svchost.exe
Token: SeShutdownPrivilege	3016	svchost.exe
Token: SeCreatePagefilePrivilege	3016	svchost.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe
Token: SeRestorePrivilege	2744	TiWorker.exe
Token: SeSecurityPrivilege	2744	TiWorker.exe
Token: SeBackupPrivilege	2744	TiWorker.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exeflaviavp.exeenmesh.exe

description	pid	process	target process
PID 732 wrote to memory of 5072	732	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	enmesh.exe
PID 732 wrote to memory of 5072	732	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	enmesh.exe
PID 732 wrote to memory of 5072	732	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	enmesh.exe
PID 732 wrote to memory of 5036	732	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	flaviavp.exe
PID 732 wrote to memory of 5036	732	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	flaviavp.exe
PID 732 wrote to memory of 5036	732	26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe	flaviavp.exe
PID 5036 wrote to memory of 2104	5036	flaviavp.exe	WScript.exe
PID 5036 wrote to memory of 2104	5036	flaviavp.exe	WScript.exe
PID 5036 wrote to memory of 2104	5036	flaviavp.exe	WScript.exe
PID 5072 wrote to memory of 2080	5072	enmesh.exe	DpEditor.exe
PID 5072 wrote to memory of 2080	5072	enmesh.exe	DpEditor.exe
PID 5072 wrote to memory of 2080	5072	enmesh.exe	DpEditor.exe
PID 5036 wrote to memory of 1852	5036	flaviavp.exe	WScript.exe
PID 5036 wrote to memory of 1852	5036	flaviavp.exe	WScript.exe
PID 5036 wrote to memory of 1852	5036	flaviavp.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe
"C:\Users\Admin\AppData\Local\Temp\26052e47598d4c3642f18f72b661166ca7cf5c74490f9d9e8f2beca5fce1b680.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:732

C:\Users\Admin\AppData\Local\Temp\geason\enmesh.exe
"C:\Users\Admin\AppData\Local\Temp\geason\enmesh.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5072

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
PID:2080

C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe
"C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bkvpdhbhtrca.vbs"
3⤵
PID:2104

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jenyyvo.vbs"
3⤵
- Blocklisted process makes network request
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5
0eba55cd63e8d506b12a25c740c9ec49

SHA1
dd0c783cb618f98d163b850edae5c0f50ee463d0

SHA256
917315cde7163224e24bed6f36e950c38d725ba07020769a89f572613476d5fa

SHA512
353d04bb205cc7138d43bc4c996787b3137a5a3f0f9c40aceda6f7d31964209bc26405b8c54a87e0c0230df5354f224910fc9997be5a7c143ef4afc46389f43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkvpdhbhtrca.vbs

MD5
e42078cfd0eda5b9618e5642aaf9185c

SHA1
837b437d767f26e280417fc933ba0fafc3eeb27e

SHA256
c31bf0ce789a9f340d94615e902651814fc5c1dce0768cd570e8c66ab797a1ae

SHA512
ac049d2438a5ec05e4132090e59f1b1171b190bb5e2079fcfeec35bfbf6119cb50fe3bdf55d04d7303c052940e11a6bf58517188f7fbfb024542e068db92fcb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\geason\enmesh.exe

MD5
ccbc63bdca7c5436c81f32ccfae9456c

SHA1
1d4c3083166ef769f8f0e4296c9dc8b56b12ba8b

SHA256
2061a4ba324c47bdc95660d47a7ac6b624e01d847ff4170975e7deb28500525a

SHA512
37e1c1c0c922b8f1c1ed37a40b2d5e36f06f7b6d1138abf10b5b97482f9665c6515d837080e99a60251cba6935b087dc704914a7c82364aa2e3b9439ac2a8916

Download Submit
C:\Users\Admin\AppData\Local\Temp\geason\enmesh.exe

MD5
ccbc63bdca7c5436c81f32ccfae9456c

SHA1
1d4c3083166ef769f8f0e4296c9dc8b56b12ba8b

SHA256
2061a4ba324c47bdc95660d47a7ac6b624e01d847ff4170975e7deb28500525a

SHA512
37e1c1c0c922b8f1c1ed37a40b2d5e36f06f7b6d1138abf10b5b97482f9665c6515d837080e99a60251cba6935b087dc704914a7c82364aa2e3b9439ac2a8916

Download Submit
C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe

MD5
9c8142047df3966d72ee64a59b467a29

SHA1
ad46a75ae11827c7776a41662abb7d0ba0d6e33a

SHA256
22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f

SHA512
4761aa85d4afec93f3b829fb9060d9f8af501674398c5764bcaf7bace8a35bef49028d326cbff956127c1600964cfb9a59b19973ca0bad0bcb91833b9bb33bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\geason\flaviavp.exe

MD5
9c8142047df3966d72ee64a59b467a29

SHA1
ad46a75ae11827c7776a41662abb7d0ba0d6e33a

SHA256
22ec2adbd53e81bd8f3a189b5c475ee7078ebe8f79af2771dd4a2d3cfc3fae9f

SHA512
4761aa85d4afec93f3b829fb9060d9f8af501674398c5764bcaf7bace8a35bef49028d326cbff956127c1600964cfb9a59b19973ca0bad0bcb91833b9bb33bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jenyyvo.vbs

MD5
f8c84e40e0b7c5a3e5c1c5cb0c690e99

SHA1
6a74891e352355d0952f0c6fe9c64280edc1fe2a

SHA256
59f8a9d58ff735a42c5bc32710d4dc6b0232a626b8043189d96fe0212796b062

SHA512
b676e8a3c106307085713c571dd7de0d79b470db6a715e9da3888f51cec8bdde4d4541158abf52abdbb976e5b00a0b042b1524a25962e5c765680944544d8b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfA602.tmp\UAC.dll

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
ccbc63bdca7c5436c81f32ccfae9456c

SHA1
1d4c3083166ef769f8f0e4296c9dc8b56b12ba8b

SHA256
2061a4ba324c47bdc95660d47a7ac6b624e01d847ff4170975e7deb28500525a

SHA512
37e1c1c0c922b8f1c1ed37a40b2d5e36f06f7b6d1138abf10b5b97482f9665c6515d837080e99a60251cba6935b087dc704914a7c82364aa2e3b9439ac2a8916

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe

MD5
ccbc63bdca7c5436c81f32ccfae9456c

SHA1
1d4c3083166ef769f8f0e4296c9dc8b56b12ba8b

SHA256
2061a4ba324c47bdc95660d47a7ac6b624e01d847ff4170975e7deb28500525a

SHA512
37e1c1c0c922b8f1c1ed37a40b2d5e36f06f7b6d1138abf10b5b97482f9665c6515d837080e99a60251cba6935b087dc704914a7c82364aa2e3b9439ac2a8916

Download Submit
memory/2080-154-0x0000000002600000-0x0000000002648000-memory.dmp

Filesize
288KB

Download
memory/2080-153-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2080-146-0x000000000045A000-0x000000000045C000-memory.dmp

Filesize
8KB

Download
memory/2080-151-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2080-152-0x000000000045B000-0x000000000045C000-memory.dmp

Filesize
4KB

Download
memory/3016-140-0x00000207FF990000-0x00000207FF9A0000-memory.dmp

Filesize
64KB

Download
memory/3016-141-0x00000207826B0000-0x00000207826B4000-memory.dmp

Filesize
16KB

Download
memory/3016-139-0x00000207FF930000-0x00000207FF940000-memory.dmp

Filesize
64KB

Download
memory/5036-136-0x0000000000650000-0x0000000000D15000-memory.dmp

Filesize
6.8MB

Download
memory/5036-135-0x0000000000650000-0x0000000000D15000-memory.dmp

Filesize
6.8MB

Download
memory/5036-137-0x0000000000650000-0x0000000000D15000-memory.dmp

Filesize
6.8MB

Download
memory/5036-147-0x0000000077B74000-0x0000000077B76000-memory.dmp

Filesize
8KB

Download
memory/5072-145-0x0000000002390000-0x00000000023D8000-memory.dmp

Filesize
288KB

Download
memory/5072-144-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download