49a3b199025018458e69db1fcf9db5b7f9dd1f9e825c5ed94caff4103ad4fa0b

Resubmissions

01-07-2022 14:29

220701-rtnqfsgbcp 9

01-07-2022 12:59

220701-p717lafbf4 9

Analysis

max time kernel
11s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-07-2022 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38e3ff2c1ad395cc854e2b620adc1a0f.exe
Size

7.6MB
MD5

38e3ff2c1ad395cc854e2b620adc1a0f
SHA1

ff1f4c054615337476ec558d22c69f578c5a9af2
SHA256

49a3b199025018458e69db1fcf9db5b7f9dd1f9e825c5ed94caff4103ad4fa0b
SHA512

0bd5b7b8dd03f9099504d6271e2bcd4aac0fd8a24b6097ac71ce33328bf4e7c305183919c40c1a64271eebf48643040ad4d0f0311bcd04a5143f237e39f16d98

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 38e3ff2c1ad395cc854e2b620adc1a0f.exe
Executes dropped EXE 2 IoCs

Processes:

update.exeSecurityHealthService32.exe

pid process

2040 update.exe
1152 SecurityHealthService32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	38e3ff2c1ad395cc854e2b620adc1a0f.exe

pid	process
2040	update.exe
1152	SecurityHealthService32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	38e3ff2c1ad395cc854e2b620adc1a0f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	38e3ff2c1ad395cc854e2b620adc1a0f.exe

Deletes itself 1 IoCs

Processes:

update.exe

pid process

2040 update.exe
Loads dropped DLL 2 IoCs

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exeupdate.exe

pid process

1180 38e3ff2c1ad395cc854e2b620adc1a0f.exe
2040 update.exe

pid	process
2040	update.exe

pid	process
1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe
2040	update.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1180-55-0x00000000011C0000-0x0000000001DFB000-memory.dmp	themida
behavioral1/memory/1180-56-0x00000000011C0000-0x0000000001DFB000-memory.dmp	themida
behavioral1/memory/1180-57-0x00000000011C0000-0x0000000001DFB000-memory.dmp	themida
behavioral1/memory/1180-58-0x00000000011C0000-0x0000000001DFB000-memory.dmp	themida
behavioral1/memory/1180-59-0x00000000011C0000-0x0000000001DFB000-memory.dmp	themida
behavioral1/memory/1180-83-0x00000000011C0000-0x0000000001DFB000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	38e3ff2c1ad395cc854e2b620adc1a0f.exe

Drops file in Windows directory 3 IoCs

Processes:

SecurityHealthService32.exeupdate.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe	SecurityHealthService32.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe	SecurityHealthService32.exe
File created	C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe	update.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

update.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	update.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	update.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	update.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\update.exe = "11001"	update.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SecurityHealthService32.exe

pid process

1152 SecurityHealthService32.exe
1152 SecurityHealthService32.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exe

pid process

1180 38e3ff2c1ad395cc854e2b620adc1a0f.exe

pid	process
1152	SecurityHealthService32.exe
1152	SecurityHealthService32.exe

pid	process
1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

38e3ff2c1ad395cc854e2b620adc1a0f.exeupdate.exe

description	pid	process	target process
PID 1180 wrote to memory of 2040	1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1180 wrote to memory of 2040	1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1180 wrote to memory of 2040	1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1180 wrote to memory of 2040	1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1180 wrote to memory of 2040	1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1180 wrote to memory of 2040	1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1180 wrote to memory of 2040	1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1180 wrote to memory of 2040	1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1180 wrote to memory of 2040	1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1180 wrote to memory of 2040	1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1180 wrote to memory of 2040	1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1180 wrote to memory of 2040	1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1180 wrote to memory of 2040	1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 1180 wrote to memory of 2040	1180	38e3ff2c1ad395cc854e2b620adc1a0f.exe	update.exe
PID 2040 wrote to memory of 816	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 816	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 816	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 816	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1664	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1664	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1664	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1664	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1948	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1948	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1948	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1948	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 688	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 688	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 688	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 688	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1200	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1200	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1200	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1200	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1088	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1088	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1088	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1088	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1868	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1868	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1868	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1868	2040	update.exe	powershell.exe
PID 2040 wrote to memory of 1152	2040	update.exe	SecurityHealthService32.exe
PID 2040 wrote to memory of 1152	2040	update.exe	SecurityHealthService32.exe
PID 2040 wrote to memory of 1152	2040	update.exe	SecurityHealthService32.exe
PID 2040 wrote to memory of 1152	2040	update.exe	SecurityHealthService32.exe

C:\Users\Admin\AppData\Local\Temp\38e3ff2c1ad395cc854e2b620adc1a0f.exe
"C:\Users\Admin\AppData\Local\Temp\38e3ff2c1ad395cc854e2b620adc1a0f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionProcess "SecurityHealthService.exe"
3⤵
PID:816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionProcess "SecurityHealthServiceManager.exe"
3⤵
PID:1948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionProcess "SecurityHealthService32.exe"
3⤵
PID:1664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64"
3⤵
PID:1200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\System32"
3⤵
PID:688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\Temp"
3⤵
PID:1868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath "C:\Windows\SysWOW64\Tasks\Microsoft\Windows"
3⤵
PID:1088

C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
"C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1152

C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe
"C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe"
4⤵
PID:1548

C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
"C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe"
5⤵
PID:280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.exe
Filesize
7.3MB

MD5
41f159509017d234e08eb4f820bab935

SHA1
1c27a70f922a95f66f58d8e4b7e91d92c84da6e3

SHA256
4460dd8114b5609ea4e9644a659de0f5b188696d27dc8846d633628b3ade7c31

SHA512
0fdbad1473708fbf1116638195881026caab40a5b64ab31ca25a027af81189bf94af403d5b1c35c5561970adaeef648b8ed5ef8c3ba63b163e931787e82636ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe
Filesize
7.3MB

MD5
41f159509017d234e08eb4f820bab935

SHA1
1c27a70f922a95f66f58d8e4b7e91d92c84da6e3

SHA256
4460dd8114b5609ea4e9644a659de0f5b188696d27dc8846d633628b3ade7c31

SHA512
0fdbad1473708fbf1116638195881026caab40a5b64ab31ca25a027af81189bf94af403d5b1c35c5561970adaeef648b8ed5ef8c3ba63b163e931787e82636ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1b7f4d3010e4feb4e7135745a6179729

SHA1
fb7d4928d5dafdc2b736424cab4728fb3905e6e3

SHA256
d896d38ecc7e9d006d4bf6b536f47110fbe8f5eea513544e908afccecaf82ea8

SHA512
a7e192325ce6b71aa2c9841c520e4e54c73aeeb7b5b97fc90b8bff15335558e58520f21d029b9f7b2a8878e0ce4bf8566c4d43e59381ad98185bcef5a719bbfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1b7f4d3010e4feb4e7135745a6179729

SHA1
fb7d4928d5dafdc2b736424cab4728fb3905e6e3

SHA256
d896d38ecc7e9d006d4bf6b536f47110fbe8f5eea513544e908afccecaf82ea8

SHA512
a7e192325ce6b71aa2c9841c520e4e54c73aeeb7b5b97fc90b8bff15335558e58520f21d029b9f7b2a8878e0ce4bf8566c4d43e59381ad98185bcef5a719bbfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1b7f4d3010e4feb4e7135745a6179729

SHA1
fb7d4928d5dafdc2b736424cab4728fb3905e6e3

SHA256
d896d38ecc7e9d006d4bf6b536f47110fbe8f5eea513544e908afccecaf82ea8

SHA512
a7e192325ce6b71aa2c9841c520e4e54c73aeeb7b5b97fc90b8bff15335558e58520f21d029b9f7b2a8878e0ce4bf8566c4d43e59381ad98185bcef5a719bbfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1b7f4d3010e4feb4e7135745a6179729

SHA1
fb7d4928d5dafdc2b736424cab4728fb3905e6e3

SHA256
d896d38ecc7e9d006d4bf6b536f47110fbe8f5eea513544e908afccecaf82ea8

SHA512
a7e192325ce6b71aa2c9841c520e4e54c73aeeb7b5b97fc90b8bff15335558e58520f21d029b9f7b2a8878e0ce4bf8566c4d43e59381ad98185bcef5a719bbfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1b7f4d3010e4feb4e7135745a6179729

SHA1
fb7d4928d5dafdc2b736424cab4728fb3905e6e3

SHA256
d896d38ecc7e9d006d4bf6b536f47110fbe8f5eea513544e908afccecaf82ea8

SHA512
a7e192325ce6b71aa2c9841c520e4e54c73aeeb7b5b97fc90b8bff15335558e58520f21d029b9f7b2a8878e0ce4bf8566c4d43e59381ad98185bcef5a719bbfa

Download Submit
C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
C:\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
C:\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe
Filesize
7.3MB

MD5
41f159509017d234e08eb4f820bab935

SHA1
1c27a70f922a95f66f58d8e4b7e91d92c84da6e3

SHA256
4460dd8114b5609ea4e9644a659de0f5b188696d27dc8846d633628b3ade7c31

SHA512
0fdbad1473708fbf1116638195881026caab40a5b64ab31ca25a027af81189bf94af403d5b1c35c5561970adaeef648b8ed5ef8c3ba63b163e931787e82636ab

Download Submit
\Windows\ServiceProfiles\LocalService\SecurityHealthService32.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
\Windows\ServiceProfiles\NetworkService\Downloads\DiscordUpdate.exe
Filesize
485KB

MD5
242bc7c5c924f53af3d876624f802be8

SHA1
ce435b3ca9982de65635c9a4e912b9f1b5961f4c

SHA256
a92019f29ffade45a834433ab66a80ced9bf24e15825b118f08bc5f5f8b17045

SHA512
bdcb899814595c2e42775dd4916e7328ad1797c7e2326a875610256461655c1b3127a42eeadc749c1704165d18e90c769b64ecac9f87f0c79d399aba787907a6

Download Submit
memory/280-109-0x0000000000000000-mapping.dmp

Download
memory/688-89-0x0000000000000000-mapping.dmp

Download
memory/816-86-0x0000000000000000-mapping.dmp

Download
memory/1088-91-0x0000000000000000-mapping.dmp

Download
memory/1088-115-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/1152-101-0x0000000000000000-mapping.dmp

Download
memory/1180-83-0x00000000011C0000-0x0000000001DFB000-memory.dmp

Filesize
12.2MB

Download
memory/1180-59-0x00000000011C0000-0x0000000001DFB000-memory.dmp

Filesize
12.2MB

Download
memory/1180-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

Filesize
8KB

Download
memory/1180-58-0x00000000011C0000-0x0000000001DFB000-memory.dmp

Filesize
12.2MB

Download
memory/1180-57-0x00000000011C0000-0x0000000001DFB000-memory.dmp

Filesize
12.2MB

Download
memory/1180-56-0x00000000011C0000-0x0000000001DFB000-memory.dmp

Filesize
12.2MB

Download
memory/1180-55-0x00000000011C0000-0x0000000001DFB000-memory.dmp

Filesize
12.2MB

Download
memory/1200-90-0x0000000000000000-mapping.dmp

Download
memory/1200-119-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/1548-105-0x0000000000000000-mapping.dmp

Download
memory/1664-87-0x0000000000000000-mapping.dmp

Download
memory/1664-120-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/1868-92-0x0000000000000000-mapping.dmp

Download
memory/1868-114-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/1948-88-0x0000000000000000-mapping.dmp

Download
memory/1948-116-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-71-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/2040-68-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/2040-75-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/2040-73-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/2040-72-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/2040-79-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/2040-70-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/2040-77-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/2040-66-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/2040-81-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/2040-62-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/2040-84-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/2040-117-0x0000000010000000-0x0000000010085000-memory.dmp

Filesize
532KB

Download
memory/2040-118-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download
memory/2040-61-0x0000000000000000-mapping.dmp

Download
memory/2040-85-0x000000007DD60000-0x000000007DE70000-memory.dmp

Filesize
1.1MB

Download