e9c4e47b26d88a24036a8718f3ebeb0da76e1cf9c340784d7c05fcef45a2fcc7

Analysis

max time kernel
142s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 02:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

79674ae8e6bcee87ad8395f1cacf96a7.exe
Size

15.0MB
MD5

79674ae8e6bcee87ad8395f1cacf96a7
SHA1

929b0a98269efe5bfe8dff3c429355788903f5fb
SHA256

e9c4e47b26d88a24036a8718f3ebeb0da76e1cf9c340784d7c05fcef45a2fcc7
SHA512

5b93cb0dfadf86c76ce2ade9609161ab5ce1b05795a04868ef61153cd9aa0c92c8aa79cc3b20e4473b49d8941c42ad889d2ef6e56fbf1b6b93cf835d31dff58a
SSDEEP

393216:P6aB8giQFMCylttxx1s4/a4DVx4WIWgy8xPro6sxKbVl2WPp7PEco+:P6y8gNFaDrx1s4ZzIth183Gl2WPpYq

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	79674ae8e6bcee87ad8395f1cacf96a7.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\w32time\Parameters\ServiceDll = "C:\\Windows\\system32\\w32time.DLL"	w32tm.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	79674ae8e6bcee87ad8395f1cacf96a7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	79674ae8e6bcee87ad8395f1cacf96a7.exe

Themida packer 15 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2620-0-0x000000013F160000-0x0000000141739000-memory.dmp	themida
behavioral1/memory/2620-2-0x000000013F160000-0x0000000141739000-memory.dmp	themida
behavioral1/memory/2620-3-0x000000013F160000-0x0000000141739000-memory.dmp	themida
behavioral1/memory/2620-4-0x000000013F160000-0x0000000141739000-memory.dmp	themida
behavioral1/memory/2620-5-0x000000013F160000-0x0000000141739000-memory.dmp	themida
behavioral1/memory/2620-6-0x000000013F160000-0x0000000141739000-memory.dmp	themida
behavioral1/memory/2620-7-0x000000013F160000-0x0000000141739000-memory.dmp	themida
behavioral1/memory/2620-8-0x000000013F160000-0x0000000141739000-memory.dmp	themida
behavioral1/memory/2620-9-0x000000013F160000-0x0000000141739000-memory.dmp	themida
behavioral1/memory/2620-10-0x000000013F160000-0x0000000141739000-memory.dmp	themida
behavioral1/memory/2620-19-0x000000013F160000-0x0000000141739000-memory.dmp	themida
behavioral1/memory/2620-23-0x000000013F160000-0x0000000141739000-memory.dmp	themida
behavioral1/memory/2620-30-0x000000013F160000-0x0000000141739000-memory.dmp	themida
behavioral1/memory/2620-76-0x000000013F160000-0x0000000141739000-memory.dmp	themida
behavioral1/memory/2620-93-0x000000013F160000-0x0000000141739000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	79674ae8e6bcee87ad8395f1cacf96a7.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2620	79674ae8e6bcee87ad8395f1cacf96a7.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\ReadyBoot\ReadyBoot.etl	powershell.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot	powershell.exe
File opened for modification	C:\Windows\Prefetch\CLRGC.EXE-5D5B90F5.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\DRVINST.EXE-4CB4314A.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\PfSvPerfStats.bin	powershell.exe
File opened for modification	C:\Windows\Prefetch\REG.EXE-E7E8BD26.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-863AA78D.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-860C49A4.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\TASKHOST.EXE-7238F31D.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-2CD59FDD.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\AgAppLaunch.db	powershell.exe
File opened for modification	C:\Windows\Prefetch\AgGlGlobalHistory.db	powershell.exe
File opened for modification	C:\Windows\Prefetch\AgRobust.db	powershell.exe
File opened for modification	C:\Windows\Prefetch\BFSVC.EXE-9C7A4DEE.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\MSCORSVW.EXE-245ED79E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\NETSH.EXE-F1B6DA12.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\NTOSBOOT-B00DFAAD.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SPPSVC.EXE-B0F8131B.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\AgGlFaultHistory.db	powershell.exe
File opened for modification	C:\Windows\Prefetch\AgGlFgAppHistory.db	powershell.exe
File opened for modification	C:\Windows\Prefetch\CMD.EXE-4A81B364.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SETUPUGC.EXE-E3C49C28.pf	powershell.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1888	sc.exe
2728	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2780	powershell.exe
760	powershell.exe
1360	powershell.exe
2072	powershell.exe
292	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	292	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2620	79674ae8e6bcee87ad8395f1cacf96a7.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2780	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	28
PID 2620 wrote to memory of 2780	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	28
PID 2620 wrote to memory of 2780	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	28
PID 2620 wrote to memory of 2904	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	31
PID 2620 wrote to memory of 2904	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	31
PID 2620 wrote to memory of 2904	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	31
PID 2904 wrote to memory of 2816	2904	net.exe	32
PID 2904 wrote to memory of 2816	2904	net.exe	32
PID 2904 wrote to memory of 2816	2904	net.exe	32
PID 2620 wrote to memory of 2696	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	33
PID 2620 wrote to memory of 2696	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	33
PID 2620 wrote to memory of 2696	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	33
PID 2620 wrote to memory of 2544	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	36
PID 2620 wrote to memory of 2544	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	36
PID 2620 wrote to memory of 2544	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	36
PID 2620 wrote to memory of 2432	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	37
PID 2620 wrote to memory of 2432	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	37
PID 2620 wrote to memory of 2432	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	37
PID 2620 wrote to memory of 1888	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	40
PID 2620 wrote to memory of 1888	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	40
PID 2620 wrote to memory of 1888	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	40
PID 2620 wrote to memory of 2728	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	42
PID 2620 wrote to memory of 2728	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	42
PID 2620 wrote to memory of 2728	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	42
PID 2620 wrote to memory of 760	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	45
PID 2620 wrote to memory of 760	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	45
PID 2620 wrote to memory of 760	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	45
PID 2620 wrote to memory of 1360	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	47
PID 2620 wrote to memory of 1360	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	47
PID 2620 wrote to memory of 1360	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	47
PID 2620 wrote to memory of 2072	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	50
PID 2620 wrote to memory of 2072	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	50
PID 2620 wrote to memory of 2072	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	50
PID 2620 wrote to memory of 292	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	48
PID 2620 wrote to memory of 292	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	48
PID 2620 wrote to memory of 292	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	48
PID 2620 wrote to memory of 2156	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	53
PID 2620 wrote to memory of 2156	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	53
PID 2620 wrote to memory of 2156	2620	79674ae8e6bcee87ad8395f1cacf96a7.exe	53

C:\Users\Admin\AppData\Local\Temp\79674ae8e6bcee87ad8395f1cacf96a7.exe
"C:\Users\Admin\AppData\Local\Temp\79674ae8e6bcee87ad8395f1cacf96a7.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\79674ae8e6bcee87ad8395f1cacf96a7.exe.bak' -force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\system32\net.exe
  net stop w32time
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop w32time
    3⤵
    PID:2816
- C:\Windows\system32\w32tm.exe
  w32tm /unregister
  2⤵
  PID:2696
- C:\Windows\system32\w32tm.exe
  w32tm /register
  2⤵
  - Sets DLL path for service in the registry
  PID:2544
- C:\Windows\system32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:2432
- C:\Windows\system32\sc.exe
  sc stop "PcaSvc"
  2⤵
  - Launches sc.exe
  PID:1888
- C:\Windows\system32\sc.exe
  sc config "PcaSvc" start=disabled
  2⤵
  - Launches sc.exe
  PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell (GWMI Win32_Processor).VirtualizationFirmwareEnabled
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "$env:firmware_type"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "confirm-securebootuefi"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2620 -s 676
  2⤵
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7a9e65453ca1bbbe80883811efc531bf

SHA1
89c72758015dfd55e29f323f5018bfcab285e8e0

SHA256
ddf6cc3bb26d61e2b2a34fe5a95806f2804cf480866f3cfdb0fb57b974350321

SHA512
32f2e305be6697d6578654d9ba913a55ae20670920d2954cef3e69239632312182448c3c99f6bfbdae94be4172a80a394d9bcc9070ee15843fef1a75419baae8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7a9e65453ca1bbbe80883811efc531bf

SHA1
89c72758015dfd55e29f323f5018bfcab285e8e0

SHA256
ddf6cc3bb26d61e2b2a34fe5a95806f2804cf480866f3cfdb0fb57b974350321

SHA512
32f2e305be6697d6578654d9ba913a55ae20670920d2954cef3e69239632312182448c3c99f6bfbdae94be4172a80a394d9bcc9070ee15843fef1a75419baae8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UWAO12OQ4AGROCYB4656.temp

Filesize
7KB

MD5
7a9e65453ca1bbbe80883811efc531bf

SHA1
89c72758015dfd55e29f323f5018bfcab285e8e0

SHA256
ddf6cc3bb26d61e2b2a34fe5a95806f2804cf480866f3cfdb0fb57b974350321

SHA512
32f2e305be6697d6578654d9ba913a55ae20670920d2954cef3e69239632312182448c3c99f6bfbdae94be4172a80a394d9bcc9070ee15843fef1a75419baae8

Download Submit
memory/292-90-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/292-88-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/292-85-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/292-84-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/292-72-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/292-71-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/292-67-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/760-78-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/760-46-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/760-92-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/760-79-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/760-77-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/760-74-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/760-53-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/760-52-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/760-51-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/760-50-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/760-47-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/760-49-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/760-48-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/1360-82-0x0000000001F40000-0x0000000001FC0000-memory.dmp

Filesize
512KB

Download
memory/1360-80-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/1360-94-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/1360-91-0x0000000001F40000-0x0000000001FC0000-memory.dmp

Filesize
512KB

Download
memory/1360-70-0x0000000001F40000-0x0000000001FC0000-memory.dmp

Filesize
512KB

Download
memory/1360-73-0x0000000001F40000-0x0000000001FC0000-memory.dmp

Filesize
512KB

Download
memory/1360-64-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/2072-87-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/2072-81-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/2072-83-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/2072-86-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/2072-65-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/2072-66-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/2072-75-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/2072-68-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/2072-69-0x00000000023C0000-0x0000000002440000-memory.dmp

Filesize
512KB

Download
memory/2072-89-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-3-0x000000013F160000-0x0000000141739000-memory.dmp

Filesize
37.8MB

Download
memory/2620-8-0x000000013F160000-0x0000000141739000-memory.dmp

Filesize
37.8MB

Download
memory/2620-6-0x000000013F160000-0x0000000141739000-memory.dmp

Filesize
37.8MB

Download
memory/2620-7-0x000000013F160000-0x0000000141739000-memory.dmp

Filesize
37.8MB

Download
memory/2620-15-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download
memory/2620-76-0x000000013F160000-0x0000000141739000-memory.dmp

Filesize
37.8MB

Download
memory/2620-5-0x000000013F160000-0x0000000141739000-memory.dmp

Filesize
37.8MB

Download
memory/2620-0-0x000000013F160000-0x0000000141739000-memory.dmp

Filesize
37.8MB

Download
memory/2620-93-0x000000013F160000-0x0000000141739000-memory.dmp

Filesize
37.8MB

Download
memory/2620-30-0x000000013F160000-0x0000000141739000-memory.dmp

Filesize
37.8MB

Download
memory/2620-9-0x000000013F160000-0x0000000141739000-memory.dmp

Filesize
37.8MB

Download
memory/2620-37-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Filesize
64KB

Download
memory/2620-1-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download
memory/2620-4-0x000000013F160000-0x0000000141739000-memory.dmp

Filesize
37.8MB

Download
memory/2620-10-0x000000013F160000-0x0000000141739000-memory.dmp

Filesize
37.8MB

Download
memory/2620-19-0x000000013F160000-0x0000000141739000-memory.dmp

Filesize
37.8MB

Download
memory/2620-23-0x000000013F160000-0x0000000141739000-memory.dmp

Filesize
37.8MB

Download
memory/2620-2-0x000000013F160000-0x0000000141739000-memory.dmp

Filesize
37.8MB

Download
memory/2780-20-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2780-21-0x0000000002A14000-0x0000000002A17000-memory.dmp

Filesize
12KB

Download
memory/2780-16-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/2780-17-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2780-18-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2780-22-0x0000000002A1B000-0x0000000002A82000-memory.dmp

Filesize
412KB

Download