a628618f961434862d7ae607e762b29d299ad695648caac0b7c37278b623e373

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad1427f6cca3d14f405f847fdb508efa.exe
Size

2.6MB
MD5

ad1427f6cca3d14f405f847fdb508efa
SHA1

c131531758503e531edfc322048269291d7719c0
SHA256

a628618f961434862d7ae607e762b29d299ad695648caac0b7c37278b623e373
SHA512

905581251e9ddfb451d09a9c07b6e8e5ce73563ca9eb16422d43991613546cb619791c22a18c147af7680a237c0ebeac59427c53dd57b83cf4a9e4cdeb1e2c33
SSDEEP

49152:tU/5M1X4Wl/YvzYCQR9RQs+C40yZpJaD99Gf:tKq4oEa9RQs+Cn4/UKf

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ad1427f6cca3d14f405f847fdb508efa.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ad1427f6cca3d14f405f847fdb508efa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ad1427f6cca3d14f405f847fdb508efa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe

Executes dropped EXE 4 IoCs

pid	Process
2800	explorer.exe
2672	spoolsv.exe
2536	svchost.exe
2780	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
1048	ad1427f6cca3d14f405f847fdb508efa.exe
2800	explorer.exe
2672	spoolsv.exe
2536	svchost.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1048-0-0x0000000000400000-0x0000000000A17000-memory.dmp	themida
behavioral1/files/0x000f0000000122e5-7.dat	themida
behavioral1/memory/2800-11-0x0000000000400000-0x0000000000A17000-memory.dmp	themida
behavioral1/files/0x000f0000000122e5-15.dat	themida
behavioral1/files/0x0030000000015c5b-17.dat	themida
behavioral1/memory/2800-22-0x0000000003520000-0x0000000003B37000-memory.dmp	themida
behavioral1/memory/2672-24-0x0000000000400000-0x0000000000A17000-memory.dmp	themida
behavioral1/files/0x0030000000015c5b-27.dat	themida
behavioral1/files/0x0008000000015cc2-30.dat	themida
behavioral1/memory/2536-35-0x0000000000400000-0x0000000000A17000-memory.dmp	themida
behavioral1/memory/1048-37-0x0000000000400000-0x0000000000A17000-memory.dmp	themida
behavioral1/memory/2780-43-0x0000000000400000-0x0000000000A17000-memory.dmp	themida
behavioral1/memory/2780-48-0x0000000000400000-0x0000000000A17000-memory.dmp	themida
behavioral1/memory/2672-49-0x0000000000400000-0x0000000000A17000-memory.dmp	themida
behavioral1/memory/1048-50-0x0000000000400000-0x0000000000A17000-memory.dmp	themida
behavioral1/memory/2800-51-0x0000000000400000-0x0000000000A17000-memory.dmp	themida
behavioral1/memory/2800-52-0x0000000000400000-0x0000000000A17000-memory.dmp	themida
behavioral1/memory/2536-53-0x0000000000400000-0x0000000000A17000-memory.dmp	themida
behavioral1/memory/2536-55-0x0000000000400000-0x0000000000A17000-memory.dmp	themida
behavioral1/memory/2800-64-0x0000000000400000-0x0000000000A17000-memory.dmp	themida
behavioral1/memory/2536-73-0x0000000000400000-0x0000000000A17000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ad1427f6cca3d14f405f847fdb508efa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1048	ad1427f6cca3d14f405f847fdb508efa.exe
2800	explorer.exe
2672	spoolsv.exe
2536	svchost.exe
2780	spoolsv.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	ad1427f6cca3d14f405f847fdb508efa.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2980	schtasks.exe
3040	schtasks.exe
1940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2800	explorer.exe
2536	svchost.exe
2536	svchost.exe
2800	explorer.exe
2800	explorer.exe
2536	svchost.exe
2800	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2800	explorer.exe
2536	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1048	ad1427f6cca3d14f405f847fdb508efa.exe
1048	ad1427f6cca3d14f405f847fdb508efa.exe
2800	explorer.exe
2800	explorer.exe
2672	spoolsv.exe
2672	spoolsv.exe
2536	svchost.exe
2536	svchost.exe
2780	spoolsv.exe
2780	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2800	1048	ad1427f6cca3d14f405f847fdb508efa.exe	28
PID 1048 wrote to memory of 2800	1048	ad1427f6cca3d14f405f847fdb508efa.exe	28
PID 1048 wrote to memory of 2800	1048	ad1427f6cca3d14f405f847fdb508efa.exe	28
PID 1048 wrote to memory of 2800	1048	ad1427f6cca3d14f405f847fdb508efa.exe	28
PID 2800 wrote to memory of 2672	2800	explorer.exe	29
PID 2800 wrote to memory of 2672	2800	explorer.exe	29
PID 2800 wrote to memory of 2672	2800	explorer.exe	29
PID 2800 wrote to memory of 2672	2800	explorer.exe	29
PID 2672 wrote to memory of 2536	2672	spoolsv.exe	30
PID 2672 wrote to memory of 2536	2672	spoolsv.exe	30
PID 2672 wrote to memory of 2536	2672	spoolsv.exe	30
PID 2672 wrote to memory of 2536	2672	spoolsv.exe	30
PID 2536 wrote to memory of 2780	2536	svchost.exe	31
PID 2536 wrote to memory of 2780	2536	svchost.exe	31
PID 2536 wrote to memory of 2780	2536	svchost.exe	31
PID 2536 wrote to memory of 2780	2536	svchost.exe	31
PID 2800 wrote to memory of 2704	2800	explorer.exe	32
PID 2800 wrote to memory of 2704	2800	explorer.exe	32
PID 2800 wrote to memory of 2704	2800	explorer.exe	32
PID 2800 wrote to memory of 2704	2800	explorer.exe	32
PID 2536 wrote to memory of 2980	2536	svchost.exe	33
PID 2536 wrote to memory of 2980	2536	svchost.exe	33
PID 2536 wrote to memory of 2980	2536	svchost.exe	33
PID 2536 wrote to memory of 2980	2536	svchost.exe	33
PID 2536 wrote to memory of 3040	2536	svchost.exe	38
PID 2536 wrote to memory of 3040	2536	svchost.exe	38
PID 2536 wrote to memory of 3040	2536	svchost.exe	38
PID 2536 wrote to memory of 3040	2536	svchost.exe	38
PID 2536 wrote to memory of 1940	2536	svchost.exe	40
PID 2536 wrote to memory of 1940	2536	svchost.exe	40
PID 2536 wrote to memory of 1940	2536	svchost.exe	40
PID 2536 wrote to memory of 1940	2536	svchost.exe	40

C:\Users\Admin\AppData\Local\Temp\ad1427f6cca3d14f405f847fdb508efa.exe
"C:\Users\Admin\AppData\Local\Temp\ad1427f6cca3d14f405f847fdb508efa.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2800
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2536
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2780
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:03 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2980
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:04 /f
        5⤵
        Creates scheduled task(s)
        
        PID:3040
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:05 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1940
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\spoolsv.exe

Filesize
2.6MB

MD5
22decbad45b551a45193ea3f859129eb

SHA1
de5d47700754c2891f4525c3e21c164817a20c85

SHA256
efbbcc825eceb86535a8a5ecd39b317471b30e4c4bf0014192f0b858d9699b2c

SHA512
095800f0bed6266c1c7eb1e02b62706406c493b2363322f6eede35926a1ffba3dc3d7bbaa60f42f3544a2862077440cb96a444e1a53ee106cdea8d1c12c5f652

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
1.7MB

MD5
93877b66a29abd1270cd01b20c846fc5

SHA1
0c085b0de9f4f392ff81b1e756aaf05111204513

SHA256
0a8fec1559e7246783dee577679c6c899648d97baa605a24156f13d062dc5af0

SHA512
54d985cb83784e614a717d0be3df4e1a0246b4f1425f0a7cf4b8eac4881f5f70ba20128444a18977aefbc02b5b6d5104444645daa21fa71c89b27f06fa4111b8

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
1.7MB

MD5
78b76f7b3d2d342d932254315f901e3d

SHA1
c447b631b935902d081225fad3098baa40bcf21c

SHA256
28efd42f78360229973fc5ab2bb2ff2d659ed169e3a11c0ec835748f019406f3

SHA512
46a99d49f3de8330c7f8dc334500f1a11cfa8ceb75e75318b3c0807a8aba47f6e6b89c74d46e87465d7db4c5a0668d1aaf1cdaf811734410ee361a46ddc3e369

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
2.6MB

MD5
ddb087430c0fa0bca8357f701763b61e

SHA1
3a52de00094da0c458c222d750b90fd05bb28cb8

SHA256
dd633a70f13544242cc2cbc3ca2078036f7d8abb1ac715bc79e37e0f6fa50bfc

SHA512
e5fe029721619e560311e9550be40490099d1e7ac8654a96e9fee2f0708a365e48dd7a5d88a75db6ff9c58442b5096d3fe876d0b7a9f564ad499fbcc4a830c3c

Download Submit
\Windows\Resources\svchost.exe

Filesize
2.6MB

MD5
250bca199bc8381a2c4db7c3befef848

SHA1
db7b471a1a4c3d1b8c24588872bf36f1a959ea42

SHA256
b4e668e43d88f109ba178e4d0b955c3ae4c127dad24441d16cf1636b4da6d080

SHA512
113eca3fe2711aa58e1becef1fd09dcb9f5b3a5768da2c4106c21c98b141ebed6671e8efc6a01455c7447ab317f18ec35875e1f7334a9f8d0ae15cf5b7b6c007

Download Submit
memory/1048-47-0x0000000003450000-0x0000000003A67000-memory.dmp

Filesize
6.1MB

Download
memory/1048-0-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/1048-1-0x0000000077A40000-0x0000000077A42000-memory.dmp

Filesize
8KB

Download
memory/1048-37-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/1048-50-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/2536-53-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/2536-73-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/2536-55-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/2536-35-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/2672-24-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/2672-49-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/2672-33-0x00000000032F0000-0x0000000003907000-memory.dmp

Filesize
6.1MB

Download
memory/2780-48-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/2780-43-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/2800-22-0x0000000003520000-0x0000000003B37000-memory.dmp

Filesize
6.1MB

Download
memory/2800-52-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/2800-51-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/2800-64-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/2800-11-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download