e934ef0b1bad86d0a8d2a08a90b64b309404b2983649f8e34d400704ce8c65c0

Resubmissions

21/07/2024, 05:03

240721-fprqrsvcjf 9

18/05/2024, 00:50

240518-a7abjsca2z 9

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
18/05/2024, 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CardingMachine.exe
Size

615.1MB
MD5

796c4e013accc1d47e263f2438248e5e
SHA1

dbca3bb74c9715a4b21259fa644a39a59bb438a7
SHA256

e934ef0b1bad86d0a8d2a08a90b64b309404b2983649f8e34d400704ce8c65c0
SHA512

5ae71ea3ac4f15c6143a424e1e2491294e5f2e5508ca4c05b6fa2676634140ec03e27b698ab0378726b421369e36988f56e016e145ba10b2d517577a00de926c
SSDEEP

49152:lNjqYcOatzfsFfG/oDx4tDhdLDG15f9pTo0trQyYxQw:lNjFcOaxYG/M43HA5fVt8Q

Score

9^/10

evasion execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CardingMachine.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
540	powershell.exe
348	powershell.exe
2860	powershell.exe
2288	powershell.exe
2560	powershell.exe
2036	powershell.exe
1468	powershell.exe
1864	powershell.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CardingMachine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	CardingMachine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe

Executes dropped EXE 3 IoCs

pid	Process
2912	ULEXPY.exe
2076	ULEXPY.exe
2116	ULEXPY.exe

Loads dropped DLL 1 IoCs

pid	Process
2428	cmd.exe

Themida packer 27 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2084-0-0x00000000000F0000-0x0000000000773000-memory.dmp	themida
behavioral1/memory/2084-3-0x00000000000F0000-0x0000000000773000-memory.dmp	themida
behavioral1/memory/2084-6-0x00000000000F0000-0x0000000000773000-memory.dmp	themida
behavioral1/memory/2084-4-0x00000000000F0000-0x0000000000773000-memory.dmp	themida
behavioral1/memory/2084-5-0x00000000000F0000-0x0000000000773000-memory.dmp	themida
behavioral1/memory/2084-2-0x00000000000F0000-0x0000000000773000-memory.dmp	themida
behavioral1/memory/2084-26-0x00000000000F0000-0x0000000000773000-memory.dmp	themida
behavioral1/memory/2912-30-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2912-33-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2912-34-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2912-32-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2912-31-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2912-45-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2076-50-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2076-51-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2076-54-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2076-56-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2076-52-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2076-53-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2912-68-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2912-69-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2116-75-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2116-76-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2116-77-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2116-78-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2116-79-0x00000000000C0000-0x0000000000743000-memory.dmp	themida
behavioral1/memory/2116-80-0x00000000000C0000-0x0000000000743000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CardingMachine.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2084	CardingMachine.exe
2912	ULEXPY.exe
2076	ULEXPY.exe
2116	ULEXPY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2156	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2356	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2036	powershell.exe
2560	powershell.exe
1864	powershell.exe
1468	powershell.exe
540	powershell.exe
348	powershell.exe
2288	powershell.exe
2860	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2036	2084	CardingMachine.exe	28
PID 2084 wrote to memory of 2036	2084	CardingMachine.exe	28
PID 2084 wrote to memory of 2036	2084	CardingMachine.exe	28
PID 2084 wrote to memory of 2036	2084	CardingMachine.exe	28
PID 2084 wrote to memory of 2560	2084	CardingMachine.exe	30
PID 2084 wrote to memory of 2560	2084	CardingMachine.exe	30
PID 2084 wrote to memory of 2560	2084	CardingMachine.exe	30
PID 2084 wrote to memory of 2560	2084	CardingMachine.exe	30
PID 2084 wrote to memory of 2428	2084	CardingMachine.exe	32
PID 2084 wrote to memory of 2428	2084	CardingMachine.exe	32
PID 2084 wrote to memory of 2428	2084	CardingMachine.exe	32
PID 2084 wrote to memory of 2428	2084	CardingMachine.exe	32
PID 2428 wrote to memory of 2356	2428	cmd.exe	34
PID 2428 wrote to memory of 2356	2428	cmd.exe	34
PID 2428 wrote to memory of 2356	2428	cmd.exe	34
PID 2428 wrote to memory of 2356	2428	cmd.exe	34
PID 2428 wrote to memory of 2912	2428	cmd.exe	35
PID 2428 wrote to memory of 2912	2428	cmd.exe	35
PID 2428 wrote to memory of 2912	2428	cmd.exe	35
PID 2428 wrote to memory of 2912	2428	cmd.exe	35
PID 2912 wrote to memory of 1864	2912	ULEXPY.exe	36
PID 2912 wrote to memory of 1864	2912	ULEXPY.exe	36
PID 2912 wrote to memory of 1864	2912	ULEXPY.exe	36
PID 2912 wrote to memory of 1864	2912	ULEXPY.exe	36
PID 2912 wrote to memory of 1468	2912	ULEXPY.exe	38
PID 2912 wrote to memory of 1468	2912	ULEXPY.exe	38
PID 2912 wrote to memory of 1468	2912	ULEXPY.exe	38
PID 2912 wrote to memory of 1468	2912	ULEXPY.exe	38
PID 2912 wrote to memory of 2156	2912	ULEXPY.exe	40
PID 2912 wrote to memory of 2156	2912	ULEXPY.exe	40
PID 2912 wrote to memory of 2156	2912	ULEXPY.exe	40
PID 2912 wrote to memory of 2156	2912	ULEXPY.exe	40
PID 2024 wrote to memory of 2076	2024	taskeng.exe	45
PID 2024 wrote to memory of 2076	2024	taskeng.exe	45
PID 2024 wrote to memory of 2076	2024	taskeng.exe	45
PID 2024 wrote to memory of 2076	2024	taskeng.exe	45
PID 2076 wrote to memory of 540	2076	ULEXPY.exe	46
PID 2076 wrote to memory of 540	2076	ULEXPY.exe	46
PID 2076 wrote to memory of 540	2076	ULEXPY.exe	46
PID 2076 wrote to memory of 540	2076	ULEXPY.exe	46
PID 2076 wrote to memory of 348	2076	ULEXPY.exe	48
PID 2076 wrote to memory of 348	2076	ULEXPY.exe	48
PID 2076 wrote to memory of 348	2076	ULEXPY.exe	48
PID 2076 wrote to memory of 348	2076	ULEXPY.exe	48
PID 2024 wrote to memory of 2116	2024	taskeng.exe	50
PID 2024 wrote to memory of 2116	2024	taskeng.exe	50
PID 2024 wrote to memory of 2116	2024	taskeng.exe	50
PID 2024 wrote to memory of 2116	2024	taskeng.exe	50
PID 2116 wrote to memory of 2860	2116	ULEXPY.exe	51
PID 2116 wrote to memory of 2860	2116	ULEXPY.exe	51
PID 2116 wrote to memory of 2860	2116	ULEXPY.exe	51
PID 2116 wrote to memory of 2860	2116	ULEXPY.exe	51
PID 2116 wrote to memory of 2288	2116	ULEXPY.exe	52
PID 2116 wrote to memory of 2288	2116	ULEXPY.exe	52
PID 2116 wrote to memory of 2288	2116	ULEXPY.exe	52
PID 2116 wrote to memory of 2288	2116	ULEXPY.exe	52

C:\Users\Admin\AppData\Local\Temp\CardingMachine.exe
"C:\Users\Admin\AppData\Local\Temp\CardingMachine.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\s1lw.0.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2356
- - C:\ProgramData\software\ULEXPY.exe
    "C:\ProgramData\software\ULEXPY.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1864
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1468
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "ULEXPY" /tr C:\ProgramData\software\ULEXPY.exe /f
      4⤵
      Creates scheduled task(s)
      PID:2156

C:\Windows\system32\taskeng.exe
taskeng.exe {5F556CA2-21A6-417F-9AF1-D21DF2465722} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\ProgramData\software\ULEXPY.exe
  C:\ProgramData\software\ULEXPY.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:348
- C:\ProgramData\software\ULEXPY.exe
  C:\ProgramData\software\ULEXPY.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\s1lw.0.bat

Filesize
174B

MD5
9eec50ca85a330d5fc88acc5044b6293

SHA1
f3ea690ffc8111883a66cd36ba98a7ae6d98d337

SHA256
2a64a7762bfbd92e79d250e8192f2d0d04ca3fc0c07668d044b0b9657e0196dd

SHA512
31ae2997ba2380e625b868cd78931a792eb77df25305596c67e1ce34c8b7a3b590168b333335a50b1861066ec89be7124d4f47b3b96206265d971bbded488c13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7RBY7X48LMVGVQAUOS22.temp

Filesize
7KB

MD5
aea396fd2e65bfcbcf5b372b6a139814

SHA1
3ba53042de77e78dacf9f5b8376de6ce33271d75

SHA256
7661ba0bb74a8a29e815f5ce0fb945d7a71445cd1c12ad0c00732a1e8f8685aa

SHA512
59f6e36e789f1520575643da47b9c48f11aa8353110a25f1483d3a44b8650f0cac1dda28020a6b19728aa93bce7438d5274d9208008817974ca59b3df577a059

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6792f322e612770362f954e8cbda01c1

SHA1
71c7e214beaf65f315b1245dfd20aebdfd5cdd00

SHA256
7f821ee7e3ee3973bab2d77e2c5023622d83ac559dfc95bb85ba9c7a42eb2e62

SHA512
b9dd20182db72de870987331267aa60544eeebabbfd449195df38dca52eac56796ad0948718aa35938bd1eff319926d1c78fcc9d48ac0f2c952b8fbf133624eb

Download Submit
memory/2076-50-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2076-53-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2076-52-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2076-56-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2076-54-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2076-51-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2084-26-0x00000000000F0000-0x0000000000773000-memory.dmp

Filesize
6.5MB

Download
memory/2084-1-0x00000000772B0000-0x00000000772B2000-memory.dmp

Filesize
8KB

Download
memory/2084-3-0x00000000000F0000-0x0000000000773000-memory.dmp

Filesize
6.5MB

Download
memory/2084-6-0x00000000000F0000-0x0000000000773000-memory.dmp

Filesize
6.5MB

Download
memory/2084-4-0x00000000000F0000-0x0000000000773000-memory.dmp

Filesize
6.5MB

Download
memory/2084-5-0x00000000000F0000-0x0000000000773000-memory.dmp

Filesize
6.5MB

Download
memory/2084-2-0x00000000000F0000-0x0000000000773000-memory.dmp

Filesize
6.5MB

Download
memory/2084-0-0x00000000000F0000-0x0000000000773000-memory.dmp

Filesize
6.5MB

Download
memory/2116-75-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2116-76-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2116-80-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2116-79-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2116-78-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2116-77-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2912-32-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2912-69-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2912-33-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2912-68-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2912-34-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2912-30-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2912-31-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download
memory/2912-45-0x00000000000C0000-0x0000000000743000-memory.dmp

Filesize
6.5MB

Download