98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
Size

2.5MB
MD5

5824a4b66310c7d39e7801ff7e6d0d08
SHA1

88237f48e2ff6d446638d6db16537f1274669130
SHA256

98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f
SHA512

ffe5370847e06b5c81f162ca62998fe0d30981443a753330b5c8de0a09985f0aef2be99992162a81deeae0c22d24b0726b56c79b76598e87953fad03001103fc
SSDEEP

49152:WxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxL:Wxx9NUFkQx753uWuCyyxL

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
2120	explorer.exe
1976	spoolsv.exe
2704	svchost.exe
2860	spoolsv.exe

Loads dropped DLL 4 IoCs

pid	Process
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
2120	explorer.exe
1976	spoolsv.exe
2704	svchost.exe

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1740-0-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/1740-3-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/files/0x000900000001877f-7.dat	themida
behavioral1/memory/2120-12-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/2120-19-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/files/0x000800000001878c-20.dat	themida
behavioral1/memory/1976-25-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/1976-32-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/files/0x000700000001925c-36.dat	themida
behavioral1/memory/2704-38-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/2860-48-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/2860-51-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/1976-53-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/1740-55-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/2120-56-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/2704-57-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/2120-69-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida
behavioral1/memory/2704-80-0x0000000000400000-0x0000000000A0E000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
2120	explorer.exe
1976	spoolsv.exe
2704	svchost.exe
2860	spoolsv.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2616	schtasks.exe
2040	schtasks.exe
1492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2704	svchost.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2120	explorer.exe
2704	svchost.exe
2704	svchost.exe
2120	explorer.exe
2704	svchost.exe
2120	explorer.exe
2120	explorer.exe
2704	svchost.exe
2120	explorer.exe
2704	svchost.exe
2120	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2120	explorer.exe
2704	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
2120	explorer.exe
2120	explorer.exe
1976	spoolsv.exe
1976	spoolsv.exe
2704	svchost.exe
2704	svchost.exe
2860	spoolsv.exe
2860	spoolsv.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2120	1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe	30
PID 1740 wrote to memory of 2120	1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe	30
PID 1740 wrote to memory of 2120	1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe	30
PID 1740 wrote to memory of 2120	1740	98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe	30
PID 2120 wrote to memory of 1976	2120	explorer.exe	31
PID 2120 wrote to memory of 1976	2120	explorer.exe	31
PID 2120 wrote to memory of 1976	2120	explorer.exe	31
PID 2120 wrote to memory of 1976	2120	explorer.exe	31
PID 1976 wrote to memory of 2704	1976	spoolsv.exe	32
PID 1976 wrote to memory of 2704	1976	spoolsv.exe	32
PID 1976 wrote to memory of 2704	1976	spoolsv.exe	32
PID 1976 wrote to memory of 2704	1976	spoolsv.exe	32
PID 2704 wrote to memory of 2860	2704	svchost.exe	33
PID 2704 wrote to memory of 2860	2704	svchost.exe	33
PID 2704 wrote to memory of 2860	2704	svchost.exe	33
PID 2704 wrote to memory of 2860	2704	svchost.exe	33
PID 2120 wrote to memory of 2192	2120	explorer.exe	34
PID 2120 wrote to memory of 2192	2120	explorer.exe	34
PID 2120 wrote to memory of 2192	2120	explorer.exe	34
PID 2120 wrote to memory of 2192	2120	explorer.exe	34
PID 2704 wrote to memory of 2616	2704	svchost.exe	35
PID 2704 wrote to memory of 2616	2704	svchost.exe	35
PID 2704 wrote to memory of 2616	2704	svchost.exe	35
PID 2704 wrote to memory of 2616	2704	svchost.exe	35
PID 2704 wrote to memory of 2040	2704	svchost.exe	39
PID 2704 wrote to memory of 2040	2704	svchost.exe	39
PID 2704 wrote to memory of 2040	2704	svchost.exe	39
PID 2704 wrote to memory of 2040	2704	svchost.exe	39
PID 2704 wrote to memory of 1492	2704	svchost.exe	41
PID 2704 wrote to memory of 1492	2704	svchost.exe	41
PID 2704 wrote to memory of 1492	2704	svchost.exe	41
PID 2704 wrote to memory of 1492	2704	svchost.exe	41

C:\Users\Admin\AppData\Local\Temp\98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe
"C:\Users\Admin\AppData\Local\Temp\98afd4feb9c82d74686199f58b21d0470fe9c7ce6f86bc53ded6b3ac1503ef4f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2120
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2704
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2860
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:33 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2616
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:34 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2040
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:35 /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1492
- - C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe
    3⤵
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\svchost.exe

Filesize
2.5MB

MD5
debb00c5c172e145020d65efb9d2d0d4

SHA1
c9baf155ec5484839c1e9d7c006c8eec39b1af29

SHA256
c2f37b13f7667e46242a36ae9ab7905c89859be931bdaacdb806ede8ac5b657a

SHA512
3483d343c6e04cdc2e46133d4af339d32355ffd741a69a77d4ca5fb792523f17bd7ffa8585b5559d026f048aa665cb2c954680283c0328709b123138858cc7db

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
2.5MB

MD5
86bad5643d61a256dba09219e8244a7a

SHA1
6daa149d0b227c9dfbf0661d400dc3729953f35d

SHA256
02471ab7c03fa3b35bbdbc5da49d9c795c27f46960cc416c51394610c4800c82

SHA512
97941105f9b25dac328f0df8e89c6a999bf02352546684182312c15f938a32b2af8c0ef17ad61b8eaee9d6fefa13f4e7177a412025a94b21d8d911804bcbe7f3

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
2.5MB

MD5
bc5455a948adf6a5c5c23f223c593b88

SHA1
c0dd77e799ede480af3d0addc117595d2947dc35

SHA256
8cf0adcdf338bdb40d6964a55d41fa4f9b881f776cfd188a60f4a3603867bb8d

SHA512
386d84ba2826147a637028e720d04c4957019f0ded2a1164ee1e383bbb6587fbd41215a6adbf9f07efe035feb56969e138da155f45ae8b353dd127a2be2f0ab1

Download Submit
memory/1740-3-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/1740-55-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/1740-11-0x0000000003610000-0x0000000003C1E000-memory.dmp

Filesize
6.1MB

Download
memory/1740-0-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/1976-37-0x0000000003600000-0x0000000003C0E000-memory.dmp

Filesize
6.1MB

Download
memory/1976-25-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/1976-53-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/1976-32-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2120-19-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2120-23-0x0000000003860000-0x0000000003E6E000-memory.dmp

Filesize
6.1MB

Download
memory/2120-12-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2120-56-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2120-58-0x0000000003860000-0x0000000003E6E000-memory.dmp

Filesize
6.1MB

Download
memory/2120-69-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2704-38-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2704-47-0x0000000003140000-0x000000000374E000-memory.dmp

Filesize
6.1MB

Download
memory/2704-57-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2704-80-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2860-48-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download
memory/2860-51-0x0000000000400000-0x0000000000A0E000-memory.dmp

Filesize
6.1MB

Download