a60f629e541d8a51838e40cb1d207c79ff22b6f59cfb8c4af6496f23e86bfa69

Analysis

max time kernel
53s
max time network
45s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 00:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

proton hair.exe
Size

5.9MB
MD5

7b36a62976cae81fc3e773895a2f09eb
SHA1

e7c4f3d66ccc6fd89d0fce19cf971fc7f1c12b4d
SHA256

a60f629e541d8a51838e40cb1d207c79ff22b6f59cfb8c4af6496f23e86bfa69
SHA512

bca0bd2f8e8ee45dd6aac5d217ed960a1f066b7e3219dbad1ae7965a11613b0177e43bbeea89fec1f8675a926438a59348223b13d55657ee6bb38d7774897750
SSDEEP

98304:vuNcJEmD6vuf5d2yYZYeQjWmVF9yr5Q8CP56v6Egs8BZtZJC9us8NYa5DJS5Nf:1JEmXd2yYmrKmVXyrWtUv6EgFBZt/O84

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	proton hair.exe

Sets service image path in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nkOZbQFcEqheAsOlnYBiJPjgsW\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\nkOZbQFcEqheAsOlnYBiJPjgsW"	sDQ0X.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\EpMtHrvXlqcIgTxpbnvrEe\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\EpMtHrvXlqcIgTxpbnvrEe"	nopfL.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\xwJGbpwHfB\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\xwJGbpwHfB"	oiYnr.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NalDrv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\NalDrv.sys"	4LgnY.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	proton hair.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	proton hair.exe

Executes dropped EXE 4 IoCs

pid	Process
1120	sDQ0X.exe
2688	nopfL.exe
1916	oiYnr.exe
3028	4LgnY.exe

Loads dropped DLL 4 IoCs

pid	Process
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2332	taskmgr.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2284-0-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/2284-3-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/2284-4-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/2284-2-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/2284-6-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/2284-18-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/2284-24-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/2284-49-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/2284-109-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida
behavioral1/memory/2284-119-0x0000000140000000-0x0000000140ED0000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	proton hair.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2284	proton hair.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\Chair.json	proton hair.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\sDQ0X.exe	proton hair.exe
File created	C:\Windows\SoftwareDistribution\Download\pcoUI.sys	proton hair.exe
File created	C:\Windows\SoftwareDistribution\Download\nopfL.exe	proton hair.exe
File created	C:\Windows\SoftwareDistribution\Download\Pm8wg.sys	proton hair.exe
File created	C:\Windows\SoftwareDistribution\Download\oiYnr.exe	proton hair.exe
File created	C:\Windows\SoftwareDistribution\Download\4LgnY.sys	taskmgr.exe
File created	C:\Windows\SoftwareDistribution\Download\4LgnY.exe	taskmgr.exe
File created	C:\Windows\SoftwareDistribution\Download\hOogK.sys	proton hair.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
348	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe
2284	proton hair.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
1120	sDQ0X.exe
2688	nopfL.exe
1916	oiYnr.exe
3028	4LgnY.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1120	sDQ0X.exe
Token: SeLoadDriverPrivilege	2688	nopfL.exe
Token: SeLoadDriverPrivilege	1916	oiYnr.exe
Token: SeDebugPrivilege	348	taskkill.exe
Token: SeDebugPrivilege	2332	taskmgr.exe
Token: SeSystemEnvironmentPrivilege	3028	4LgnY.exe
Token: SeDebugPrivilege	3028	4LgnY.exe
Token: SeLoadDriverPrivilege	3028	4LgnY.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe
2332	taskmgr.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 696	2284	proton hair.exe	32
PID 2284 wrote to memory of 696	2284	proton hair.exe	32
PID 2284 wrote to memory of 696	2284	proton hair.exe	32
PID 696 wrote to memory of 1480	696	cmd.exe	33
PID 696 wrote to memory of 1480	696	cmd.exe	33
PID 696 wrote to memory of 1480	696	cmd.exe	33
PID 696 wrote to memory of 2472	696	cmd.exe	34
PID 696 wrote to memory of 2472	696	cmd.exe	34
PID 696 wrote to memory of 2472	696	cmd.exe	34
PID 696 wrote to memory of 2772	696	cmd.exe	35
PID 696 wrote to memory of 2772	696	cmd.exe	35
PID 696 wrote to memory of 2772	696	cmd.exe	35
PID 2284 wrote to memory of 2768	2284	proton hair.exe	36
PID 2284 wrote to memory of 2768	2284	proton hair.exe	36
PID 2284 wrote to memory of 2768	2284	proton hair.exe	36
PID 2284 wrote to memory of 2868	2284	proton hair.exe	37
PID 2284 wrote to memory of 2868	2284	proton hair.exe	37
PID 2284 wrote to memory of 2868	2284	proton hair.exe	37
PID 2284 wrote to memory of 1120	2284	proton hair.exe	39
PID 2284 wrote to memory of 1120	2284	proton hair.exe	39
PID 2284 wrote to memory of 1120	2284	proton hair.exe	39
PID 2284 wrote to memory of 2688	2284	proton hair.exe	41
PID 2284 wrote to memory of 2688	2284	proton hair.exe	41
PID 2284 wrote to memory of 2688	2284	proton hair.exe	41
PID 2284 wrote to memory of 1916	2284	proton hair.exe	43
PID 2284 wrote to memory of 1916	2284	proton hair.exe	43
PID 2284 wrote to memory of 1916	2284	proton hair.exe	43
PID 2284 wrote to memory of 1896	2284	proton hair.exe	45
PID 2284 wrote to memory of 1896	2284	proton hair.exe	45
PID 2284 wrote to memory of 1896	2284	proton hair.exe	45
PID 1896 wrote to memory of 348	1896	cmd.exe	46
PID 1896 wrote to memory of 348	1896	cmd.exe	46
PID 1896 wrote to memory of 348	1896	cmd.exe	46
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2284 wrote to memory of 2332	2284	proton hair.exe	49
PID 2332 wrote to memory of 3028	2332	taskmgr.exe	50
PID 2332 wrote to memory of 3028	2332	taskmgr.exe	50
PID 2332 wrote to memory of 3028	2332	taskmgr.exe	50

C:\Users\Admin\AppData\Local\Temp\proton hair.exe
"C:\Users\Admin\AppData\Local\Temp\proton hair.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\proton hair.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\proton hair.exe" MD5
    3⤵
    PID:1480
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2472
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2868
- C:\Windows\SoftwareDistribution\Download\sDQ0X.exe
  "C:\Windows\SoftwareDistribution\Download\sDQ0X.exe" -map C:\Windows\SoftwareDistribution\Download\hOogK.sys
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\SoftwareDistribution\Download\nopfL.exe
  "C:\Windows\SoftwareDistribution\Download\nopfL.exe" -map C:\Windows\SoftwareDistribution\Download\pcoUI.sys
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SoftwareDistribution\Download\oiYnr.exe
  "C:\Windows\SoftwareDistribution\Download\oiYnr.exe" -map C:\Windows\SoftwareDistribution\Download\Pm8wg.sys
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM WmiPrvSE.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:348
- C:\Windows\System32\taskmgr.exe
  "C:\Windows\System32\taskmgr.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SoftwareDistribution\Download\4LgnY.exe
    "C:\Windows\SoftwareDistribution\Download\4LgnY.exe" -map C:\Windows\SoftwareDistribution\Download\4LgnY.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SoftwareDistribution\Download\4LgnY.exe

Filesize
260KB

MD5
083c6c05ac5875d0b6e997e894ca07bc

SHA1
69d0116998e8a70db5852fccb86d45975ce88a9a

SHA256
03aefd40698cafbd48138784f362fb9a36f726fb50f262ca40695729f7b553ca

SHA512
fb0b9994f9ddadd825476ed19a8299ef90536dae58b4f3087145ca4033a63d4ae0da944ac8bf4e71324e1b63af755ab1d82019e55de6377b00c9812ed57f3fdf

Download Submit
\Windows\SoftwareDistribution\Download\sDQ0X.exe

Filesize
143KB

MD5
94c281a07f2292e97b30dbc917b48745

SHA1
056e79947f2f87fa2d2c8ce2d3c5a58262296d24

SHA256
6e92e43f2aedb5157d1f4f192eb8fd2c27e445c39b65dd7cca1c9573d0562a26

SHA512
81fd6ed827a68c757247ee7dc9b37847162466adfa29f7c80d99e2f56035614581471566569e16e2d71308982f3756214f2bdada9580e3589ed99bb0f003a8d6

Download Submit
memory/2284-12-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2284-8-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2284-2-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/2284-5-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2284-6-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/2284-7-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2284-14-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2284-9-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2284-10-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2284-11-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2284-4-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/2284-109-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/2284-20-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2284-16-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2284-17-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2284-18-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/2284-13-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2284-24-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/2284-3-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/2284-49-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/2284-0-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/2284-119-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/2284-120-0x0000000077480000-0x0000000077629000-memory.dmp

Filesize
1.7MB

Download
memory/2284-1-0x00000000774D0000-0x00000000774D2000-memory.dmp

Filesize
8KB

Download
memory/2332-81-0x0000000000060000-0x00000000000BA000-memory.dmp

Filesize
360KB

Download
memory/2332-83-0x0000000000060000-0x00000000000BA000-memory.dmp

Filesize
360KB

Download
memory/2332-91-0x0000000000060000-0x00000000000BA000-memory.dmp

Filesize
360KB

Download
memory/2332-90-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2332-87-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2332-85-0x0000000000060000-0x00000000000BA000-memory.dmp

Filesize
360KB

Download
memory/2332-99-0x0000000000060000-0x00000000000BA000-memory.dmp

Filesize
360KB

Download
memory/2332-97-0x0000000000060000-0x00000000000BA000-memory.dmp

Filesize
360KB

Download
memory/2332-95-0x0000000000060000-0x00000000000BA000-memory.dmp

Filesize
360KB

Download
memory/2332-93-0x0000000000060000-0x00000000000BA000-memory.dmp

Filesize
360KB

Download
memory/2332-72-0x0000000000060000-0x00000000000BA000-memory.dmp

Filesize
360KB

Download
memory/2332-110-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2332-111-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2332-112-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download
memory/2332-75-0x0000000000060000-0x00000000000BA000-memory.dmp

Filesize
360KB

Download
memory/2332-77-0x0000000000060000-0x00000000000BA000-memory.dmp

Filesize
360KB

Download
memory/2332-79-0x0000000000060000-0x00000000000BA000-memory.dmp

Filesize
360KB

Download
memory/2332-123-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2332-124-0x0000000140000000-0x0000000140ED0000-memory.dmp

Filesize
14.8MB

Download