xmrig | 8f4c3348423dbc5dadff663216b4b015109535a06e5a81fb7cb3993a90ff26c5

Analysis

max time kernel
7s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3554553.exe
Size

4.5MB
MD5

25a1e0a4d436eea408e79a07f45ff684
SHA1

da6fbf78868b855451769fb1255f7c2cdef66ace
SHA256

8f4c3348423dbc5dadff663216b4b015109535a06e5a81fb7cb3993a90ff26c5
SHA512

f7d17b6ce23042d30d9f9bad91684e627b1f8f9bb79ec2c67c3b79791f5444a2fabdcccee48ef3335df3a262060a7300d32aa81a36a1e48fc4299b6668e91df5
SSDEEP

98304:pKF6T4Y6cTie8X081BO2hVvXMtld70frtH1EOq+kYc6EPGo7v4+uT:QFrdSiekO2XvXMtld7WkYc6EC+uT

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/3052-89-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3052-92-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3052-93-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3052-94-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3052-96-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3052-95-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3052-90-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3052-98-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3052-99-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	3554553.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	2311.exe

Executes dropped EXE 3 IoCs

pid	Process
4260	2311.exe
3968	115.exe
4592	Firefox.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3052-87-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3052-88-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3052-89-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3052-92-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3052-93-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3052-94-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3052-96-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3052-95-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3052-90-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3052-86-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3052-85-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3052-84-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3052-98-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3052-99-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	115.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1068	sc.exe
2044	sc.exe
4608	sc.exe
4472	sc.exe
2832	sc.exe
2136	sc.exe
2404	sc.exe
2600	sc.exe
1908	sc.exe
2796	sc.exe
1084	sc.exe
3680	sc.exe
3052	sc.exe
1072	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3968	115.exe
2144	powershell.exe
2144	powershell.exe
3968	115.exe
3968	115.exe
3968	115.exe
3968	115.exe
3968	115.exe
3968	115.exe
3968	115.exe
3968	115.exe
3968	115.exe
3968	115.exe
3968	115.exe
3968	115.exe
3968	115.exe
3968	115.exe
4592	Firefox.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeShutdownPrivilege	3088	powercfg.exe
Token: SeCreatePagefilePrivilege	3088	powercfg.exe
Token: SeShutdownPrivilege	3476	powercfg.exe
Token: SeCreatePagefilePrivilege	3476	powercfg.exe
Token: SeShutdownPrivilege	3488	powercfg.exe
Token: SeCreatePagefilePrivilege	3488	powercfg.exe
Token: SeShutdownPrivilege	2216	powercfg.exe
Token: SeCreatePagefilePrivilege	2216	powercfg.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1776	1296	3554553.exe	90
PID 1296 wrote to memory of 1776	1296	3554553.exe	90
PID 1296 wrote to memory of 1776	1296	3554553.exe	90
PID 1776 wrote to memory of 4260	1776	cmd.exe	94
PID 1776 wrote to memory of 4260	1776	cmd.exe	94
PID 1776 wrote to memory of 4260	1776	cmd.exe	94
PID 4260 wrote to memory of 3968	4260	2311.exe	96
PID 4260 wrote to memory of 3968	4260	2311.exe	96
PID 3188 wrote to memory of 1212	3188	cmd.exe	151
PID 3188 wrote to memory of 1212	3188	cmd.exe	151

C:\Users\Admin\AppData\Local\Temp\3554553.exe
"C:\Users\Admin\AppData\Local\Temp\3554553.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\2121.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Users\Admin\AppData\Roaming\2311.exe
    2311 -p123 -dC:\Users\Admin\AppData\Roaming
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Users\Admin\AppData\Roaming\115.exe
      "C:\Users\Admin\AppData\Roaming\115.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:3968
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "Firefox"
        5⤵
        Launches sc.exe
        
        PID:2404
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:2044
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "Firefox" binpath= "C:\ProgramData\Firefox.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:3680
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "Firefox"
        5⤵
        Launches sc.exe
        
        PID:2796
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3088
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:4472
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:2832
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:3052
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1084
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2136
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3188

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
1⤵
PID:2740

C:\ProgramData\Firefox.exe
C:\ProgramData\Firefox.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4592
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:3052
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2220
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:4652
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:1724
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:4224
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:2672
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1072
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1068
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2600
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1908
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3564

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:1972

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Firefox.exe

Filesize
254KB

MD5
ee5eb1cf7d80bb34b11cda0d57a32ff2

SHA1
f114cda7b458ffb4300c4c33d5764c9a5ec34ff9

SHA256
6431260cead616e966eb209a1702226e39734d9163c7c837572054ffcf5fcfe4

SHA512
a232f927aa7ecc129e88f1144083bda76c46ea8f362b2e94485660b85c1c0fb0e7a55422141d6f8bb5f7bfe2673a0d48273058c39e4009be3078a4aaf4831c63

Download Submit
C:\ProgramData\Firefox.exe

Filesize
154KB

MD5
604294a19c8fba713542284a4a8c8217

SHA1
ae711cc3c0ed78b228e5ac3a6f4e8172bbf21242

SHA256
555b8838c9c20fddfbda5566e2a4e2b73b4e24422ecfecebb04164f4fb1f4eb1

SHA512
5d76e76451646fd5af2a1ca76664938d9bce8d0efc8e162d5695377615cec3f9b5c9927c34787ce53483ee61310de45fd449879e1ae453203e4c22e4eaad014d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phaaw3ah.ope.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\115.exe

Filesize
1.3MB

MD5
c1747716d00dc8fdff521a111c3c55ae

SHA1
52e0d57d31415f808da761fe89244e6577a11230

SHA256
eea5ec2ac8b73894b1921ae8bf7c389641f8b4f13866678b5354fa3b024b80c7

SHA512
2faca631865d2186913cfbdd42c570e76ac298e64201c16fe2b2abe30aba9f314e0c37afdd033fd775624b36ef181bade063f6de043864cbd67caadfcf7572c7

Download Submit
C:\Users\Admin\AppData\Roaming\115.exe

Filesize
948KB

MD5
3ee13ba7beb11c596e4b69b54969ecf9

SHA1
9724e82bfff7d605a424f4ff480bca21a271bdd1

SHA256
8f51082336dd9a36cd38b7a4f803a6ac4a162d6789786a424450db40d5a16977

SHA512
7223ef6610b5f4bcf8fd7d0f8893a53ca3260558007cb0f31fc9da3d2ea9f1637dcfa135d24fffa8a34c229bc2395ac79dee6bb1e09fd3e24bba138cda4556a7

Download Submit
C:\Users\Admin\AppData\Roaming\115.exe

Filesize
1.4MB

MD5
5ffc1adce12ed6a08bc49640d0247036

SHA1
cdbf266eb1e0d49c2d8789541a14d88893781173

SHA256
9a894cfae9b83cad7ce24f975571ff4f9ccf9b06fd07f47e15ea98ae3c6e0974

SHA512
c919a239597525bc15b13c0b31cae9bb9bc1c70ef19fd9c6f08f3bd7e95ae1c7da348c82fd87ff2d280e6d048e1aaaeb605a9e03419243d9ef85d0c0447967ba

Download Submit
C:\Users\Admin\AppData\Roaming\2121.bat

Filesize
22B

MD5
124010ee831f1263a1bfff78fe7c5e1d

SHA1
ab25a327d550aa8ac3b616d1cd9e91cf4a9179d0

SHA256
9ffca63f74d789d6857d3b48855eb8cedbf37265739556983f519c75b4a2d903

SHA512
ea99fdc3ca643e4d3dcd7c7ef17ad1fcb47463c8e123e0954b33ce8279d3b43e728635372c6fefc3b63b268df0268a2105503dd258d33002047beb6a9f4323eb

Download Submit
C:\Users\Admin\AppData\Roaming\2311.exe

Filesize
1.1MB

MD5
c091532e0d22a9c4f6112f91a55b4a36

SHA1
374f2bf4fcd3abb1f6e79c53672658aad25b840c

SHA256
c5421a5f08c54202b0a4441f59973a4e3958e7040414909f2531d10abaf8eb81

SHA512
c4a10c9dcc48b8d8ee487ee0d4bba2c9f9c91dacda6eaeab870af2ebf782a61703c6a6ca9f8cd10a07211b30645ca1e493410c117951e22f6a9f2666dd8d21a4

Download Submit
C:\Users\Admin\AppData\Roaming\2311.exe

Filesize
1024KB

MD5
f6396d8b126a227dbdd002d7a2370c4c

SHA1
794436b86f606d2fd057d81013d39cddfa8858bf

SHA256
5db4096c34bb4f8bf470b7adfa4beab13e99ed96d276512c8b6b56d94920334c

SHA512
b666cf46a1224b0340a0113defeec72db282af37c056ef65a19f879a37d6b72321c7bc23ef2afe485ba150497aec221489388f1bc946f12f62002b4895a597fb

Download Submit
memory/2144-32-0x00007FF937700000-0x00007FF9381C1000-memory.dmp

Filesize
10.8MB

Download
memory/2144-33-0x00000237FA780000-0x00000237FA790000-memory.dmp

Filesize
64KB

Download
memory/2144-34-0x00000237FA780000-0x00000237FA790000-memory.dmp

Filesize
64KB

Download
memory/2144-27-0x00000237FC830000-0x00000237FC852000-memory.dmp

Filesize
136KB

Download
memory/2144-37-0x00007FF937700000-0x00007FF9381C1000-memory.dmp

Filesize
10.8MB

Download
memory/2220-76-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2220-78-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2220-77-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2220-79-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2220-80-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2220-83-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2740-52-0x0000026765660000-0x0000026765670000-memory.dmp

Filesize
64KB

Download
memory/2740-66-0x0000026767D20000-0x0000026767D3C000-memory.dmp

Filesize
112KB

Download
memory/2740-71-0x0000026767D50000-0x0000026767D5A000-memory.dmp

Filesize
40KB

Download
memory/2740-72-0x0000026765660000-0x0000026765670000-memory.dmp

Filesize
64KB

Download
memory/2740-62-0x0000026765660000-0x0000026765670000-memory.dmp

Filesize
64KB

Download
memory/2740-51-0x0000026765660000-0x0000026765670000-memory.dmp

Filesize
64KB

Download
memory/2740-68-0x0000026767D60000-0x0000026767D7A000-memory.dmp

Filesize
104KB

Download
memory/2740-69-0x0000026767D10000-0x0000026767D18000-memory.dmp

Filesize
32KB

Download
memory/2740-70-0x0000026767D40000-0x0000026767D46000-memory.dmp

Filesize
24KB

Download
memory/2740-67-0x0000026767D00000-0x0000026767D0A000-memory.dmp

Filesize
40KB

Download
memory/2740-75-0x00007FF9374C0000-0x00007FF937F81000-memory.dmp

Filesize
10.8MB

Download
memory/2740-50-0x00007FF9374C0000-0x00007FF937F81000-memory.dmp

Filesize
10.8MB

Download
memory/2740-64-0x0000026767AF0000-0x0000026767BA5000-memory.dmp

Filesize
724KB

Download
memory/2740-65-0x0000026767BB0000-0x0000026767BBA000-memory.dmp

Filesize
40KB

Download
memory/2740-63-0x0000026767AD0000-0x0000026767AEC000-memory.dmp

Filesize
112KB

Download
memory/3052-93-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3052-92-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3052-84-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3052-86-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3052-90-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3052-95-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3052-96-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3052-94-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3052-91-0x0000026A617E0000-0x0000026A61800000-memory.dmp

Filesize
128KB

Download
memory/3052-85-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3052-89-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3052-88-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3052-87-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3052-97-0x0000026A61CF0000-0x0000026A61D10000-memory.dmp

Filesize
128KB

Download
memory/3052-98-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3052-100-0x0000026A61D10000-0x0000026A61D30000-memory.dmp

Filesize
128KB

Download
memory/3052-99-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3052-101-0x0000026A61D10000-0x0000026A61D30000-memory.dmp

Filesize
128KB

Download