xmrig | 4489ff33e7a91c7485a1c1dd8a6102868e385f74fd8b5dbdbf4b505bbe9193b3

Analysis

max time kernel
114s
max time network
137s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-03-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gfgghdh.exe
Size

5.0MB
MD5

b03c2d7df7eabc44f36397cb66ac3e77
SHA1

486f521d16d96878a74ff9212cf2da5b184e0430
SHA256

4489ff33e7a91c7485a1c1dd8a6102868e385f74fd8b5dbdbf4b505bbe9193b3
SHA512

5cffc7a0ba01e5db793a62a3fc1dc2454cbd5b768f66959adac11e1523958bc48ef4c1dd5ff074988c04b6269853671ab480074a117d30184631d9936c154051
SSDEEP

98304:22gWGh4M2YYF05TqTcAJ5ubzxFAvJWJkC0dLM658jmpMJAxmEjmiFDzQbTMo7KlJ:22gWGh4M2nF0pqTcA/gFonCu0SmEDFD5

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral1/memory/2704-32-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2704-35-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2704-36-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2704-38-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2704-39-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2704-37-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2704-33-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2704-40-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2704-41-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2704-46-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2704-47-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2704-48-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2704-49-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

pid	Process
2944	ghghghg.exe
2692	fgfdgd.exe

Loads dropped DLL 8 IoCs

pid	Process
1312	gfgghdh.exe
1312	gfgghdh.exe
2708	taskeng.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2704-27-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-29-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-30-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-31-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-28-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-32-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-35-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-36-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-38-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-39-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-37-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-33-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-40-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-41-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-46-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-47-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-48-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2704-49-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2944 set thread context of 2704	2944	ghghghg.exe	47

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	ghghghg.exe
2944	ghghghg.exe
2944	ghghghg.exe
2944	ghghghg.exe
2944	ghghghg.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2344	powercfg.exe
Token: SeShutdownPrivilege	2688	powercfg.exe
Token: SeShutdownPrivilege	3052	powercfg.exe
Token: SeShutdownPrivilege	2872	powercfg.exe
Token: SeLockMemoryPrivilege	2704	explorer.exe
Token: SeLockMemoryPrivilege	2704	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe
2704	explorer.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2944	1312	gfgghdh.exe	28
PID 1312 wrote to memory of 2944	1312	gfgghdh.exe	28
PID 1312 wrote to memory of 2944	1312	gfgghdh.exe	28
PID 1312 wrote to memory of 2940	1312	gfgghdh.exe	29
PID 1312 wrote to memory of 2940	1312	gfgghdh.exe	29
PID 1312 wrote to memory of 2940	1312	gfgghdh.exe	29
PID 1312 wrote to memory of 2660	1312	gfgghdh.exe	31
PID 1312 wrote to memory of 2660	1312	gfgghdh.exe	31
PID 1312 wrote to memory of 2660	1312	gfgghdh.exe	31
PID 1312 wrote to memory of 2664	1312	gfgghdh.exe	32
PID 1312 wrote to memory of 2664	1312	gfgghdh.exe	32
PID 1312 wrote to memory of 2664	1312	gfgghdh.exe	32
PID 2660 wrote to memory of 2552	2660	cmd.exe	35
PID 2660 wrote to memory of 2552	2660	cmd.exe	35
PID 2660 wrote to memory of 2552	2660	cmd.exe	35
PID 2708 wrote to memory of 2692	2708	taskeng.exe	37
PID 2708 wrote to memory of 2692	2708	taskeng.exe	37
PID 2708 wrote to memory of 2692	2708	taskeng.exe	37
PID 2692 wrote to memory of 2448	2692	fgfdgd.exe	38
PID 2692 wrote to memory of 2448	2692	fgfdgd.exe	38
PID 2692 wrote to memory of 2448	2692	fgfdgd.exe	38
PID 2944 wrote to memory of 2704	2944	ghghghg.exe	47
PID 2944 wrote to memory of 2704	2944	ghghghg.exe	47
PID 2944 wrote to memory of 2704	2944	ghghghg.exe	47
PID 2944 wrote to memory of 2704	2944	ghghghg.exe	47
PID 2944 wrote to memory of 2704	2944	ghghghg.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\gfgghdh.exe
"C:\Users\Admin\AppData\Local\Temp\gfgghdh.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
  "C:\Users\Admin\AppData\Local\Temp\ghghghg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3052
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2704
- C:\Windows\system32\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fgfdgd"
  2⤵
  PID:2940
- C:\Windows\system32\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2552
- C:\Windows\system32\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\gfgghdh.exe" "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe"
  2⤵
  PID:2664

C:\Windows\system32\taskeng.exe
taskeng.exe {B067BDFB-540C-4C43-84A7-CDC4CCB033F1} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
  C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2692 -s 544
    3⤵
    - Loads dropped DLL
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ghghghg.exe

Filesize
2.1MB

MD5
379bb8646e1ac7db9bcc8dfb8299cccb

SHA1
fc86ff46cfd91546302f2359e8aa2c157919f8ae

SHA256
db24ea61131d89d295322befabdfbbb3307ac39f77faf8089f0188f08b82eb25

SHA512
64fbbb4ebaba4bf2215d76990920d2022ebd2b505379ebcf2a02055d6ef406184812c56e8d5532f08afdd950ea6217500aa45f9eeffcdc13bc790c89edfb46db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe

Filesize
2.9MB

MD5
ec8e888a2e0a4b1e76b8cae708e648e9

SHA1
53522bc0877bc5a75aafba20aaea2ae0083877fd

SHA256
63fce9c5e58c5acd235c15e24eb06433fb5d3130840e9ab3cf723f2ffc7ff403

SHA512
19343206268f412fe66e743a4bda8a04fc64998a1db4f54a087363b079d0fa0dd3efd0a3691994a015b3ce42499a5f17007ebb659c0cc02caffb29d5a3a5c35b

Download Submit
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe

Filesize
1.1MB

MD5
33c002fc198c26103a8e359fda3b14af

SHA1
78b50524ef1f9335051570eca00d35369dda6ee9

SHA256
00059789885104ab25f5b31164f88e896defe8c4419cf008b4c393cedda0d16f

SHA512
3a323c65e15ee8515ffe22c6fa4a289bc522835546cab9756209fc2e32424b0463747d97219847b7d6d8c421596d530e3964035356104f012eb4b9c37df6022c

Download Submit
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe

Filesize
1.0MB

MD5
f7f35b95702d21382e9151873fc3989d

SHA1
94765168cdd049072fdb9514db9b297f3ae0b5f2

SHA256
6f22bea35b65638ebb517b9c4da2750f0eeabd29a4eae4faaa9a82d661b98cc8

SHA512
01c32280ea9190940900be425360c10611dcbca76689ed7991697ea79ed0c4924c40c6bd49ffa4a638d3e3f96e65ee32142e0b168b6440ff707bfbe7c0807480

Download Submit
\Users\Admin\AppData\Local\Temp\ghghghg.exe

Filesize
3.3MB

MD5
38eb30a59fa0d86a928dabf13c9e2fda

SHA1
b8a6e58ad8a561e95c9e83e46628994d36dbcc7e

SHA256
ce325d6fbec1247f8858337266113775870db8bc39758b437da5c0621d5910e3

SHA512
e7923566dfa638e29475a50fe3ec2b908b44c5c3fd0b0ce83b9e3bf08562e9c3f2ad498f17e588fe64dbdc96e3cae88116f443288515992c7e3160bc5f4445b2

Download Submit
\Users\Admin\AppData\Local\Temp\ghghghg.exe

Filesize
2.9MB

MD5
024b8049d4dc70bc389394280599437a

SHA1
d5c33c09a13f6b81138507ff53cccebd11d17a6d

SHA256
7e3cb582eec79ca02be82f2e6fce3f42b7304c9e6a01a4f5d51ce6b0cecc5bd6

SHA512
e9dad8fb52e96e6fcda6fb5a33d36fff931e61d9b7329009193a952f00aaa3e674c43d665d9adc20bcb3b624dd8636e5f9dfc9dd7824fed5a38030b9e8eed858

Download Submit
\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe

Filesize
1.6MB

MD5
e16a702401db195908936fe03fc7e95c

SHA1
1f3b697d23298b257fca4bfb661d9221b76e4d21

SHA256
11ce6da72f89ea4fb4356395391d48bf9e79e0a52ad9bce906a91b0f8ff499bd

SHA512
a5e511a8882c246c848b53a23554f46132a2da3bf261ebe56b39c6d295f0b990ef238ec34fe19d82faf7d8a216f6050be76810571148cac66dcc896f20b0d8cc

Download Submit
\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe

Filesize
217KB

MD5
5f2118d929402b9132937510a6d642c2

SHA1
2dcee005516c5e1ce7730dfd3d1a5fbf32ce346c

SHA256
8d2cc3aa9522f1b92a8870ad0d1f7a9a721402a56ccfa3077f9468349cf6d153

SHA512
14c6a40b186257fb7c80124c0f07072e413a632e8d9a8198a7e0027a3ca631363162f4a9df02e8377b58e5a0f58dd11e89e7fb3a6e6e652df5f785d29ada5f81

Download Submit
\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe

Filesize
139KB

MD5
974c2a3b831c85b8cf1fece02e6a0f49

SHA1
5e64d49ea9d6f81e3030f596472a2431c4dc8ef4

SHA256
443b763f9937a4d9600291ba88ac4cfd9c6808fcaa188609a14c79c1b2537232

SHA512
331bd547e9777ec872063dc2abb36eb1806c58078d7e5cf9820d2a6075fd1faec177527177f9ce08a5672b82c7ad2946bff151ab4bf7f1e82d57095929dbab58

Download Submit
\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe

Filesize
241KB

MD5
01ab910b33460bfd06d496c9ed228ad6

SHA1
dbc9d2837d71332bdc6ceb806fc9a652c9ac3a9d

SHA256
53d0ec6793a295f04943b3a03f6509d28fe04b5ed487e4f9da1bc03dd11e797b

SHA512
e8e953e42586703ba82e037e24939c9796891b5bae9c2c9810afad39c381c2a221f156d2c5d3eefb4fc4bae3613d6ae8532e8964365247fb0fa14d6907abe7af

Download Submit
\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe

Filesize
173KB

MD5
80817d0687c7aa22b8a3f97f285cd0ff

SHA1
7ae34687e56d914025a41e1984159024723926b5

SHA256
932dba1268584c3eba002748f161ea6f43397c583b7ad7704e11a85365cb979b

SHA512
7164e022b9ddf90e9f23e3f92ca86c41a458e05fa6ffe339b5a42b4cf6e6c09c4f24103cac2914c12d724804c695ab9d568bc071338c37a316d465750b096c7c

Download Submit
\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe

Filesize
1.6MB

MD5
eeb811f299020d374146151289cf6d82

SHA1
cfcb35a8b6cd8f765a2273a82750d829aafac996

SHA256
7815299461382393a0ec0db03e692014fd457638657049185009b477238c282b

SHA512
8048b57e5f5f1ef42f732095160fa50a4c09431353c1bf21e03cc0b87f16ff9bc999762944d4a5be7cbe37b2c0a0c75a80f87eb855e43c89219864922db05e0b

Download Submit
memory/1312-2-0x0000000002380000-0x0000000002400000-memory.dmp

Filesize
512KB

Download
memory/1312-1-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/1312-0-0x00000000008D0000-0x0000000000DD0000-memory.dmp

Filesize
5.0MB

Download
memory/1312-13-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-20-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/2692-19-0x0000000001110000-0x0000000001610000-memory.dmp

Filesize
5.0MB

Download
memory/2692-18-0x000007FEF4B80000-0x000007FEF556C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-44-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/2692-43-0x000007FEF4B80000-0x000007FEF556C000-memory.dmp

Filesize
9.9MB

Download
memory/2704-31-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-42-0x00000000003A0000-0x00000000003C0000-memory.dmp

Filesize
128KB

Download
memory/2704-28-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-32-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-34-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/2704-35-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-36-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-38-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-39-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-37-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-33-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-40-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-41-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-30-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-29-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-27-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-45-0x00000000003A0000-0x00000000003C0000-memory.dmp

Filesize
128KB

Download
memory/2704-46-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-47-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-48-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-49-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2704-50-0x00000000003A0000-0x00000000003C0000-memory.dmp

Filesize
128KB

Download
memory/2704-51-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/2704-52-0x00000000003A0000-0x00000000003C0000-memory.dmp

Filesize
128KB

Download
memory/2704-53-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download