Overview

overview

10

Static

static

3

bb33ac9f59...7f.exe

windows7-x64

10

bb33ac9f59...7f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14-04-2024 01:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb33ac9f59e994eabaa81a036595b9a02b0ebfc1e35e8d429c5d761b5b7e607f.exe

  • Size

    471KB

  • MD5

    00b886f9ccc974b936ed6e3c34beab63

  • SHA1

    7d8fbf07e990a870accc9407d6487af5d26fbfc6

  • SHA256

    bb33ac9f59e994eabaa81a036595b9a02b0ebfc1e35e8d429c5d761b5b7e607f

  • SHA512

    df64d4b0bee8790572433780887cbc823be5b275791c6f455bfeecf70dc832783dd1aefb3ca234c1cb2ac56ceeda6d7ce7a53e03009fb7d20b0652ddf4ced828

  • SSDEEP

    6144:6C8T2w7qrXDOXTk1uv45QZwwsqHy6KdFK/XLG+df05csjUOMXuSl7lsV1kGLoB:6C8ThBvYGs+6KD3V05cEOXuSlZq

Score
10/10
phorphiexxmrigevasionloaderminerpersistencetrojanworm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Signatures

  • Phorphiex

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

    wormtrojanloaderphorphiex
  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • Windows security bypass 2 TTPs 18 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 7 IoCs
    miner
  • Downloads MZ/PE file
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 14 IoCs
  • Windows security modification 2 TTPs 21 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 60 IoCs
  • Suspicious use of SendNotifyMessage 60 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\bb33ac9f59e994eabaa81a036595b9a02b0ebfc1e35e8d429c5d761b5b7e607f.exe
        "C:\Users\Admin\AppData\Local\Temp\bb33ac9f59e994eabaa81a036595b9a02b0ebfc1e35e8d429c5d761b5b7e607f.exe"
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2408
        • C:\Users\Admin\AppData\Local\Temp\38AD.exe
          "C:\Users\Admin\AppData\Local\Temp\38AD.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2400
          • C:\Users\Admin\AppData\Local\Temp\355431807.exe
            C:\Users\Admin\AppData\Local\Temp\355431807.exe
            4⤵
            • Windows security bypass
            • Executes dropped EXE
            • Loads dropped DLL
            • Windows security modification
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:2672
            • C:\Users\Admin\AppData\Local\Temp\179263459.exe
              C:\Users\Admin\AppData\Local\Temp\179263459.exe
              5⤵
              • Windows security bypass
              • Executes dropped EXE
              • Loads dropped DLL
              • Windows security modification
              • Adds Run key to start application
              • Drops file in Windows directory
              • Suspicious behavior: SetClipboardViewer
              • Suspicious use of WriteProcessMemory
              PID:1336
              • C:\Users\Admin\AppData\Local\Temp\827110172.exe
                C:\Users\Admin\AppData\Local\Temp\827110172.exe
                6⤵
                • Executes dropped EXE
                PID:2520
              • C:\Users\Admin\AppData\Local\Temp\1655633351.exe
                C:\Users\Admin\AppData\Local\Temp\1655633351.exe
                6⤵
                • Executes dropped EXE
                PID:2072
              • C:\Users\Admin\AppData\Local\Temp\62945056.exe
                C:\Users\Admin\AppData\Local\Temp\62945056.exe
                6⤵
                • Executes dropped EXE
                PID:1692
            • C:\Users\Admin\AppData\Local\Temp\460927657.exe
              C:\Users\Admin\AppData\Local\Temp\460927657.exe
              5⤵
              • Windows security bypass
              • Executes dropped EXE
              • Windows security modification
              • Adds Run key to start application
              • Drops file in Windows directory
              PID:320
            • C:\Users\Admin\AppData\Local\Temp\2456532587.exe
              C:\Users\Admin\AppData\Local\Temp\2456532587.exe
              5⤵
              • Executes dropped EXE
              PID:2772
            • C:\Users\Admin\AppData\Local\Temp\1194929494.exe
              C:\Users\Admin\AppData\Local\Temp\1194929494.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:648
              • C:\Users\Admin\AppData\Local\Temp\3517119788.exe
                C:\Users\Admin\AppData\Local\Temp\3517119788.exe
                6⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:1736
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
        2⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
          3⤵
          • Creates scheduled task(s)
          PID:2028
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
        2⤵
          PID:1740
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
          2⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
            3⤵
            • Creates scheduled task(s)
            PID:2492
        • C:\Windows\System32\notepad.exe
          C:\Windows\System32\notepad.exe
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2432
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {70F24D6F-92EF-4878-97E3-724E20A6404E} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
        1⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
          "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2568

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      2
      T1562.001

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OFFQJ7AH\2[1]
        Filesize

        14KB

        MD5

        fce292c79288067dc17919ed588c161c

        SHA1

        bb44fa2c95af5bbd11e49264a40c16d6f343fa21

        SHA256

        4ef8146d85d60c2867bdbe44304b5ba00cceb208f4c10c9f91183308e1da3828

        SHA512

        73dac29753044a720fc43b4ee19d320e06855167cdf0ebf329207aa16faa13fd6d2937bd87b54e544dd8d4c3da634773abd73769d3915154099ff01e6e03033e

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PU2MMJX7\1[1]
        Filesize

        92KB

        MD5

        5dde1286cd55e25fe0fc60d2b064d137

        SHA1

        dd311cfbddc4dae8e15ad7b629adfab617b2a727

        SHA256

        a6ddd8b13c1192dd4740991eb836641fff23b2beff06bb348e6cfc613e8abd50

        SHA512

        e5d0efdd47b92b89a2e3e0cf0ab4f8258ba667ce7ac75123248d9c59058322caea8f8980b013d144f7d039bc376760d17c8c16b4c985fd1940f90cc1c450a450

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PU2MMJX7\5[1]
        Filesize

        8KB

        MD5

        93c0bd2539d4d4eb74fe6d41c928f66c

        SHA1

        c7a2010ebd934828e20450c5318c8e20168f4ba8

        SHA256

        5d9f88fcde1bd7fbe7ecba0dae737da96a55005b0d61c45c4251be0677195299

        SHA512

        b8c7cdad4cf1ffd9a3bb6ffb36dabec957169bd43e27f0ec48c19693dd014c09916c0df0a46e808dba0450707c89e7dba7d3ff439d763fbe1e4d8b09fad2aad6

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        5bd1836206ecb54e4ebb51c425b74d60

        SHA1

        46021a26ca21fc66c7ed4b4e2236ba4b111c595f

        SHA256

        3cb548edeade3a4687a391a141050a527cac578a35639e02c035c01b674d37f2

        SHA512

        b45853529c5da0371a064db4c9ffe1cb124c7c00960edab39709a1be2a220b8b7d7049baa02bd2beaf70efef67459e10f0b2a15fb6469a523864a4410cdf7ded

        Download Submit
      • C:\Users\Admin\tbtnds.dat
        Filesize

        4KB

        MD5

        4d05ff13465f0cff58ea537f2eedd9f6

        SHA1

        1a80ca259a54cc4e1aaf99f19ef4e8bc23b0e00e

        SHA256

        3493d3ca6a8d132d0028b187e66e92647021b98460ead835cbbeb9af983dd02e

        SHA512

        6dba55549d4f27f0be003a52ba3c0ed8c05f4e08f6a98764ca29f4378a677cb21f97be1ffc28e2588aa528ff211bc69aacac6bd5bb358655d1b1699a41faf931

        Download Submit
      • C:\Users\Admin\tbtnds.dat
        Filesize

        4KB

        MD5

        d73cf76255ed3e90e72d98d28e8eddd3

        SHA1

        d58abac9bb8e4bb30cea4ef3ba7aa19186189fb5

        SHA256

        bfcb5f4589729deeeb57b92842933b144322a672cfe3ce11586f1aec83472781

        SHA512

        20ef064050ba23e5163435c595bc9c81422ca3b8ac82338ff965961a954bd9c0da9b13f489997015565908d1105784b712ccc2b3a478fe990e4b99e071bfa9b2

        Download Submit
      • C:\Users\Admin\tbtnds.dat
        Filesize

        4KB

        MD5

        5316d80bd0563089775992ed8e17e34b

        SHA1

        19160342b6cb50b6085f833d1344d90370cd3fcc

        SHA256

        8b252776e62e2a1bf61e59d3a1f1a40eb9b5bff0f936861f7bce6aaa63f39ee6

        SHA512

        45d8e4550068347fb3f62ca13d9f249593c164760e297cc7db5a20c9079474bb0ac62fa83cdb6571278af572831bef0709ebbfd34e5bf239ab759afddb66c3d9

        Download Submit
      • \Users\Admin\AppData\Local\Temp\1194929494.exe
        Filesize

        6KB

        MD5

        0d539e8277f20391a31babff8714fdb0

        SHA1

        a4e63870aa5fd258dde4f02be70732c27f556fa9

        SHA256

        669035f4f05fe6ffc7722987c41f802f3a11298cb3a154b00c4e76df2ae5fe32

        SHA512

        700ff1733a064ddda80c0ac4702e50a8c0ddd97f154ff894f89d16603c02076a13e1a93ca51224579898cdf69e560a69dff60d4f5e26a479e74a3e3350f822ff

        Download Submit
      • \Users\Admin\AppData\Local\Temp\179263459.exe
        Filesize

        92KB

        MD5

        9d5d9c05478676448e711c067bfac5fc

        SHA1

        9de1e4e02e8b9c2e998f92b5e2b7ec0a6bc832ef

        SHA256

        b4f3a86dc3d34a311aec138b02208b181fb9f767203df3bd26d779a28e3d71ed

        SHA512

        1d47c1d17f968304aa2cfe2e8100d309f95f7303c94455c1098a8ae238fc1e1fbfcb86368836750b48b7a47c67bbcd35f901c4fb9457ab43b7f3ef1cb376e7a3

        Download Submit
      • \Users\Admin\AppData\Local\Temp\2456532587.exe
        Filesize

        8KB

        MD5

        80f97c916a3eb0e5663761ac5ee1ddd1

        SHA1

        4ee54f2bf257f9490eaa2c988a5705ef7b11d2bc

        SHA256

        9e06f61d715b1b88507e3e70390721ab7ab35d70fe2df6edaaf0e565783e7d2f

        SHA512

        85e30cfc5c02543820f884602701986aa1e40d587da13c35b76b80dc95c0d6b3e18f5b0ad083fcfa3e9b92935306e4f8faec36ac28ac25e53fb03dcba4a092a6

        Download Submit
      • \Users\Admin\AppData\Local\Temp\3517119788.exe
        Filesize

        5.4MB

        MD5

        41ab08c1955fce44bfd0c76a64d1945a

        SHA1

        2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

        SHA256

        dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

        SHA512

        38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

        Download Submit
      • \Users\Admin\AppData\Local\Temp\355431807.exe
        Filesize

        85KB

        MD5

        10ffc145e1c09190a496a0e0527b4f3f

        SHA1

        e21fba21a11eecb4bc37638f48aed9f09d8912f6

        SHA256

        80b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d

        SHA512

        bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d

        Download Submit
      • \Users\Admin\AppData\Local\Temp\38AD.exe
        Filesize

        9KB

        MD5

        62b97cf4c0abafeda36e3fc101a5a022

        SHA1

        328fae9acff3f17df6e9dc8d6ef1cec679d4eb2b

        SHA256

        e172537adcee1fcdc8f16c23e43a5ac82c56a0347fa0197c08be979438a534ab

        SHA512

        32bd7062aabd25205471cec8d292b820fc2fd2479da6fb723332887fc47036570bb2d25829acb7c883ccaaab272828c8effbc78f02a3deeabb47656f4b64eb24

        Download Submit
      • \Users\Admin\AppData\Local\Temp\460927657.exe
        Filesize

        14KB

        MD5

        2f4ab1a4a57649200550c0906d57bc28

        SHA1

        94bc52ed3921791630b2a001d9565b8f1bd3bd17

        SHA256

        baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

        SHA512

        ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

        Download Submit
      • memory/1736-130-0x000000013F0C0000-0x000000013F636000-memory.dmp
        Filesize

        5.5MB

        Download
      • memory/2408-8-0x0000000002670000-0x0000000002671000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2408-9-0x0000000000400000-0x000000000047ADB0-memory.dmp
        Filesize

        491KB

        Download
      • memory/2432-151-0x00000000000B0000-0x00000000000D0000-memory.dmp
        Filesize

        128KB

        Download
      • memory/2432-163-0x0000000140000000-0x00000001407EF000-memory.dmp
        Filesize

        7.9MB

        Download
      • memory/2432-162-0x0000000140000000-0x00000001407EF000-memory.dmp
        Filesize

        7.9MB

        Download
      • memory/2432-161-0x0000000140000000-0x00000001407EF000-memory.dmp
        Filesize

        7.9MB

        Download
      • memory/2432-158-0x0000000140000000-0x00000001407EF000-memory.dmp
        Filesize

        7.9MB

        Download
      • memory/2432-157-0x0000000000100000-0x0000000000120000-memory.dmp
        Filesize

        128KB

        Download
      • memory/2432-156-0x0000000140000000-0x00000001407EF000-memory.dmp
        Filesize

        7.9MB

        Download
      • memory/2432-153-0x0000000140000000-0x00000001407EF000-memory.dmp
        Filesize

        7.9MB

        Download
      • memory/2432-152-0x0000000000100000-0x0000000000120000-memory.dmp
        Filesize

        128KB

        Download
      • memory/2536-120-0x000000001B180000-0x000000001B462000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/2536-121-0x0000000002320000-0x0000000002328000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2536-122-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2536-123-0x00000000024F0000-0x0000000002570000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2536-124-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2536-125-0x00000000024F0000-0x0000000002570000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2536-126-0x00000000024F0000-0x0000000002570000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2536-127-0x000007FEF5BB0000-0x000007FEF654D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2568-150-0x000000013F850000-0x000000013FDC6000-memory.dmp
        Filesize

        5.5MB

        Download
      • memory/2996-146-0x0000000002570000-0x00000000025F0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2996-139-0x000000001B1B0000-0x000000001B492000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/2996-141-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2996-140-0x0000000001FE0000-0x0000000001FE8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2996-147-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2996-142-0x0000000002570000-0x00000000025F0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2996-145-0x0000000002570000-0x00000000025F0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2996-144-0x0000000002570000-0x00000000025F0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2996-143-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp
        Filesize

        9.6MB

        Download