xmrig | 22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184

Analysis

max time kernel
8s
max time network
10s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
Size

2.9MB
MD5

b3fc214094fbc7d1542542fd86d23963
SHA1

50f97ed0a4719a75ef7bd31c38a829ec0d155e92
SHA256

22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184
SHA512

070ba8b6a5f6a89915f4516434b23e77b60e5a1ba87f251754ecbbd3b2616ec5de3a3939ab480ab471fb42ce82c11bdb1b51b3f6391e9ce0328c40a7b88593b1
SSDEEP

49152:SGCL+RB7rH7cRsZPAEXl6PxJt3rMYS3Usa5Lcq/CqjJxQA5VMvPV3/SdLS:TCU3H7lZoEXl+ft7MYSoLN/CCxQA5VsV

Score

10^/10

xmrig discovery evasion execution miner upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/1596-33-0x0000000000400000-0x0000000000DEC000-memory.dmp	xmrig

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2160	WScript.exe

Executes dropped EXE 4 IoCs

pid	Process
2264	svchost.exe
2616	svchost.exe
1976	svchost.exe
2828	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1596-0-0x0000000000400000-0x0000000000DEC000-memory.dmp	upx
behavioral1/files/0x0004000000011ba2-19.dat	upx
behavioral1/memory/2616-22-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2264-24-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1976-26-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2616-30-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/2828-28-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral1/memory/1596-33-0x0000000000400000-0x0000000000DEC000-memory.dmp	upx

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\Fonts\conhost.exe	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
File opened for modification	\??\c:\windows\Fonts\svchost.exe	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
File opened for modification	\??\c:\windows\Fonts\WinRing0x64.sys	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
File created	\??\c:\windows\Fonts\svchost.exe	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
File created	\??\c:\windows\Fonts\conhost.exe	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
File created	\??\c:\windows\Fonts\WinRing0x64.sys	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
File opened for modification	C:\Windows\Fonts	attrib.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2704	sc.exe
2504	sc.exe
2832	sc.exe
2936	sc.exe
2740	sc.exe
2808	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2656	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	30
PID 1596 wrote to memory of 2656	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	30
PID 1596 wrote to memory of 2656	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	30
PID 1596 wrote to memory of 2656	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	30
PID 1596 wrote to memory of 2184	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	31
PID 1596 wrote to memory of 2184	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	31
PID 1596 wrote to memory of 2184	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	31
PID 1596 wrote to memory of 2184	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	31
PID 1596 wrote to memory of 2740	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	34
PID 1596 wrote to memory of 2740	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	34
PID 1596 wrote to memory of 2740	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	34
PID 1596 wrote to memory of 2740	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	34
PID 1596 wrote to memory of 2760	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	35
PID 1596 wrote to memory of 2760	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	35
PID 1596 wrote to memory of 2760	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	35
PID 1596 wrote to memory of 2760	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	35
PID 1596 wrote to memory of 2808	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	36
PID 1596 wrote to memory of 2808	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	36
PID 1596 wrote to memory of 2808	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	36
PID 1596 wrote to memory of 2808	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	36
PID 1596 wrote to memory of 2736	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	37
PID 1596 wrote to memory of 2736	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	37
PID 1596 wrote to memory of 2736	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	37
PID 1596 wrote to memory of 2736	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	37
PID 1596 wrote to memory of 2704	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	38
PID 1596 wrote to memory of 2704	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	38
PID 1596 wrote to memory of 2704	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	38
PID 1596 wrote to memory of 2704	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	38
PID 1596 wrote to memory of 2504	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	41
PID 1596 wrote to memory of 2504	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	41
PID 1596 wrote to memory of 2504	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	41
PID 1596 wrote to memory of 2504	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	41
PID 1596 wrote to memory of 2980	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	42
PID 1596 wrote to memory of 2980	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	42
PID 1596 wrote to memory of 2980	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	42
PID 1596 wrote to memory of 2980	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	42
PID 1596 wrote to memory of 2832	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	43
PID 1596 wrote to memory of 2832	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	43
PID 1596 wrote to memory of 2832	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	43
PID 1596 wrote to memory of 2832	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	43
PID 1596 wrote to memory of 2580	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	45
PID 1596 wrote to memory of 2580	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	45
PID 1596 wrote to memory of 2580	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	45
PID 1596 wrote to memory of 2580	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	45
PID 2656 wrote to memory of 1896	2656	cmd.exe	50
PID 2656 wrote to memory of 1896	2656	cmd.exe	50
PID 2656 wrote to memory of 1896	2656	cmd.exe	50
PID 2656 wrote to memory of 1896	2656	cmd.exe	50
PID 2184 wrote to memory of 2812	2184	net.exe	51
PID 2184 wrote to memory of 2812	2184	net.exe	51
PID 2184 wrote to memory of 2812	2184	net.exe	51
PID 2184 wrote to memory of 2812	2184	net.exe	51
PID 1596 wrote to memory of 2936	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	47
PID 1596 wrote to memory of 2936	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	47
PID 1596 wrote to memory of 2936	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	47
PID 1596 wrote to memory of 2936	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	47
PID 1596 wrote to memory of 2616	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	56
PID 1596 wrote to memory of 2616	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	56
PID 1596 wrote to memory of 2616	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	56
PID 1596 wrote to memory of 2616	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	56
PID 1596 wrote to memory of 2264	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	57
PID 1596 wrote to memory of 2264	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	57
PID 1596 wrote to memory of 2264	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	57
PID 1596 wrote to memory of 2264	1596	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	57

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1896	attrib.exe

C:\Users\Admin\AppData\Local\Temp\22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
"C:\Users\Admin\AppData\Local\Temp\22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\attrib.exe
    attrib -s -h -r -a C:\Windows\Fonts
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1896
- C:\Windows\SysWOW64\net.exe
  net stop MicrosotMaims
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MicrosotMaims
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- C:\Windows\SysWOW64\sc.exe
  sc delete MicrosotMaims
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2740
- C:\Windows\SysWOW64\net.exe
  net stop MicrosotMais
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MicrosotMais
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- C:\Windows\SysWOW64\sc.exe
  sc delete MicrosotMais
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Windows\SysWOW64\net.exe
  net stop lanmanserver /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2736
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop lanmanserver /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2920
- C:\Windows\SysWOW64\sc.exe
  sc config lanmanserver start= DISABLED 2>nul
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Windows\SysWOW64\sc.exe
  sc delete lanmanserver
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2504
- C:\Windows\SysWOW64\net.exe
  net stop mssecsvc2.0
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2980
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mssecsvc2.0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
- C:\Windows\SysWOW64\sc.exe
  sc delete mssecsvc2.0
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2832
- C:\Windows\SysWOW64\net.exe
  net stop mssecsvc2.1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2580
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mssecsvc2.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:752
- C:\Windows\SysWOW64\sc.exe
  sc delete mssecsvc2.1
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2936
- \??\c:\windows\Fonts\svchost.exe
  c:\windows\Fonts\svchost.exe install MicrosotMaims c:\windows\Fonts\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- \??\c:\windows\Fonts\svchost.exe
  c:\windows\Fonts\svchost.exe set MicrosotMaims DisplayName Network Location Service
  2⤵
  - Executes dropped EXE
  PID:2264
- \??\c:\windows\Fonts\svchost.exe
  c:\windows\Fonts\svchost.exe set MicrosotMaims Description Provides performance library information from Windows Management.
  2⤵
  - Executes dropped EXE
  PID:2828
- \??\c:\windows\Fonts\svchost.exe
  c:\windows\Fonts\svchost.exe start MicrosotMaims
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
275B

MD5
f709885679418637442330ed6d445fe4

SHA1
175f52af23a7ae847e0f4ba134c95e3a5a8cba1a

SHA256
62560ead9fcdcc8d7a4738c184ff91e37b0a0ddc5c49bfe9f3672be0a799404c

SHA512
8773fd2386047226fc4507a2cec0b263ccbb73b26838967faebdb25bf78787db80adbfadd67eab52356f5de21ce2db7107590c3e338e488f3e82ae5f1aa2c307

Download Submit
C:\Windows\Fonts\svchost.exe

Filesize
87KB

MD5
3215a773eecd1089babe6b9975086ebd

SHA1
6f28080e58149aeb72dfd0f2568ce80de4eff43c

SHA256
516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c

SHA512
664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad

Download Submit
memory/1596-0-0x0000000000400000-0x0000000000DEC000-memory.dmp

Filesize
9.9MB

Download
memory/1596-20-0x0000000000DF0000-0x0000000000E43000-memory.dmp

Filesize
332KB

Download
memory/1596-33-0x0000000000400000-0x0000000000DEC000-memory.dmp

Filesize
9.9MB

Download
memory/1976-26-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2264-24-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2616-22-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2616-30-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/2828-28-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download