xmrig | 22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184

Analysis

max time kernel
140s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
Size

2.9MB
MD5

b3fc214094fbc7d1542542fd86d23963
SHA1

50f97ed0a4719a75ef7bd31c38a829ec0d155e92
SHA256

22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184
SHA512

070ba8b6a5f6a89915f4516434b23e77b60e5a1ba87f251754ecbbd3b2616ec5de3a3939ab480ab471fb42ce82c11bdb1b51b3f6391e9ce0328c40a7b88593b1
SSDEEP

49152:SGCL+RB7rH7cRsZPAEXl6PxJt3rMYS3Usa5Lcq/CqjJxQA5VMvPV3/SdLS:TCU3H7lZoEXl+ft7MYSoLN/CCxQA5VsV

Score

10^/10

xmrig discovery evasion execution miner upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral2/memory/3976-30-0x0000000000400000-0x0000000000DEC000-memory.dmp	xmrig

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe

Deletes itself 1 IoCs

pid	Process
4720	WScript.exe

Executes dropped EXE 4 IoCs

pid	Process
3724	svchost.exe
5028	svchost.exe
3992	svchost.exe
1396	svchost.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3976-0-0x0000000000400000-0x0000000000DEC000-memory.dmp	upx
behavioral2/files/0x00090000000233d7-7.dat	upx
behavioral2/memory/3724-15-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/3724-26-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/3992-24-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/1396-22-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/5028-20-0x0000000140000000-0x0000000140053000-memory.dmp	upx
behavioral2/memory/3976-30-0x0000000000400000-0x0000000000DEC000-memory.dmp	upx

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	\??\c:\windows\Fonts\svchost.exe	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
File created	\??\c:\windows\Fonts\conhost.exe	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
File created	\??\c:\windows\Fonts\WinRing0x64.sys	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
File opened for modification	\??\c:\windows\Fonts\conhost.exe	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
File opened for modification	\??\c:\windows\Fonts\svchost.exe	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
File opened for modification	\??\c:\windows\Fonts\WinRing0x64.sys	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
File opened for modification	C:\Windows\Fonts	attrib.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4980	sc.exe
3300	sc.exe
3432	sc.exe
3452	sc.exe
3572	sc.exe
1776	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 1980	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	84
PID 3976 wrote to memory of 1980	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	84
PID 3976 wrote to memory of 1980	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	84
PID 3976 wrote to memory of 3564	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	85
PID 3976 wrote to memory of 3564	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	85
PID 3976 wrote to memory of 3564	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	85
PID 3976 wrote to memory of 1776	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	86
PID 3976 wrote to memory of 1776	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	86
PID 3976 wrote to memory of 1776	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	86
PID 3976 wrote to memory of 2156	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	87
PID 3976 wrote to memory of 2156	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	87
PID 3976 wrote to memory of 2156	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	87
PID 3976 wrote to memory of 3572	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	88
PID 3976 wrote to memory of 3572	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	88
PID 3976 wrote to memory of 3572	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	88
PID 3976 wrote to memory of 1100	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	89
PID 3976 wrote to memory of 1100	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	89
PID 3976 wrote to memory of 1100	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	89
PID 3976 wrote to memory of 3452	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	90
PID 3976 wrote to memory of 3452	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	90
PID 3976 wrote to memory of 3452	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	90
PID 3976 wrote to memory of 3432	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	91
PID 3976 wrote to memory of 3432	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	91
PID 3976 wrote to memory of 3432	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	91
PID 3976 wrote to memory of 3924	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	92
PID 3976 wrote to memory of 3924	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	92
PID 3976 wrote to memory of 3924	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	92
PID 3976 wrote to memory of 4980	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	93
PID 3976 wrote to memory of 4980	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	93
PID 3976 wrote to memory of 4980	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	93
PID 3976 wrote to memory of 4572	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	94
PID 3976 wrote to memory of 4572	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	94
PID 3976 wrote to memory of 4572	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	94
PID 3976 wrote to memory of 3300	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	95
PID 3976 wrote to memory of 3300	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	95
PID 3976 wrote to memory of 3300	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	95
PID 3976 wrote to memory of 3724	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	99
PID 3976 wrote to memory of 3724	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	99
PID 3976 wrote to memory of 5028	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	100
PID 3976 wrote to memory of 5028	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	100
PID 3976 wrote to memory of 3992	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	101
PID 3976 wrote to memory of 3992	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	101
PID 3976 wrote to memory of 1396	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	102
PID 3976 wrote to memory of 1396	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	102
PID 1980 wrote to memory of 4660	1980	cmd.exe	116
PID 1980 wrote to memory of 4660	1980	cmd.exe	116
PID 1980 wrote to memory of 4660	1980	cmd.exe	116
PID 1100 wrote to memory of 3192	1100	net.exe	117
PID 1100 wrote to memory of 3192	1100	net.exe	117
PID 1100 wrote to memory of 3192	1100	net.exe	117
PID 4572 wrote to memory of 4772	4572	net.exe	118
PID 4572 wrote to memory of 4772	4572	net.exe	118
PID 4572 wrote to memory of 4772	4572	net.exe	118
PID 3924 wrote to memory of 2104	3924	net.exe	121
PID 3924 wrote to memory of 2104	3924	net.exe	121
PID 3924 wrote to memory of 2104	3924	net.exe	121
PID 2156 wrote to memory of 2380	2156	net.exe	120
PID 2156 wrote to memory of 2380	2156	net.exe	120
PID 2156 wrote to memory of 2380	2156	net.exe	120
PID 3564 wrote to memory of 540	3564	net.exe	119
PID 3564 wrote to memory of 540	3564	net.exe	119
PID 3564 wrote to memory of 540	3564	net.exe	119
PID 3976 wrote to memory of 4720	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	122
PID 3976 wrote to memory of 4720	3976	22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe	122

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4660	attrib.exe

C:\Users\Admin\AppData\Local\Temp\22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe
"C:\Users\Admin\AppData\Local\Temp\22289a61cd8a347a03da845d34820534b3e617781447a91c6a0fb3b1e6f6a184.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\SysWOW64\cmd.exe
  cmd /c attrib -s -h -r -a %SystemRoot%\Fonts
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\attrib.exe
    attrib -s -h -r -a C:\Windows\Fonts
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4660
- C:\Windows\SysWOW64\net.exe
  net stop MicrosotMaims
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MicrosotMaims
    3⤵
    - System Location Discovery: System Language Discovery
    PID:540
- C:\Windows\SysWOW64\sc.exe
  sc delete MicrosotMaims
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Windows\SysWOW64\net.exe
  net stop MicrosotMais
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop MicrosotMais
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- C:\Windows\SysWOW64\sc.exe
  sc delete MicrosotMais
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3572
- C:\Windows\SysWOW64\net.exe
  net stop lanmanserver /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop lanmanserver /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3192
- C:\Windows\SysWOW64\sc.exe
  sc config lanmanserver start= DISABLED 2>nul
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3452
- C:\Windows\SysWOW64\sc.exe
  sc delete lanmanserver
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3432
- C:\Windows\SysWOW64\net.exe
  net stop mssecsvc2.0
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mssecsvc2.0
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2104
- C:\Windows\SysWOW64\sc.exe
  sc delete mssecsvc2.0
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4980
- C:\Windows\SysWOW64\net.exe
  net stop mssecsvc2.1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mssecsvc2.1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4772
- C:\Windows\SysWOW64\sc.exe
  sc delete mssecsvc2.1
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3300
- \??\c:\windows\Fonts\svchost.exe
  c:\windows\Fonts\svchost.exe install MicrosotMaims c:\windows\Fonts\conhost.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- \??\c:\windows\Fonts\svchost.exe
  c:\windows\Fonts\svchost.exe set MicrosotMaims DisplayName Network Location Service
  2⤵
  - Executes dropped EXE
  PID:5028
- \??\c:\windows\Fonts\svchost.exe
  c:\windows\Fonts\svchost.exe set MicrosotMaims Description Provides performance library information from Windows Management.
  2⤵
  - Executes dropped EXE
  PID:3992
- \??\c:\windows\Fonts\svchost.exe
  c:\windows\Fonts\svchost.exe start MicrosotMaims
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tem.vbs"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tem.vbs

Filesize
275B

MD5
f709885679418637442330ed6d445fe4

SHA1
175f52af23a7ae847e0f4ba134c95e3a5a8cba1a

SHA256
62560ead9fcdcc8d7a4738c184ff91e37b0a0ddc5c49bfe9f3672be0a799404c

SHA512
8773fd2386047226fc4507a2cec0b263ccbb73b26838967faebdb25bf78787db80adbfadd67eab52356f5de21ce2db7107590c3e338e488f3e82ae5f1aa2c307

Download Submit
C:\Windows\Fonts\svchost.exe

Filesize
87KB

MD5
3215a773eecd1089babe6b9975086ebd

SHA1
6f28080e58149aeb72dfd0f2568ce80de4eff43c

SHA256
516319905545cf575de3322f7733d99d5293df4a38d46fccf1a41e23b64d2d6c

SHA512
664c519958fa80bb266764bf58543e9bd67665b540a78b9e7db4f25729c00fefbe5768a4fe75fa0b7905b19c9a02ba88b09e1eaef578593d5e97f450e22227ad

Download Submit
memory/1396-22-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3724-15-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3724-26-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/3976-0-0x0000000000400000-0x0000000000DEC000-memory.dmp

Filesize
9.9MB

Download
memory/3976-30-0x0000000000400000-0x0000000000DEC000-memory.dmp

Filesize
9.9MB

Download
memory/3992-24-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download
memory/5028-20-0x0000000140000000-0x0000000140053000-memory.dmp

Filesize
332KB

Download