4add94ef0e28097e0b754cdcf5cdf6316ea7747984574da0953d9a63e5d33a84

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-04-2024 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd248041ccc9f9404d133ca7637a36de_JaffaCakes118.js
Size

643KB
MD5

bd248041ccc9f9404d133ca7637a36de
SHA1

a0160b0fa4ff0101987ef2b2b98a133705c11622
SHA256

4add94ef0e28097e0b754cdcf5cdf6316ea7747984574da0953d9a63e5d33a84
SHA512

b9ad5313e794de5fdb23b38f1fa6a8e2b03d22e3aa456e9be465b56167f6665a86461b80fabedbb2399559ec727cc5fcf525239dbb58293c75b644323d128597
SSDEEP

12288:q19D1UunvDLeSAtdiHc/6u3cIDJYP63AZEua70aa8Q2aGO:q19DpLaSAtmc/A2JC6QZEuM/aGO

Score

8^/10

discovery evasion

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	2432	cscript.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2804	netsh.exe
2468	netsh.exe

Deletes itself 1 IoCs

pid	Process
2432	cscript.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1096	icacls.exe
2172	icacls.exe
1568	icacls.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	mountvol.exe
File opened (read-only)	\??\B:	mountvol.exe
File opened (read-only)	\??\A:	mountvol.exe
File opened (read-only)	\??\G:	mountvol.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1456	sc.exe
2588	sc.exe
1176	sc.exe
1324	sc.exe
1748	sc.exe
1604	sc.exe
2392	sc.exe
1600	sc.exe
2024	sc.exe
800	sc.exe
340	sc.exe
2940	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2752	taskkill.exe
1752	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2432	cscript.exe
2360	powershell.exe
2432	cscript.exe
2432	cscript.exe
2432	cscript.exe
2432	cscript.exe
852	powershell.exe
2432	cscript.exe
2432	cscript.exe
2432	cscript.exe
2432	cscript.exe
2432	cscript.exe
2432	cscript.exe
2432	cscript.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	cscript.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeBackupPrivilege	1976	vssvc.exe
Token: SeRestorePrivilege	1976	vssvc.exe
Token: SeAuditPrivilege	1976	vssvc.exe
Token: SeDebugPrivilege	852	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2976	2296	wscript.exe	28
PID 2296 wrote to memory of 2976	2296	wscript.exe	28
PID 2296 wrote to memory of 2976	2296	wscript.exe	28
PID 2976 wrote to memory of 2512	2976	net.exe	30
PID 2976 wrote to memory of 2512	2976	net.exe	30
PID 2976 wrote to memory of 2512	2976	net.exe	30
PID 2296 wrote to memory of 2672	2296	wscript.exe	31
PID 2296 wrote to memory of 2672	2296	wscript.exe	31
PID 2296 wrote to memory of 2672	2296	wscript.exe	31
PID 2672 wrote to memory of 2832	2672	wscript.exe	32
PID 2672 wrote to memory of 2832	2672	wscript.exe	32
PID 2672 wrote to memory of 2832	2672	wscript.exe	32
PID 2832 wrote to memory of 2288	2832	net.exe	34
PID 2832 wrote to memory of 2288	2832	net.exe	34
PID 2832 wrote to memory of 2288	2832	net.exe	34
PID 2672 wrote to memory of 2432	2672	wscript.exe	35
PID 2672 wrote to memory of 2432	2672	wscript.exe	35
PID 2672 wrote to memory of 2432	2672	wscript.exe	35
PID 2432 wrote to memory of 2468	2432	cscript.exe	37
PID 2432 wrote to memory of 2468	2432	cscript.exe	37
PID 2432 wrote to memory of 2468	2432	cscript.exe	37
PID 2468 wrote to memory of 1756	2468	net.exe	39
PID 2468 wrote to memory of 1756	2468	net.exe	39
PID 2468 wrote to memory of 1756	2468	net.exe	39
PID 2432 wrote to memory of 668	2432	cscript.exe	40
PID 2432 wrote to memory of 668	2432	cscript.exe	40
PID 2432 wrote to memory of 668	2432	cscript.exe	40
PID 668 wrote to memory of 1200	668	csc.exe	41
PID 668 wrote to memory of 1200	668	csc.exe	41
PID 668 wrote to memory of 1200	668	csc.exe	41
PID 2432 wrote to memory of 2752	2432	cscript.exe	43
PID 2432 wrote to memory of 2752	2432	cscript.exe	43
PID 2432 wrote to memory of 2752	2432	cscript.exe	43
PID 2432 wrote to memory of 1752	2432	cscript.exe	45
PID 2432 wrote to memory of 1752	2432	cscript.exe	45
PID 2432 wrote to memory of 1752	2432	cscript.exe	45
PID 2432 wrote to memory of 2492	2432	cscript.exe	46
PID 2432 wrote to memory of 2492	2432	cscript.exe	46
PID 2432 wrote to memory of 2492	2432	cscript.exe	46
PID 2432 wrote to memory of 2360	2432	cscript.exe	49
PID 2432 wrote to memory of 2360	2432	cscript.exe	49
PID 2432 wrote to memory of 2360	2432	cscript.exe	49
PID 2432 wrote to memory of 2024	2432	cscript.exe	51
PID 2432 wrote to memory of 2024	2432	cscript.exe	51
PID 2432 wrote to memory of 2024	2432	cscript.exe	51
PID 2432 wrote to memory of 1324	2432	cscript.exe	53
PID 2432 wrote to memory of 1324	2432	cscript.exe	53
PID 2432 wrote to memory of 1324	2432	cscript.exe	53
PID 2432 wrote to memory of 340	2432	cscript.exe	55
PID 2432 wrote to memory of 340	2432	cscript.exe	55
PID 2432 wrote to memory of 340	2432	cscript.exe	55
PID 2432 wrote to memory of 1604	2432	cscript.exe	56
PID 2432 wrote to memory of 1604	2432	cscript.exe	56
PID 2432 wrote to memory of 1604	2432	cscript.exe	56
PID 2432 wrote to memory of 800	2432	cscript.exe	57
PID 2432 wrote to memory of 800	2432	cscript.exe	57
PID 2432 wrote to memory of 800	2432	cscript.exe	57
PID 2432 wrote to memory of 1748	2432	cscript.exe	59
PID 2432 wrote to memory of 1748	2432	cscript.exe	59
PID 2432 wrote to memory of 1748	2432	cscript.exe	59
PID 2432 wrote to memory of 1548	2432	cscript.exe	66
PID 2432 wrote to memory of 1548	2432	cscript.exe	66
PID 2432 wrote to memory of 1548	2432	cscript.exe	66
PID 2432 wrote to memory of 516	2432	cscript.exe	67

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	cscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\bd248041ccc9f9404d133ca7637a36de_JaffaCakes118.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2512
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\bd248041ccc9f9404d133ca7637a36de_JaffaCakes118.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\System32\net.exe
    "C:\Windows\System32\net.exe" session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:2288
- - C:\Windows\System32\cscript.exe
    "C:\Windows\System32\cscript.exe" -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58} C:\Users\Admin\AppData\Local\Temp\bd248041ccc9f9404d133ca7637a36de_JaffaCakes118.js
    3⤵
    - Blocklisted process makes network request
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2432
  - - C:\Windows\System32\net.exe
      "C:\Windows\System32\net.exe" session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:1756
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mszmcn0e\mszmcn0e.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:668
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72C0.tmp" "c:\Users\Admin\AppData\Local\Temp\mszmcn0e\CSCA9C0F2E986D94B93887D2459463E17DC.TMP"
        5⤵
        
        PID:1200
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM Raccine.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2752
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /F /IM RaccineSettings.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1752
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /DELETE /TN "Raccine Rules Updater" /F
      4⤵
      PID:2492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-CimInstance Win32_ShadowCopy | Remove-CimInstance
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2360
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config SQLTELEMETRY start= disabled
      4⤵
      Launches sc.exe
      PID:2024
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      4⤵
      Launches sc.exe
      PID:1324
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config SQLWriter start= disabled
      4⤵
      Launches sc.exe
      PID:340
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config SstpSvc start= disabled
      4⤵
      Launches sc.exe
      PID:1604
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config MBAMService start= disabled
      4⤵
      Launches sc.exe
      PID:800
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config wuauserv start= disabled
      4⤵
      Launches sc.exe
      PID:1748
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
      4⤵
      PID:1548
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c rd /s /q D:\\$Recycle.bin
      4⤵
      PID:516
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config Dnscache start= auto
      4⤵
      Launches sc.exe
      PID:2392
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config fdPHost start= auto
      4⤵
      Launches sc.exe
      PID:1456
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config FDResPub start= auto
      4⤵
      Launches sc.exe
      PID:2940
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config SSDPSRV start= auto
      4⤵
      Launches sc.exe
      PID:1600
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config upnphost start= auto
      4⤵
      Launches sc.exe
      PID:2588
  - - C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config RemoteRegistry start= auto
      4⤵
      Launches sc.exe
      PID:1176
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="Network Discovery" new enable=Yes
      4⤵
      Modifies Windows Firewall
      PID:2804
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
      4⤵
      Modifies Windows Firewall
      PID:2468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:852
  - - C:\Windows\System32\mountvol.exe
      "mountvol.exe"
      4⤵
      PID:2120
  - - C:\Windows\System32\mountvol.exe
      "C:\Windows\System32\mountvol.exe" A: \\?\Volume{27f24444-d10e-11ee-ac7b-806e6f6e6963}\
      4⤵
      Enumerates connected drives
      PID:1200
  - - C:\Windows\System32\mountvol.exe
      "C:\Windows\System32\mountvol.exe" B: \\?\Volume{f8244c01-d0cf-11ee-aeaa-5a791e92bc44}\
      4⤵
      Enumerates connected drives
      PID:268
  - - C:\Windows\System32\mountvol.exe
      "C:\Windows\System32\mountvol.exe" E: \\?\Volume{27f24443-d10e-11ee-ac7b-806e6f6e6963}\
      4⤵
      Enumerates connected drives
      PID:1452
  - - C:\Windows\System32\mountvol.exe
      "C:\Windows\System32\mountvol.exe" G: \\?\Volume{27f24447-d10e-11ee-ac7b-806e6f6e6963}\
      4⤵
      Enumerates connected drives
      PID:1464
  - - C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:*" /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:2172
  - - C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "D:*" /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:1096
  - - C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "Z:*" /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:1568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k regsvc
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES72C0.tmp

Filesize
1KB

MD5
ea85fa99e7ebcb69a653cc511971a4c8

SHA1
4737f0f184339fd8d9e672f9f674c63727a3541a

SHA256
c437ffab0eddef7a7976549aa498ade920b8ff2de9b29382303cf5d2c398df5a

SHA512
8aa37e17c188d13d3e1c7910d1c3eaa2c210679a1123fdfab88c614eccd41b06dac49720fd64c37a0ab230a74163b2588dd021c89f927cadfa6c6e509c5829b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mszmcn0e\mszmcn0e.dll

Filesize
3KB

MD5
2ff38a7e2243e63fc61c6ce9882952be

SHA1
4ef6b8f03b6a2654708dada3cc87f3f9fe1c2366

SHA256
eeca96532e83460f2237a213dcfb53d1a7f5eda09c0660d3ae6df141f0c5e49d

SHA512
a9e4e8d7ce0b0805721c0b34a6b5c2fb262ff0050962b08d52447298bf09df3b2baa35598399f4e5dc488b23bd8de6849fcf7d322c28fa23113699e3a732b74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1e92bf185393abb8157bfa8b936d5b13

SHA1
c529d4a7b9f7f50a679ca7e253027f805110f1f6

SHA256
2d27e96c16ecce46829e35c0af242d53c4418828e2a861634c4393b462d4ac01

SHA512
e6b50e086a13eca2aa83f9a45a449437656b463182c39070a92837dd30dfd60e1a5a3f6365073c502d32030e9149f792b59e9b152b49b42e1020670f0399a0ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Google.url

Filesize
107B

MD5
32d749003710359c2e1be1fab2101fbe

SHA1
db69bf8f9c024a4da418ecb28e0be18eda17aa26

SHA256
cf9c5b11bf1dca19434f5e3271375ee48a55e570195c556fd19bf5731954ed05

SHA512
63944d18a2b9f8c8e8ba125b7a19326d351e0afecf20a4c6ae0bbdf18a870fde07acc240e2735a6d91a7fc45d072929680c037364d720dc9985e071281e8ed5e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mszmcn0e\CSCA9C0F2E986D94B93887D2459463E17DC.TMP

Filesize
652B

MD5
af659691161b8c68264bbaed69530883

SHA1
08e319f438650102ddc915f0592d7f5a2f34174a

SHA256
ab596d5f7c0bdc9d832662f4778c66e53cf1a4f29526705717bc4017beb0ce76

SHA512
566990a3ee02a014679f7b1a50a4f70e27d97739e10e2643424f3e157653d8f134b7d1057b65fad905cef97cdcc4a28feb3595295b6c92ddbf9b6fe9727cfdec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mszmcn0e\mszmcn0e.0.cs

Filesize
236B

MD5
42be26b2c8233637da81de8e467fdea3

SHA1
73b478db569ba802315ce03153d6633550ac930a

SHA256
45dc235fed868d5710f0b37d699a2d35e22f727ea8eeb3175b5092d77aeb8ffd

SHA512
b07ca5b11de52f775e87305f4cac53b6c1c269bd7ed4c939c2affde42ed4407a46b47cbe2fe659b83105cdf8a0eeada2d3487cea07f465b52234f8dab60cc29a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mszmcn0e\mszmcn0e.cmdline

Filesize
667B

MD5
5729b7df8aa4cc8488ffbfdce22416d4

SHA1
2e6e3b548b239b32288b32e8b77249a4386d30e3

SHA256
38576991f221a1323241ffec2212d3514ae35dba29fbb7b82f62058e4b44ef2e

SHA512
975cbf448dd41353ac16dfb1d8392c9643bf9e1d804daddb0a4b3b5754121c5e9571c8751ad6b7745d4c1fb19979df90b4ceba0438e92d457cda1e2f4214c9fe

Download Submit
memory/852-51-0x000000001AD30000-0x000000001B012000-memory.dmp

Filesize
2.9MB

Download
memory/852-49-0x0000000002500000-0x0000000002534000-memory.dmp

Filesize
208KB

Download
memory/852-60-0x000007FEF4CF0000-0x000007FEF56DC000-memory.dmp

Filesize
9.9MB

Download
memory/852-59-0x0000000002560000-0x0000000002576000-memory.dmp

Filesize
88KB

Download
memory/852-58-0x000000001AB10000-0x000000001AB5A000-memory.dmp

Filesize
296KB

Download
memory/852-57-0x000000001B300000-0x000000001B3A6000-memory.dmp

Filesize
664KB

Download
memory/852-55-0x0000000002620000-0x00000000026A0000-memory.dmp

Filesize
512KB

Download
memory/852-56-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/852-53-0x000007FEF4CF0000-0x000007FEF56DC000-memory.dmp

Filesize
9.9MB

Download
memory/852-54-0x0000000002860000-0x00000000028A8000-memory.dmp

Filesize
288KB

Download
memory/852-52-0x0000000002540000-0x000000000255C000-memory.dmp

Filesize
112KB

Download
memory/2360-35-0x00000000026C0000-0x00000000026DC000-memory.dmp

Filesize
112KB

Download
memory/2360-34-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2360-40-0x0000000002810000-0x0000000002826000-memory.dmp

Filesize
88KB

Download
memory/2360-41-0x000007FEF4CF0000-0x000007FEF56DC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-30-0x00000000023E0000-0x0000000002414000-memory.dmp

Filesize
208KB

Download
memory/2360-31-0x000007FEF4CF0000-0x000007FEF56DC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-33-0x000000001AD70000-0x000000001B052000-memory.dmp

Filesize
2.9MB

Download
memory/2360-38-0x0000000002BD0000-0x0000000002C76000-memory.dmp

Filesize
664KB

Download
memory/2360-32-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2360-37-0x0000000002630000-0x0000000002638000-memory.dmp

Filesize
32KB

Download
memory/2360-39-0x00000000027C0000-0x000000000280A000-memory.dmp

Filesize
296KB

Download
memory/2360-36-0x00000000026E0000-0x0000000002728000-memory.dmp

Filesize
288KB

Download
memory/2432-23-0x0000000003E70000-0x0000000003E78000-memory.dmp

Filesize
32KB

Download
memory/2432-50-0x000000001E520000-0x000000001E5A0000-memory.dmp

Filesize
512KB

Download
memory/2432-8-0x000007FEF4CF0000-0x000007FEF56DC000-memory.dmp

Filesize
9.9MB

Download
memory/2432-9-0x0000000004D70000-0x0000000004DB8000-memory.dmp

Filesize
288KB

Download
memory/2432-10-0x000000001E520000-0x000000001E5A0000-memory.dmp

Filesize
512KB

Download
memory/2432-42-0x000007FEF4CF0000-0x000007FEF56DC000-memory.dmp

Filesize
9.9MB

Download
memory/2432-25-0x0000000005110000-0x0000000005172000-memory.dmp

Filesize
392KB

Download
memory/2432-62-0x000007FEF4CF0000-0x000007FEF56DC000-memory.dmp

Filesize
9.9MB

Download