r77 | 95c3212ceba92fcd3603232f23b6748bd24bc2575ee1047170ac0d1ca44fcd13

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe
Size

36KB
MD5

f25897326beee04afba384bc50e0c35b
SHA1

5085a4d48444be7f4a7ec1dd4f4810d3ce5869cb
SHA256

95c3212ceba92fcd3603232f23b6748bd24bc2575ee1047170ac0d1ca44fcd13
SHA512

85def6bc6209971cf42efac5f62112a086e9f85b15a49142d335eb6093ded27962a952bf03801ee09a210bad45d7a008202031b135ff02770ee715708a7d56e0
SSDEEP

768:Qi/8POyOVXow3UVnnK9Fi9k13ebvMSPIl1C3T:QNPlOVXow3UVnKKOMb0PU3T

Score

10^/10

r77 evasion persistence rootkit

Malware Config

Signatures

r77
r77 is an open-source, userland rootkit.
rootkit r77

r77 rootkit payload 2 IoCs

Detects the payload of the r77 rootkit.

Processes:

resource	yara_rule
C:\System\r77-x64.dll	r77_payload
C:\System\r77-x86.dll	r77_payload

Downloads MZ/PE file
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3404 netsh.exe

pid	process
3404	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

$77-System.exef25897326beee04afba384bc50e0c35b_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	$77-System.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

$77-System.exe

pid process

2636 $77-System.exe
Loads dropped DLL 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exenetsh.exe

pid process

4688
3108 powershell.exe
3572
556 powershell.exe
5012
3932 powershell.exe
3196
3008 powershell.exe
4936
3484
2452
3696
3056
2280
3404 netsh.exe

pid	process
2636	$77-System.exe

pid	process
4688
3108	powershell.exe
3572
556	powershell.exe
5012
3932	powershell.exe
3196
3008	powershell.exe
4936
3484
2452
3696
3056
2280
3404	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77-System = "\\System\\$77-System.exe"	f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77-System = "\\System\\$77-System.exe"	f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

33 raw.githubusercontent.com
37 raw.githubusercontent.com
53 discord.com
54 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
33	raw.githubusercontent.com
37	raw.githubusercontent.com
53	discord.com
54	discord.com

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

powershell.exe$77-System.exepowershell.exepowershell.exepowershell.exenetsh.exe

pid	process
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
556	powershell.exe
556	powershell.exe
556	powershell.exe
556	powershell.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
2636	$77-System.exe
3404	netsh.exe
3404	netsh.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

powershell.exe$77-System.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	2636	$77-System.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: 33	2636	$77-System.exe
Token: SeIncBasePriorityPrivilege	2636	$77-System.exe
Token: 33	2636	$77-System.exe
Token: SeIncBasePriorityPrivilege	2636	$77-System.exe
Token: 33	2636	$77-System.exe
Token: SeIncBasePriorityPrivilege	2636	$77-System.exe
Token: 33	2636	$77-System.exe
Token: SeIncBasePriorityPrivilege	2636	$77-System.exe
Token: 33	2636	$77-System.exe
Token: SeIncBasePriorityPrivilege	2636	$77-System.exe
Token: 33	2636	$77-System.exe
Token: SeIncBasePriorityPrivilege	2636	$77-System.exe
Token: 33	2636	$77-System.exe
Token: SeIncBasePriorityPrivilege	2636	$77-System.exe
Token: 33	2636	$77-System.exe
Token: SeIncBasePriorityPrivilege	2636	$77-System.exe
Token: 33	2636	$77-System.exe
Token: SeIncBasePriorityPrivilege	2636	$77-System.exe
Token: 33	2636	$77-System.exe
Token: SeIncBasePriorityPrivilege	2636	$77-System.exe
Token: 33	2636	$77-System.exe
Token: SeIncBasePriorityPrivilege	2636	$77-System.exe
Token: 33	2636	$77-System.exe
Token: SeIncBasePriorityPrivilege	2636	$77-System.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe$77-System.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3416 wrote to memory of 2636	3416	f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe	$77-System.exe
PID 3416 wrote to memory of 2636	3416	f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe	$77-System.exe
PID 2636 wrote to memory of 2604	2636	$77-System.exe	cmd.exe
PID 2636 wrote to memory of 2604	2636	$77-System.exe	cmd.exe
PID 2604 wrote to memory of 3108	2604	cmd.exe	powershell.exe
PID 2604 wrote to memory of 3108	2604	cmd.exe	powershell.exe
PID 2636 wrote to memory of 5096	2636	$77-System.exe	cmd.exe
PID 2636 wrote to memory of 5096	2636	$77-System.exe	cmd.exe
PID 5096 wrote to memory of 556	5096	cmd.exe	powershell.exe
PID 5096 wrote to memory of 556	5096	cmd.exe	powershell.exe
PID 2636 wrote to memory of 3528	2636	$77-System.exe	cmd.exe
PID 2636 wrote to memory of 3528	2636	$77-System.exe	cmd.exe
PID 3528 wrote to memory of 3932	3528	cmd.exe	powershell.exe
PID 3528 wrote to memory of 3932	3528	cmd.exe	powershell.exe
PID 2636 wrote to memory of 4236	2636	$77-System.exe	cmd.exe
PID 2636 wrote to memory of 4236	2636	$77-System.exe	cmd.exe
PID 4236 wrote to memory of 3008	4236	cmd.exe	powershell.exe
PID 4236 wrote to memory of 3008	4236	cmd.exe	powershell.exe
PID 2636 wrote to memory of 624	2636	$77-System.exe	cmd.exe
PID 2636 wrote to memory of 624	2636	$77-System.exe	cmd.exe
PID 624 wrote to memory of 4212	624	cmd.exe	attrib.exe
PID 624 wrote to memory of 4212	624	cmd.exe	attrib.exe
PID 2636 wrote to memory of 428	2636	$77-System.exe	cmd.exe
PID 2636 wrote to memory of 428	2636	$77-System.exe	cmd.exe
PID 428 wrote to memory of 3964	428	cmd.exe	attrib.exe
PID 428 wrote to memory of 3964	428	cmd.exe	attrib.exe
PID 2636 wrote to memory of 4024	2636	$77-System.exe	cmd.exe
PID 2636 wrote to memory of 4024	2636	$77-System.exe	cmd.exe
PID 4024 wrote to memory of 4244	4024	cmd.exe	attrib.exe
PID 4024 wrote to memory of 4244	4024	cmd.exe	attrib.exe
PID 2636 wrote to memory of 3304	2636	$77-System.exe	cmd.exe
PID 2636 wrote to memory of 3304	2636	$77-System.exe	cmd.exe
PID 3304 wrote to memory of 4876	3304	cmd.exe	attrib.exe
PID 3304 wrote to memory of 4876	3304	cmd.exe	attrib.exe
PID 2636 wrote to memory of 2352	2636	$77-System.exe	cmd.exe
PID 2636 wrote to memory of 2352	2636	$77-System.exe	cmd.exe
PID 2352 wrote to memory of 2804	2352	cmd.exe	attrib.exe
PID 2352 wrote to memory of 2804	2352	cmd.exe	attrib.exe
PID 2636 wrote to memory of 3404	2636	$77-System.exe	netsh.exe
PID 2636 wrote to memory of 3404	2636	$77-System.exe	netsh.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

4876 attrib.exe
2804 attrib.exe
4212 attrib.exe
3964 attrib.exe
4244 attrib.exe

pid	process
4876	attrib.exe
2804	attrib.exe
4212	attrib.exe
3964	attrib.exe
4244	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f25897326beee04afba384bc50e0c35b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3416
- C:\System\$77-System.exe
  "C:\System\$77-System.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System'
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3108
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System.exe'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System.exe'
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:556
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System\r77-x64.dll'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System\r77-x64.dll'
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3932
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System\r77-x86.dll'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath '\System\r77-x86.dll'
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3008
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c attrib +h +r +s "\System"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\system32\attrib.exe
      attrib +h +r +s "\System"
      4⤵
      Views/modifies file attributes
      PID:4212
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c attrib +h +r +s "\System\$77-System.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\system32\attrib.exe
      attrib +h +r +s "\System\$77-System.exe"
      4⤵
      Views/modifies file attributes
      PID:3964
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\system32\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System.exe"
      4⤵
      Views/modifies file attributes
      PID:4244
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c attrib +h +r +s "\System\r77-x64.dll"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Windows\system32\attrib.exe
      attrib +h +r +s "\System\r77-x64.dll"
      4⤵
      Views/modifies file attributes
      PID:4876
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c attrib +h +r +s "\System\r77-x86.dll"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Windows\system32\attrib.exe
      attrib +h +r +s "\System\r77-x86.dll"
      4⤵
      Views/modifies file attributes
      PID:2804
- - C:\Windows\SYSTEM32\netsh.exe
    netsh firewall delete allowedprogram "C:\System\$77-System.exe"
    3⤵
    - Modifies Windows Firewall
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\System\$77-System.exe

Filesize
36KB

MD5
f25897326beee04afba384bc50e0c35b

SHA1
5085a4d48444be7f4a7ec1dd4f4810d3ce5869cb

SHA256
95c3212ceba92fcd3603232f23b6748bd24bc2575ee1047170ac0d1ca44fcd13

SHA512
85def6bc6209971cf42efac5f62112a086e9f85b15a49142d335eb6093ded27962a952bf03801ee09a210bad45d7a008202031b135ff02770ee715708a7d56e0

Download Submit
C:\System\r77-x64.dll

Filesize
147KB

MD5
1b8bd653321cf3cbc786e563555fbc75

SHA1
5638efe0476c8c1b74c6604db419be814d1d90a0

SHA256
919a332e85d7c32a6f0a1bdd15b211b8b273b73fe05a553ea0f230a0958586c7

SHA512
bafdbc8413828c5427983fa0e9403a2d9a88d0ad2f27f92842310852d273f2d2c9a0c6f9f64e1aac03fadf49f9a3bcf58c6b7c8b06debcce46536114cde0175b

Download Submit
C:\System\r77-x86.dll

Filesize
114KB

MD5
4a35aaf2d4ab47f5ea6f75d2de75c831

SHA1
007676d2097defe7f793f9fb1ffe2f48c0c94ac0

SHA256
173f74176d13c235d744f9e32d658f6301a6b1aa81a014060ba763b55e516fe3

SHA512
b933b208b761260217462c5b27a6e00583c564d2def2f80fca140a2fe054cbd61bae483b9bb282fab0f23eda3f775bcc76a204f16884150b7f100f9c0bb5fc93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rpisu0ks.klq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/556-87-0x00007FF8A45D0000-0x00007FF8A47C5000-memory.dmp

Filesize
2.0MB

Download
memory/556-72-0x00007FF8A45D0000-0x00007FF8A47C5000-memory.dmp

Filesize
2.0MB

Download
memory/556-84-0x0000023EE1950000-0x0000023EE1960000-memory.dmp

Filesize
64KB

Download
memory/556-79-0x00007FF886400000-0x00007FF886EC1000-memory.dmp

Filesize
10.8MB

Download
memory/556-73-0x00007FF8A45D0000-0x00007FF8A47C5000-memory.dmp

Filesize
2.0MB

Download
memory/556-88-0x00007FF886400000-0x00007FF886EC1000-memory.dmp

Filesize
10.8MB

Download
memory/2636-121-0x000000001BFC0000-0x000000001BFD0000-memory.dmp

Filesize
64KB

Download
memory/2636-89-0x00007FF886400000-0x00007FF886EC1000-memory.dmp

Filesize
10.8MB

Download
memory/2636-15-0x00007FF886400000-0x00007FF886EC1000-memory.dmp

Filesize
10.8MB

Download
memory/2636-68-0x000000001BFC0000-0x000000001BFD0000-memory.dmp

Filesize
64KB

Download
memory/3008-112-0x00007FF8A45D0000-0x00007FF8A47C5000-memory.dmp

Filesize
2.0MB

Download
memory/3008-128-0x00007FF886400000-0x00007FF886EC1000-memory.dmp

Filesize
10.8MB

Download
memory/3008-127-0x00007FF8A45D0000-0x00007FF8A47C5000-memory.dmp

Filesize
2.0MB

Download
memory/3008-116-0x00007FF886400000-0x00007FF886EC1000-memory.dmp

Filesize
10.8MB

Download
memory/3008-113-0x00007FF8A45D0000-0x00007FF8A47C5000-memory.dmp

Filesize
2.0MB

Download
memory/3108-60-0x000001A2A7090000-0x000001A2A70B2000-memory.dmp

Filesize
136KB

Download
memory/3108-61-0x00007FF886400000-0x00007FF886EC1000-memory.dmp

Filesize
10.8MB

Download
memory/3108-66-0x00007FF8A45D0000-0x00007FF8A47C5000-memory.dmp

Filesize
2.0MB

Download
memory/3108-62-0x000001A2BF650000-0x000001A2BF660000-memory.dmp

Filesize
64KB

Download
memory/3108-50-0x00007FF8A45C0000-0x00007FF8A45C1000-memory.dmp

Filesize
4KB

Download
memory/3108-49-0x00007FF8A45D0000-0x00007FF8A47C5000-memory.dmp

Filesize
2.0MB

Download
memory/3108-67-0x00007FF886400000-0x00007FF886EC1000-memory.dmp

Filesize
10.8MB

Download
memory/3108-48-0x00007FF8A45D0000-0x00007FF8A47C5000-memory.dmp

Filesize
2.0MB

Download
memory/3108-63-0x000001A2BF650000-0x000001A2BF660000-memory.dmp

Filesize
64KB

Download
memory/3404-139-0x00007FF8A45D0000-0x00007FF8A47C5000-memory.dmp

Filesize
2.0MB

Download
memory/3404-138-0x00007FF8A45D0000-0x00007FF8A47C5000-memory.dmp

Filesize
2.0MB

Download
memory/3404-140-0x00007FF8A45C0000-0x00007FF8A45C1000-memory.dmp

Filesize
4KB

Download
memory/3404-141-0x00007FF8A45D0000-0x00007FF8A47C5000-memory.dmp

Filesize
2.0MB

Download
memory/3416-1-0x00007FF886400000-0x00007FF886EC1000-memory.dmp

Filesize
10.8MB

Download
memory/3416-14-0x00007FF886400000-0x00007FF886EC1000-memory.dmp

Filesize
10.8MB

Download
memory/3416-0-0x0000000000F30000-0x0000000000F40000-memory.dmp

Filesize
64KB

Download
memory/3932-94-0x00000229581A0000-0x00000229581B0000-memory.dmp

Filesize
64KB

Download
memory/3932-109-0x00007FF8A45D0000-0x00007FF8A47C5000-memory.dmp

Filesize
2.0MB

Download
memory/3932-108-0x00007FF886400000-0x00007FF886EC1000-memory.dmp

Filesize
10.8MB

Download
memory/3932-106-0x00007FF886400000-0x00007FF886EC1000-memory.dmp

Filesize
10.8MB

Download
memory/3932-95-0x00000229581A0000-0x00000229581B0000-memory.dmp

Filesize
64KB

Download
memory/3932-93-0x00007FF8A45D0000-0x00007FF8A47C5000-memory.dmp

Filesize
2.0MB

Download
memory/3932-92-0x00007FF8A45D0000-0x00007FF8A47C5000-memory.dmp

Filesize
2.0MB

Download