b5a3849571b0cc3ea9b516c3356e3395be395fa24221a33b1b03ce8dd95fe606

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 02:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
Size

184KB
MD5

904f09df15ac0e3ca394b60a2548e24e
SHA1

bb1a34b52ec026d2e093d58ec67ca110c5189409
SHA256

b5a3849571b0cc3ea9b516c3356e3395be395fa24221a33b1b03ce8dd95fe606
SHA512

2802491b5006fee39e1cb3be4d9a84c392e31efd969ecf026e7a3d713c1ec561472600ad24be5e0e8e7f37d162bdbdfffd65f184cf1e55637dd17627edb7b52e
SSDEEP

3072:H/IBtQnE7OhssdWJ5jy392aCmCbBqww0FaF9TkosuwXSM78sfN4usfsdiUAvvzX:Kqvhssdu5jyYaCmCQmFaFqosOsfN4uLM

Score

9^/10

defense_evasion execution impact persistence ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Deletes itself 1 IoCs

pid	Process
2740	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2208	xiibt.exe
3064	xiibt.exe

Loads dropped DLL 3 IoCs

pid	Process
3052	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
3052	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
2208	xiibt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\{6D5C5238-FC7C-EEAD-388F-C1E400820853} = "C:\\Users\\Admin\\AppData\\Roaming\\Naand\\xiibt.exe"	Dwm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 33 IoCs

pid	Process
1120	taskhost.exe
1120	taskhost.exe
1120	taskhost.exe
1120	taskhost.exe
1176	Dwm.exe
1176	Dwm.exe
1176	Dwm.exe
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
860	DllHost.exe
860	DllHost.exe
860	DllHost.exe
3064	xiibt.exe
3064	xiibt.exe
3064	xiibt.exe
3064	xiibt.exe
1596	DllHost.exe
1596	DllHost.exe
1596	DllHost.exe
1924	DllHost.exe
1924	DllHost.exe
1924	DllHost.exe
3032	DllHost.exe
3032	DllHost.exe
3032	DllHost.exe
2168	DllHost.exe
2168	DllHost.exe
2168	DllHost.exe
1292	DllHost.exe
1292	DllHost.exe
1292	DllHost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1444 set thread context of 3052	1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	28
PID 2208 set thread context of 3064	2208	xiibt.exe	31

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2780	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
2208	xiibt.exe
3064	xiibt.exe
3064	xiibt.exe
1176	Dwm.exe
1176	Dwm.exe
1176	Dwm.exe
1176	Dwm.exe
1176	Dwm.exe
1176	Dwm.exe
1176	Dwm.exe
1176	Dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1072	DllHost.exe
Token: SeBackupPrivilege	1920	vssvc.exe
Token: SeRestorePrivilege	1920	vssvc.exe
Token: SeAuditPrivilege	1920	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2564	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 3052	1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	28
PID 1444 wrote to memory of 3052	1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	28
PID 1444 wrote to memory of 3052	1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	28
PID 1444 wrote to memory of 3052	1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	28
PID 1444 wrote to memory of 3052	1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	28
PID 1444 wrote to memory of 3052	1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	28
PID 1444 wrote to memory of 3052	1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	28
PID 1444 wrote to memory of 3052	1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	28
PID 1444 wrote to memory of 3052	1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	28
PID 1444 wrote to memory of 3052	1444	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	28
PID 3052 wrote to memory of 2208	3052	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	29
PID 3052 wrote to memory of 2208	3052	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	29
PID 3052 wrote to memory of 2208	3052	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	29
PID 3052 wrote to memory of 2208	3052	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	29
PID 3052 wrote to memory of 2740	3052	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2740	3052	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2740	3052	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	30
PID 3052 wrote to memory of 2740	3052	904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe	30
PID 2208 wrote to memory of 3064	2208	xiibt.exe	31
PID 2208 wrote to memory of 3064	2208	xiibt.exe	31
PID 2208 wrote to memory of 3064	2208	xiibt.exe	31
PID 2208 wrote to memory of 3064	2208	xiibt.exe	31
PID 2208 wrote to memory of 3064	2208	xiibt.exe	31
PID 2208 wrote to memory of 3064	2208	xiibt.exe	31
PID 2208 wrote to memory of 3064	2208	xiibt.exe	31
PID 2208 wrote to memory of 3064	2208	xiibt.exe	31
PID 2208 wrote to memory of 3064	2208	xiibt.exe	31
PID 2208 wrote to memory of 3064	2208	xiibt.exe	31
PID 3064 wrote to memory of 1120	3064	xiibt.exe	19
PID 3064 wrote to memory of 1120	3064	xiibt.exe	19
PID 3064 wrote to memory of 1120	3064	xiibt.exe	19
PID 3064 wrote to memory of 1176	3064	xiibt.exe	20
PID 3064 wrote to memory of 1176	3064	xiibt.exe	20
PID 3064 wrote to memory of 1176	3064	xiibt.exe	20
PID 3064 wrote to memory of 1248	3064	xiibt.exe	21
PID 3064 wrote to memory of 1248	3064	xiibt.exe	21
PID 3064 wrote to memory of 1248	3064	xiibt.exe	21
PID 3064 wrote to memory of 1072	3064	xiibt.exe	23
PID 3064 wrote to memory of 1072	3064	xiibt.exe	23
PID 3064 wrote to memory of 1072	3064	xiibt.exe	23
PID 3064 wrote to memory of 2564	3064	xiibt.exe	32
PID 3064 wrote to memory of 2564	3064	xiibt.exe	32
PID 3064 wrote to memory of 2564	3064	xiibt.exe	32
PID 1120 wrote to memory of 2780	1120	taskhost.exe	33
PID 1120 wrote to memory of 2780	1120	taskhost.exe	33
PID 1120 wrote to memory of 2780	1120	taskhost.exe	33
PID 1176 wrote to memory of 3064	1176	Dwm.exe	31
PID 1176 wrote to memory of 3064	1176	Dwm.exe	31
PID 1176 wrote to memory of 3064	1176	Dwm.exe	31
PID 1176 wrote to memory of 860	1176	Dwm.exe	37
PID 1176 wrote to memory of 860	1176	Dwm.exe	37
PID 1176 wrote to memory of 860	1176	Dwm.exe	37
PID 1176 wrote to memory of 1596	1176	Dwm.exe	38
PID 1176 wrote to memory of 1596	1176	Dwm.exe	38
PID 1176 wrote to memory of 1596	1176	Dwm.exe	38
PID 1176 wrote to memory of 1924	1176	Dwm.exe	41
PID 1176 wrote to memory of 1924	1176	Dwm.exe	41
PID 1176 wrote to memory of 1924	1176	Dwm.exe	41
PID 1176 wrote to memory of 3032	1176	Dwm.exe	42
PID 1176 wrote to memory of 3032	1176	Dwm.exe	42
PID 1176 wrote to memory of 3032	1176	Dwm.exe	42
PID 1176 wrote to memory of 2168	1176	Dwm.exe	43
PID 1176 wrote to memory of 2168	1176	Dwm.exe	43
PID 1176 wrote to memory of 2168	1176	Dwm.exe	43

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2780

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1248
- C:\Users\Admin\AppData\Local\Temp\904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\904f09df15ac0e3ca394b60a2548e24e_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Users\Admin\AppData\Roaming\Naand\xiibt.exe
      "C:\Users\Admin\AppData\Roaming\Naand\xiibt.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Users\Admin\AppData\Roaming\Naand\xiibt.exe
        
        "C:\Users\Admin\AppData\Roaming\Naand\xiibt.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3064
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_57e56545.bat"
      4⤵
      Deletes itself
      PID:2740

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "588204049137380188917831261221671902835-2993734741587051143-26509457-1750408368"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:860

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1924

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3032

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2168

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
6bf07bdec2445820e5d7e5defa0db3ff

SHA1
4340ee485726733118c0f0b2f6dec0af45b27402

SHA256
40848459e64f747bf7df3d146cb1dc44f49fe87dc76399fab0886e2f7fcdeec2

SHA512
14083edd2fcf112f3df711f0542bf7f445bfdbb03f91ce054e23f55c6d43fa6481d7638775fb584c6b2292e8b98a7a76dd451e349796bb2eb743d741154c358f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_57e56545.bat

Filesize
272B

MD5
8c9cb5f454671566c48c8dd5fa1a525d

SHA1
f72411a7540abe4fe2780e6b59ff17aa2a910ef1

SHA256
52872d36258073a51ad8d34631c6c79a0e633315bb32047925b65c9586bc1b15

SHA512
6cfb5f8a01bba36b8b7de9f725700270962738f939d4823d2a88477d24b52352556c73269d92c6315678626f1d21e1a8bedecc4b5137d6290e1535bb4ab7e724

Download Submit
\Users\Admin\AppData\Roaming\Naand\xiibt.exe

Filesize
67KB

MD5
80b161b16474e8b16882563ab621efa7

SHA1
b11d47f719b38d97a279704c2a14f209e76a9e79

SHA256
24b46027889ec0c8686eda9eb69391017005f9384b4dd740aab99ad52a9e321f

SHA512
803c2280e896b9f27ac0bfff3a1249f8ed654c072f9a75e1dada0a21e98f9ba170761b1c6d14be0307312b6b53964ece2324a59b62f48ac09ac5a232ee6d87d8

Download Submit
memory/1072-62-0x0000000000250000-0x0000000000267000-memory.dmp

Filesize
92KB

Download
memory/1072-60-0x0000000000250000-0x0000000000267000-memory.dmp

Filesize
92KB

Download
memory/1072-75-0x0000000000250000-0x0000000000267000-memory.dmp

Filesize
92KB

Download
memory/1072-58-0x0000000000250000-0x0000000000267000-memory.dmp

Filesize
92KB

Download
memory/1120-41-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/1120-72-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/1120-35-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/1120-39-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/1120-70-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/1120-71-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/1120-37-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/1120-74-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/1120-73-0x0000000000490000-0x00000000004A7000-memory.dmp

Filesize
92KB

Download
memory/1176-46-0x00000000002C0000-0x00000000002D7000-memory.dmp

Filesize
92KB

Download
memory/1176-76-0x00000000002C0000-0x00000000002D7000-memory.dmp

Filesize
92KB

Download
memory/1176-77-0x00000000002C0000-0x00000000002D7000-memory.dmp

Filesize
92KB

Download
memory/1176-48-0x00000000002C0000-0x00000000002D7000-memory.dmp

Filesize
92KB

Download
memory/1176-44-0x00000000002C0000-0x00000000002D7000-memory.dmp

Filesize
92KB

Download
memory/1248-53-0x0000000002540000-0x0000000002557000-memory.dmp

Filesize
92KB

Download
memory/1248-55-0x0000000002540000-0x0000000002557000-memory.dmp

Filesize
92KB

Download
memory/1248-51-0x0000000002540000-0x0000000002557000-memory.dmp

Filesize
92KB

Download
memory/2208-13-0x00000000004E0000-0x000000000057F000-memory.dmp

Filesize
636KB

Download
memory/2208-15-0x0000000000660000-0x000000000078D000-memory.dmp

Filesize
1.2MB

Download
memory/2208-16-0x0000000000A50000-0x0000000000B59000-memory.dmp

Filesize
1.0MB

Download
memory/2208-12-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download
memory/2208-21-0x0000000002120000-0x0000000002137000-memory.dmp

Filesize
92KB

Download
memory/2208-14-0x0000000000240000-0x000000000025F000-memory.dmp

Filesize
124KB

Download
memory/2564-69-0x00000000001E0000-0x00000000001F7000-memory.dmp

Filesize
92KB

Download
memory/2564-67-0x00000000001E0000-0x00000000001F7000-memory.dmp

Filesize
92KB

Download
memory/2564-65-0x00000000001E0000-0x00000000001F7000-memory.dmp

Filesize
92KB

Download
memory/3052-19-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3052-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3052-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3052-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3064-27-0x00000000004F0000-0x000000000058F000-memory.dmp

Filesize
636KB

Download
memory/3064-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3064-30-0x00000000007A0000-0x0000000000811000-memory.dmp

Filesize
452KB

Download
memory/3064-29-0x0000000000670000-0x000000000079D000-memory.dmp

Filesize
1.2MB

Download
memory/3064-28-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/3064-26-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/3064-32-0x0000000002130000-0x0000000002239000-memory.dmp

Filesize
1.0MB

Download
memory/3064-33-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3064-34-0x0000000003BD0000-0x0000000003BE7000-memory.dmp

Filesize
92KB

Download
memory/3064-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3064-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download