5c2e9058fe49f3581203de4f335fdfd6314f5680692dbccf290d6ef594db9847

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5c2e9058fe49f3581203de4f335fdfd6314f5680692dbccf290d6ef594db9847.ps1
Size

7.7MB
MD5

aa2034838226e4fa458cb479330d3df1
SHA1

5d17be875fcb82a808c5314c20a27f221b787c48
SHA256

5c2e9058fe49f3581203de4f335fdfd6314f5680692dbccf290d6ef594db9847
SHA512

01d80e3c1e65881882ca47c7967eb78613aa50de1cb0869545206410d1edab6b15de389f2f4372a3351395692e792a5c7c6cc002db1ce0f12d49da905c998946
SSDEEP

24576:cfn0m/OPb9o/Ha4KZZQLFq487s/0H+VXQ5qDrtj6Bnoi4LD2/Qy4IyQr+KJn04vk:Y

Score

10^/10

evasion execution trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://onedrive.live.com/Download?cid=8BDBA39CCF6B0487&resid=8BDBA39CCF6B0487%21115&authkey=AKzKYXDKF87dXao

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2380	powershell.exe
3060	powershell.exe
3032	powershell.exe
1496	powershell.exe
568	powershell.exe
2976	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
448	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2380	powershell.exe
2380	powershell.exe
2380	powershell.exe
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe
3032	powershell.exe
1496	powershell.exe
568	powershell.exe
2976	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	448	taskkill.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2984	2380	powershell.exe	32
PID 2380 wrote to memory of 2984	2380	powershell.exe	32
PID 2380 wrote to memory of 2984	2380	powershell.exe	32
PID 2984 wrote to memory of 3060	2984	WScript.exe	33
PID 2984 wrote to memory of 3060	2984	WScript.exe	33
PID 2984 wrote to memory of 3060	2984	WScript.exe	33
PID 3060 wrote to memory of 1936	3060	powershell.exe	35
PID 3060 wrote to memory of 1936	3060	powershell.exe	35
PID 3060 wrote to memory of 1936	3060	powershell.exe	35
PID 3060 wrote to memory of 2736	3060	powershell.exe	36
PID 3060 wrote to memory of 2736	3060	powershell.exe	36
PID 3060 wrote to memory of 2736	3060	powershell.exe	36
PID 1936 wrote to memory of 2944	1936	WScript.exe	37
PID 1936 wrote to memory of 2944	1936	WScript.exe	37
PID 1936 wrote to memory of 2944	1936	WScript.exe	37
PID 2944 wrote to memory of 3032	2944	cmd.exe	39
PID 2944 wrote to memory of 3032	2944	cmd.exe	39
PID 2944 wrote to memory of 3032	2944	cmd.exe	39
PID 3032 wrote to memory of 3056	3032	powershell.exe	40
PID 3032 wrote to memory of 3056	3032	powershell.exe	40
PID 3032 wrote to memory of 3056	3032	powershell.exe	40
PID 2940 wrote to memory of 2044	2940	mshta.exe	43
PID 2940 wrote to memory of 2044	2940	mshta.exe	43
PID 2940 wrote to memory of 2044	2940	mshta.exe	43
PID 2044 wrote to memory of 1980	2044	cmd.exe	45
PID 2044 wrote to memory of 1980	2044	cmd.exe	45
PID 2044 wrote to memory of 1980	2044	cmd.exe	45
PID 1980 wrote to memory of 2004	1980	WScript.exe	46
PID 1980 wrote to memory of 2004	1980	WScript.exe	46
PID 1980 wrote to memory of 2004	1980	WScript.exe	46
PID 2004 wrote to memory of 1496	2004	cmd.exe	49
PID 2004 wrote to memory of 1496	2004	cmd.exe	49
PID 2004 wrote to memory of 1496	2004	cmd.exe	49
PID 1908 wrote to memory of 448	1908	mshta.exe	50
PID 1908 wrote to memory of 448	1908	mshta.exe	50
PID 1908 wrote to memory of 448	1908	mshta.exe	50
PID 1096 wrote to memory of 2568	1096	taskeng.exe	54
PID 1096 wrote to memory of 2568	1096	taskeng.exe	54
PID 1096 wrote to memory of 2568	1096	taskeng.exe	54
PID 2568 wrote to memory of 568	2568	WScript.exe	55
PID 2568 wrote to memory of 568	2568	WScript.exe	55
PID 2568 wrote to memory of 568	2568	WScript.exe	55
PID 1096 wrote to memory of 2904	1096	taskeng.exe	58
PID 1096 wrote to memory of 2904	1096	taskeng.exe	58
PID 1096 wrote to memory of 2904	1096	taskeng.exe	58
PID 2904 wrote to memory of 2976	2904	WScript.exe	59
PID 2904 wrote to memory of 2976	2904	WScript.exe	59
PID 2904 wrote to memory of 2976	2904	WScript.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c2e9058fe49f3581203de4f335fdfd6314f5680692dbccf290d6ef594db9847.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Favorites\sys.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Admin\Favorites\sys.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Favorites\a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\Favorites\a.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\Favorites\b.ps1
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\system32\cmstp.exe
        
        "C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\3o4ginta.inf
        7⤵
        
        PID:3056
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /tn administartor /sc minute /st 00:10 /tr C:\Users\Admin\Favorites\System.vbs
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2736

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""cmd.exe /c start """""""" """"%USERPROFILE%\Favorites\Assembly.vbs"""""",0:close")
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\Favorites\Assembly.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Favorites\Assembly.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\Favorites\x.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\Favorites\x.ps1
        5⤵
        UAC bypass
        Drops file in System32 directory
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496

C:\Windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""taskkill /IM cmstp.exe /F"", 0, true:close")
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM cmstp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:448

C:\Windows\system32\taskeng.exe
taskeng.exe {D5959D38-ACA3-47B9-AD46-19F29D71C8B9} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\Favorites\System.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Admin\Favorites\micro.ps1
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\Favorites\System.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & C:\Users\Admin\Favorites\micro.ps1
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea732b35de23aa10d587f6abd2e4aa00

SHA1
764c09e49839208a9598c6b5ec30c8869b878124

SHA256
61495c2a7d919c5cf224814c056c375d041965a82fc85fc70a56d0cf57dd391b

SHA512
0b47ffe9cb013d9bb009aa7741443a202c7fe6349d978884ac9bafad91d8e53eaafdcaf55baefb437bcc4b0a4281e0c8a85dc12fbc52396784fd5c12c5ce93e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z7U5JUCV1B61XSHY7PVQ.temp

Filesize
7KB

MD5
8a87e3e2d9d3efe953fb53a544cf466e

SHA1
4b3451edbdabb9a3b8d3175a522ed34dc76106e3

SHA256
1ca99d8f07ec8fee784b00e2ee9600bbf313a23de0079d372092d44278175660

SHA512
4f7506407e31420d95045df18b5cc45e75ddbc8253959b47665005504e333d7053aa79a0679afe583207875753c916ff0e7f0b086f0d497cbb5a18e35eeb95a8

Download Submit
C:\Users\Admin\Favorites\Assembly.vbs

Filesize
331B

MD5
66d268811c166c82aaef2f52450b0c73

SHA1
f7810c1003732c440b986718a8217dd733e88f74

SHA256
581df8170200c95d38ce78eba4e9942d47cad443bbc0148954e48df04eec3b34

SHA512
36de3a5f59ee7a531832ae7e43997a3019ad8a15b0d1b321e589a85d77af27dab80b90a0ef5c978c4fffcc4d32fe8d870f60e9cf3e5bff302e4292bfc6196830

Download Submit
C:\Users\Admin\Favorites\System.vbs

Filesize
121B

MD5
dada8407cf4051919362d16a6d735cde

SHA1
8a2788926f97dbd59c99ad51b3383c59992c6c2e

SHA256
ee512a4266049b505b2b5c6c4c7bd66baadd37eda61bfe7f31f6cfcc1c955a77

SHA512
42c6b1fac8502e3b21cbd6cda11601afc55ca539db03667eec7c839bc33c70ed1a6aeba5a3c9684951143658b17183c2782bec8a0108b345c0ac2aebdaa8fc9f

Download Submit
C:\Users\Admin\Favorites\UAC-B.dll

Filesize
11KB

MD5
cc6ba6fc273dbfbb5c9698c0cf4719b9

SHA1
a2b3433b728b0874ec69d8a629d5f0dd05c0946d

SHA256
320316cdda2aa0e8709472a2b8eb8debcd0f8bb6f9af4d4d4b3bc67068ceebe7

SHA512
fe2fe2f150fbf619dd7616c86c93a42446b7c915b92fb865971dcf7dd595c6483da7386ce40b99802dc0942068bd1703821e0e3b15a6ebe557619cf6fa413c61

Download Submit
C:\Users\Admin\Favorites\a.bat

Filesize
86B

MD5
4625a049cd6ea721b706699ab3c36dff

SHA1
dbb82c9e8cb7bdcf617e7c4e158d031275b5ec24

SHA256
c751a3cb67ab1c75f1de6e24b7193123cc815524c538973110d1f6027da24dc0

SHA512
35674c3c1d6c449b3716ddf2ca8733e255a8f642723186a847694fb936b50a91e6bd7ab7f6edf1489592a583109739a4f0c12769823e2fc163860eeb7004b6c0

Download Submit
C:\Users\Admin\Favorites\a.vbs

Filesize
485B

MD5
5ce49e20c572f2b6d4b43fc61a6906ec

SHA1
170185b8ab9fc4749f28e5796999c23b50be89dc

SHA256
d6a43aad0aa8e510f01409921c8b0b5c8d93d51d1f7f39340db775c164686412

SHA512
c49e14c094e4d5e108aa50889a9fb06428a3d7a1f74d868c9b7d37f35658a64ea205b00681ad83aef428113fdf6fead8ef98dd1e6b38d84b8306765025c2e8e3

Download Submit
C:\Users\Admin\Favorites\b.ps1

Filesize
173B

MD5
e1d9cbc41ffacef02695df17824a82e0

SHA1
970ae087b8a3d11fb3e2a9b8de1592a166436fa7

SHA256
61571d1fd0000c02eef19b7dd6e452e2f9eba2e947f4c96d781e79d35802043f

SHA512
3b4034b2072a309adeb1af8b540023791262915f4b1347f4aa27f8aedcbbb6e1126c1a4d5f1db1ce2ad5638d24d7ba3025a8451c291241db2f2a99b0832f620a

Download Submit
C:\Users\Admin\Favorites\micro.ps1

Filesize
889KB

MD5
6aebe5e40338074dcdf1a2fdf5ec052c

SHA1
0affad0eab774562a022100f11c367e83b72c4b2

SHA256
03b5c1eab769693201ca761bd2050ddd7bad82925fa19015701560aa05e5c296

SHA512
7f7ac71e80557184ea78f75d1f436a9f4808e4f0bf555fe6fd4a924b1f982931c0c8a7345df6df717fe99b60534e948e5994acdeab172c5a778ecdf99eda4774

Download Submit
C:\Users\Admin\Favorites\micro.ps1

Filesize
444KB

MD5
33e535c339dfe5328e4f6244151a6938

SHA1
24da1a168d3196928278d737cb01e6ddb3958e7f

SHA256
6e55e21f7d21c41dc3635782947a3bcbb60ebf8e047048bcac537150c28f4735

SHA512
81a764be599c62f11767cb5a23bc7dd3ed91ec1640c8de16504523921829c7f000491b19728c74a0ea074d501fe582e6eb1048ccc55e632b0d6163daccda3122

Download Submit
C:\Users\Admin\Favorites\sys.ps1

Filesize
19KB

MD5
bb0c7df40c2493ce9325882fc7d4b499

SHA1
e23d118eb3eeb81e22b5e110705f37fa8cd0d133

SHA256
6ab29a186284082a8e82a5a28c1f994af22d365e67b8c43f6a39389f08998dd4

SHA512
a220c8f21c8fd4e98b76866fb32f898d62e8828f70fdfe4cae61263341fb1436c51e6a7cd394a0e3d6d1e5348e8a3a7b6ca1315bd200fb311c9476e56f44aa03

Download Submit
C:\Users\Admin\Favorites\sys.vbs

Filesize
119B

MD5
a8c65c2b9b22070a4d49894328b313ed

SHA1
4518f72c768e128118b9ba32b27c4b083e2b500c

SHA256
dd078ad41f7f10601742a499715ea9ec9250b327c8875b5be5ae3cd34e629f7c

SHA512
ab056005c9c49d62b37c551c18fd11ec9fef3de0b4e0e5fdad8c965737445b439200fdbef94544c6a65a8ed299d870a01229f09f0c2eecb793afa47de5affc4b

Download Submit
C:\Users\Admin\Favorites\x.bat

Filesize
86B

MD5
03fc58bceab448c9f183fbe86fed1f11

SHA1
07f3d54b0b40755e8f58f5fdab95049def6578e3

SHA256
6062f0e764ccd855b61ba49720065dfd6f6c6864c4eb1e9dce95ba8a293fd756

SHA512
c0e9aec7a6c5aaae3b018d44f1fbdc1939026ce16fad20211a0521e3db9e470d842508b7d2167672e1585bafeb4b2f1fe694ca96ddb9137ff9e5d3b4ca53ea4f

Download Submit
C:\Users\Admin\Favorites\x.ps1

Filesize
567B

MD5
e9859d3134c68db3134a6ca7df484344

SHA1
f4eec5ee9aa11a82d19bdb78a174c574669fd1d8

SHA256
a4aaf6c64969788732b20c79c1299719b84a52eddda13778a672195bbfba4a6c

SHA512
47982ddf074418c350790f5f7d53edddbbb47e7768939ebf88f4812b01f241c8bff509dbd9a8e6232eb6ec7f8b0344a1a59474ea45da0c80af9f04ba21498cdb

Download Submit
C:\Windows\temp\3o4ginta.inf

Filesize
834B

MD5
09c0056318d62ee84963c66ae83d6c1b

SHA1
625936963d4a0059daff7222a1628198be9b7a4f

SHA256
25b2a55bade39fe6d90e0fb06068062a95af522f62d743454ffa4ddd478781d8

SHA512
b03301fcafbc905ac7724b5ee878208c4c7dc039b02edcfc00e51742c868ab4cf3f830dbbe52b314ee24f8d87f39b6c9eb3e6c188ddc75a9b52f7dfab85cb2d0

Download Submit
memory/2380-16-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2380-15-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2380-8-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2380-29-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2380-17-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2380-5-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2380-14-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2380-9-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2380-6-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/2380-4-0x000007FEF5EAE000-0x000007FEF5EAF000-memory.dmp

Filesize
4KB

Download
memory/2380-12-0x000007FEF5EAE000-0x000007FEF5EAF000-memory.dmp

Filesize
4KB

Download
memory/2380-7-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2380-13-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/2380-10-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-56-0x0000000002B60000-0x0000000002B6A000-memory.dmp

Filesize
40KB

Download
memory/3060-37-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/3060-36-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download