Analysis
-
max time kernel
118s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
10-05-2024 03:58
Static task
static1
Behavioral task
behavioral1
Sample
2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
CabDLL.dll
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
CabDLL.dll
Resource
win10v2004-20240426-en
General
-
Target
2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe
-
Size
238KB
-
MD5
2d38d15d58e0b48403b2b407d8d60520
-
SHA1
7a608aa2e08932ea2c3593961b6485b3d34d452d
-
SHA256
8c683635aa513fd4a30545446fd4bf4439f42d54c7c733ab9a533522f6d084a6
-
SHA512
5aacf2f1b70f9ce3e91a9908da961183dd87e4e450a4479b5833ecd6afd0927cf41fe91d946075954c4c1abe14d8c2503439353aed0c7ff27546135bc6a5b84c
-
SSDEEP
3072:KNdm6/Xbi5XJC/O45Riu9ShhIuiGKSLtNO9axj/LT5yFP26Mt3fZNXTWy813p:Kn/L+GOmF8hFKSZ/1yFujJPW3p
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\README.hta
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 3 IoCs
Processes:
mshta.exeflow pid process 1544 580 mshta.exe 1546 580 mshta.exe 1548 580 mshta.exe -
Contacts a large (517) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 608 cmd.exe -
Loads dropped DLL 3 IoCs
Processes:
2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exepid process 1680 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 1680 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 1680 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpCE76.bmp" 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exedescription pid process target process PID 1680 set thread context of 2564 1680 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe -
Drops file in Program Files directory 6 IoCs
Processes:
2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
Processes:
2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\towpath 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 1068 taskkill.exe -
Processes:
mshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exepid process 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exeWMIC.exevssvc.exetaskkill.exedescription pid process Token: SeDebugPrivilege 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2424 WMIC.exe Token: SeSecurityPrivilege 2424 WMIC.exe Token: SeTakeOwnershipPrivilege 2424 WMIC.exe Token: SeLoadDriverPrivilege 2424 WMIC.exe Token: SeSystemProfilePrivilege 2424 WMIC.exe Token: SeSystemtimePrivilege 2424 WMIC.exe Token: SeProfSingleProcessPrivilege 2424 WMIC.exe Token: SeIncBasePriorityPrivilege 2424 WMIC.exe Token: SeCreatePagefilePrivilege 2424 WMIC.exe Token: SeBackupPrivilege 2424 WMIC.exe Token: SeRestorePrivilege 2424 WMIC.exe Token: SeShutdownPrivilege 2424 WMIC.exe Token: SeDebugPrivilege 2424 WMIC.exe Token: SeSystemEnvironmentPrivilege 2424 WMIC.exe Token: SeRemoteShutdownPrivilege 2424 WMIC.exe Token: SeUndockPrivilege 2424 WMIC.exe Token: SeManageVolumePrivilege 2424 WMIC.exe Token: 33 2424 WMIC.exe Token: 34 2424 WMIC.exe Token: 35 2424 WMIC.exe Token: SeIncreaseQuotaPrivilege 2424 WMIC.exe Token: SeSecurityPrivilege 2424 WMIC.exe Token: SeTakeOwnershipPrivilege 2424 WMIC.exe Token: SeLoadDriverPrivilege 2424 WMIC.exe Token: SeSystemProfilePrivilege 2424 WMIC.exe Token: SeSystemtimePrivilege 2424 WMIC.exe Token: SeProfSingleProcessPrivilege 2424 WMIC.exe Token: SeIncBasePriorityPrivilege 2424 WMIC.exe Token: SeCreatePagefilePrivilege 2424 WMIC.exe Token: SeBackupPrivilege 2424 WMIC.exe Token: SeRestorePrivilege 2424 WMIC.exe Token: SeShutdownPrivilege 2424 WMIC.exe Token: SeDebugPrivilege 2424 WMIC.exe Token: SeSystemEnvironmentPrivilege 2424 WMIC.exe Token: SeRemoteShutdownPrivilege 2424 WMIC.exe Token: SeUndockPrivilege 2424 WMIC.exe Token: SeManageVolumePrivilege 2424 WMIC.exe Token: 33 2424 WMIC.exe Token: 34 2424 WMIC.exe Token: 35 2424 WMIC.exe Token: SeBackupPrivilege 2224 vssvc.exe Token: SeRestorePrivilege 2224 vssvc.exe Token: SeAuditPrivilege 2224 vssvc.exe Token: SeDebugPrivilege 1068 taskkill.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
mshta.exepid process 580 mshta.exe 580 mshta.exe -
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.execmd.execmd.exedescription pid process target process PID 1680 wrote to memory of 2564 1680 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe PID 1680 wrote to memory of 2564 1680 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe PID 1680 wrote to memory of 2564 1680 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe PID 1680 wrote to memory of 2564 1680 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe PID 1680 wrote to memory of 2564 1680 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe PID 1680 wrote to memory of 2564 1680 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe PID 1680 wrote to memory of 2564 1680 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe PID 1680 wrote to memory of 2564 1680 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe PID 1680 wrote to memory of 2564 1680 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe PID 1680 wrote to memory of 2564 1680 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe PID 2564 wrote to memory of 2636 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe cmd.exe PID 2564 wrote to memory of 2636 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe cmd.exe PID 2564 wrote to memory of 2636 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe cmd.exe PID 2564 wrote to memory of 2636 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe cmd.exe PID 2636 wrote to memory of 2424 2636 cmd.exe WMIC.exe PID 2636 wrote to memory of 2424 2636 cmd.exe WMIC.exe PID 2636 wrote to memory of 2424 2636 cmd.exe WMIC.exe PID 2564 wrote to memory of 580 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe mshta.exe PID 2564 wrote to memory of 580 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe mshta.exe PID 2564 wrote to memory of 580 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe mshta.exe PID 2564 wrote to memory of 580 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe mshta.exe PID 2564 wrote to memory of 608 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe cmd.exe PID 2564 wrote to memory of 608 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe cmd.exe PID 2564 wrote to memory of 608 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe cmd.exe PID 2564 wrote to memory of 608 2564 2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe cmd.exe PID 608 wrote to memory of 1068 608 cmd.exe taskkill.exe PID 608 wrote to memory of 1068 608 cmd.exe taskkill.exe PID 608 wrote to memory of 1068 608 cmd.exe taskkill.exe PID 608 wrote to memory of 1472 608 cmd.exe PING.EXE PID 608 wrote to memory of 1472 608 cmd.exe PING.EXE PID 608 wrote to memory of 1472 608 cmd.exe PING.EXE -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe"2⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im "2d38d15d58e0b48403b2b407d8d60520_JaffaCakes118.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.14⤵
- Runs ping.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\README.htaFilesize
61KB
MD59bc8ceef383b54fb041c79e2a6b96b72
SHA1bc9e44c5886424a4f050d1c017aa924df4c42482
SHA256c2a00360d38261839627f3c6192fa8c602451fc9ebf888d10a43f8e177e93a79
SHA512ed8e6fbc5fa5cec2a60c9c8f260b1f4d02e29ce75ade76fc84e1bbab92612a586f7e237b1718ec7589535187f3607545cb749e12669d823a1b7c44d4614534bc
-
\Users\Admin\AppData\Local\Temp\nsy5EB.tmp\System.dllFilesize
11KB
MD5a436db0c473a087eb61ff5c53c34ba27
SHA165ea67e424e75f5065132b539c8b2eda88aa0506
SHA25675ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
SHA512908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
-
\Users\Admin\AppData\Roaming\CabDLL.dllFilesize
28KB
MD5a4c07c7c2328612f32465ed4350fc6b1
SHA1578e751f602ed19336406e85e59fdc807e8e5e47
SHA2561fb5fd45067a68ca5cd7428ff2ac81cb5b090ee48383e3ab771d89d08eb10332
SHA51224990ceb668f03410ee62fcf47cfae57a0c5cd1dc09308f8b839c9bcb3ae20c332fdd9ab4a1e63996035b2c835a2aba07b1a38d5a94a47f4432d2c781d711283
-
memory/2564-29-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-313-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2564-25-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-23-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-27-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-274-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-37-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-42-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-43-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-45-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-47-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-46-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-21-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-330-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-33-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-35-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-277-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-280-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-283-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-286-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-289-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-292-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-295-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-298-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-301-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-304-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-307-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-310-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-271-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-320-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2564-268-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB