Overview (overview): 10
Static (static): 3
511bf43e72...18.exe (windows7-x64): 10
511bf43e72...18.exe (windows10-2004-x64): 7
$PLUGINSDI...ns.dll (windows7-x64): 3
$PLUGINSDI...ns.dll (windows10-2004-x64): 3
$PLUGINSDI...em.dll (windows7-x64): 3
$PLUGINSDI...em.dll (windows10-2004-x64): 3
Ren-UTF-8~...7f8.js (windows7-x64): 3
Ren-UTF-8~...7f8.js (windows10-2004-x64): 3
URC%20Anno...ng.pdf (windows7-x64): 1
URC%20Anno...ng.pdf (windows10-2004-x64): 1
js_k4EXAqY...Uro.js (windows7-x64): 3
js_k4EXAqY...Uro.js (windows10-2004-x64): 3
Analysis
max time kernel: 120s
max time network: 144s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 17-05-2024 19:28
Static task: static1
Behavioral task: behavioral1 | Sample: 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | Resource: win7-20240220-en
Behavioral task: behavioral2 | Sample: 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | Resource: win10v2004-20240508-en
Behavioral task: behavioral3 | Sample: $PLUGINSDIR/InstallOptions.dll | Resource: win7-20240221-en
Behavioral task: behavioral4 | Sample: $PLUGINSDIR/InstallOptions.dll | Resource: win10v2004-20240426-en
Behavioral task: behavioral5 | Sample: $PLUGINSDIR/System.dll | Resource: win7-20240221-en
Behavioral task: behavioral6 | Sample: $PLUGINSDIR/System.dll | Resource: win10v2004-20240426-en
Behavioral task: behavioral7 | Sample: Ren-UTF-8~zYhWKCjIx0J6H23_Rjq4MtNoUQHhxnspNhq_MRQ37f8.js | Resource: win7-20240508-en
Behavioral task: behavioral8 | Sample: Ren-UTF-8~zYhWKCjIx0J6H23_Rjq4MtNoUQHhxnspNhq_MRQ37f8.js | Resource: win10v2004-20240508-en
Behavioral task: behavioral9 | Sample: URC%20Announces%20Completion%20of%20New%20Financing.pdf | Resource: win7-20240221-en
Behavioral task: behavioral10 | Sample: URC%20Announces%20Completion%20of%20New%20Financing.pdf | Resource: win10v2004-20240508-en
Behavioral task: behavioral11 | Sample: js_k4EXAqYgoEBC9_cGJZZJJ_4u1fRozpivgWMEoL-lUro.js | Resource: win7-20240508-en
Behavioral task: behavioral12 | Sample: js_k4EXAqYgoEBC9_cGJZZJJ_4u1fRozpivgWMEoL-lUro.js | Resource: win10v2004-20240508-en
General
Target: 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
Size: 271KB
MD5: 511bf43e720a8cf9131a1ba0ab89d089
SHA1: 1ac25149aaa08db57d87e4fe0a3389da72752dc6
SHA256: b04fcd4778f72c0a66bd4319b54bc722365a4783ac2347bc77602f19e64da13c
SHA512: 6f55a75aed1d0192a5207c9680a9b81e33f6f8ad4b85aaabcd8017d139352ca15a926a5239480d3b249ec936ae7352911b5ad560202316da725be6dc2b89a33e
SSDEEP: 6144:vfgFQoFek+uf8ingJDcp2L4ZacdAjuM98X/NPfAuZ:XtoGSVp2LBZPYNAuZ
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\README.hta
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 3 IoCs
Processes:
mshta.exe
flow | pid | process
3272 | 2164 | mshta.exe
3274 | 2164 | mshta.exe
3276 | 2164 | mshta.exe
-
Contacts a large (1093) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes itself 1 IoCs
Processes:
cmd.exe
pid | process
2044 | cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
pid | process
1976 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpB53B.bmp" | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
description | pid | process | target process
PID 1976 set thread context of 2652 | 1976 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
-
Drops file in Program Files directory 6 IoCs
Processes:
511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exe
pid | process
848 | taskkill.exe
-
Processes:
mshta.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
pid | process
2652 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe (row repeated; all entries are identical)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
pid | process
1976 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe, WMIC.exe, vssvc.exe, taskkill.exe
description | pid | process
Token: SeDebugPrivilege | 2652 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege | 2448 | WMIC.exe
Token: SeSecurityPrivilege | 2448 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2448 | WMIC.exe
Token: SeLoadDriverPrivilege | 2448 | WMIC.exe
Token: SeSystemProfilePrivilege | 2448 | WMIC.exe
Token: SeSystemtimePrivilege | 2448 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2448 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2448 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2448 | WMIC.exe
Token: SeBackupPrivilege | 2448 | WMIC.exe
Token: SeRestorePrivilege | 2448 | WMIC.exe
Token: SeShutdownPrivilege | 2448 | WMIC.exe
Token: SeDebugPrivilege | 2448 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2448 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2448 | WMIC.exe
Token: SeUndockPrivilege | 2448 | WMIC.exe
Token: SeManageVolumePrivilege | 2448 | WMIC.exe
Token: 33 | 2448 | WMIC.exe
Token: 34 | 2448 | WMIC.exe
Token: 35 | 2448 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 2448 | WMIC.exe
Token: SeSecurityPrivilege | 2448 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2448 | WMIC.exe
Token: SeLoadDriverPrivilege | 2448 | WMIC.exe
Token: SeSystemProfilePrivilege | 2448 | WMIC.exe
Token: SeSystemtimePrivilege | 2448 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2448 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2448 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2448 | WMIC.exe
Token: SeBackupPrivilege | 2448 | WMIC.exe
Token: SeRestorePrivilege | 2448 | WMIC.exe
Token: SeShutdownPrivilege | 2448 | WMIC.exe
Token: SeDebugPrivilege | 2448 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2448 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2448 | WMIC.exe
Token: SeUndockPrivilege | 2448 | WMIC.exe
Token: SeManageVolumePrivilege | 2448 | WMIC.exe
Token: 33 | 2448 | WMIC.exe
Token: 34 | 2448 | WMIC.exe
Token: 35 | 2448 | WMIC.exe
Token: SeBackupPrivilege | 2676 | vssvc.exe
Token: SeRestorePrivilege | 2676 | vssvc.exe
Token: SeAuditPrivilege | 2676 | vssvc.exe
Token: SeShutdownPrivilege | 2652 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
Token: SeDebugPrivilege | 848 | taskkill.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
mshta.exe
pid | process
2164 | mshta.exe
2164 | mshta.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe, 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 1976 wrote to memory of 2652 | 1976 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
PID 1976 wrote to memory of 2652 | 1976 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
PID 1976 wrote to memory of 2652 | 1976 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
PID 1976 wrote to memory of 2652 | 1976 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
PID 1976 wrote to memory of 2652 | 1976 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
PID 2652 wrote to memory of 2532 | 2652 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | cmd.exe
PID 2652 wrote to memory of 2532 | 2652 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | cmd.exe
PID 2652 wrote to memory of 2532 | 2652 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | cmd.exe
PID 2652 wrote to memory of 2532 | 2652 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | cmd.exe
PID 2532 wrote to memory of 2448 | 2532 | cmd.exe | WMIC.exe
PID 2532 wrote to memory of 2448 | 2532 | cmd.exe | WMIC.exe
PID 2532 wrote to memory of 2448 | 2532 | cmd.exe | WMIC.exe
PID 2652 wrote to memory of 2164 | 2652 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | mshta.exe
PID 2652 wrote to memory of 2164 | 2652 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | mshta.exe
PID 2652 wrote to memory of 2164 | 2652 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | mshta.exe
PID 2652 wrote to memory of 2164 | 2652 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | mshta.exe
PID 2652 wrote to memory of 2044 | 2652 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | cmd.exe
PID 2652 wrote to memory of 2044 | 2652 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | cmd.exe
PID 2652 wrote to memory of 2044 | 2652 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | cmd.exe
PID 2652 wrote to memory of 2044 | 2652 | 511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe | cmd.exe
PID 2044 wrote to memory of 848 | 2044 | cmd.exe | taskkill.exe
PID 2044 wrote to memory of 848 | 2044 | cmd.exe | taskkill.exe
PID 2044 wrote to memory of 848 | 2044 | cmd.exe | taskkill.exe
PID 2044 wrote to memory of 1616 | 2044 | cmd.exe | PING.EXE
PID 2044 wrote to memory of 1616 | 2044 | cmd.exe | PING.EXE
PID 2044 wrote to memory of 1616 | 2044 | cmd.exe | PING.EXE
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe"
Depth: 1
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
Image: C:\Users\Admin\AppData\Local\Temp\511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe"
Depth: 2
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe"
Depth: 3
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\wbem\WMIC.exe
Command line: C:\Windows\system32\wbem\wmic.exe shadowcopy delete
Depth: 4
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\SysWOW64\mshta.exe
Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"
Depth: 3
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Image: C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe"
Depth: 3
- Deletes itself
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\taskkill.exe
Command line: taskkill /f /im "511bf43e720a8cf9131a1ba0ab89d089_JaffaCakes118.exe"
Depth: 4
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\system32\PING.EXE
Command line: ping -n 1 127.0.0.1
Depth: 4
- Runs ping.exe
-
Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Depth: 1
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\SysWOW64\DllHost.exe
Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Depth: 1
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\README.hta
Filesize: 66KB
MD5: 1e10ccacd0588ac84b55c0e533eb6170
SHA1: 60edac9ece52e3e2a6cd396259e438abf22c82ce
SHA256: 100a343e0b8365e67daa06c1b695ae78a0eb6700bebe6bf02cc4d92516c3faba
SHA512: 8b137477cfbbbf1dcfe75b747794e4bac67aea07f8cf4c98de989428f83367cb7c602b6d79e1253d8a510d20e024d7ecc7a917d40279222f720072b736962105
-
\Users\Admin\AppData\Local\Temp\nsy15A.tmp\System.dll
Filesize: 11KB
MD5: ca332bb753b0775d5e806e236ddcec55
SHA1: f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256: df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512: 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00