Analysis
-
max time kernel
142s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
18-05-2024 12:57
Static task
static1
Behavioral task
behavioral1
Sample
54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
Crypto.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Crypto.dll
Resource
win10v2004-20240508-en
General
-
Target
54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe
-
Size
240KB
-
MD5
54d105a742ae07f7f55d30738a7b014f
-
SHA1
a36767f17476133be1529e832b2be11a4cb8ee6c
-
SHA256
c36a3c1d92892fb3fc4d8cba4e5f55fb4f027a0e61b351eee3c343a9cdbcd723
-
SHA512
972fed4bece6945527a450f43a39f1ca2a339fdbe9782ddd73cef5c71b217d0a54fb90e0ef2b53f3ed4cc6262548e2da47cee781378e542dfe1f10453cc3214b
-
SSDEEP
6144:Yn/L+VE11MHqeo1k5b2LDkTbuD4VDwjc3/r+:uaE1CF0moAnubjc3/r+
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\README.hta
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 3 IoCs
Processes:
mshta.exeflow pid process 1544 1344 mshta.exe 1546 1344 mshta.exe 1548 1344 mshta.exe -
Contacts a large (517) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 956 cmd.exe -
Loads dropped DLL 3 IoCs
Processes:
54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exepid process 2356 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2356 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2356 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp4A3A.bmp" 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exedescription pid process target process PID 2356 set thread context of 2688 2356 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe -
Drops file in Program Files directory 6 IoCs
Processes:
54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\DESIGNER.ONE 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
Processes:
54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\ 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 1876 taskkill.exe -
Processes:
mshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exepid process 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exeWMIC.exevssvc.exetaskkill.exedescription pid process Token: SeDebugPrivilege 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2568 WMIC.exe Token: SeSecurityPrivilege 2568 WMIC.exe Token: SeTakeOwnershipPrivilege 2568 WMIC.exe Token: SeLoadDriverPrivilege 2568 WMIC.exe Token: SeSystemProfilePrivilege 2568 WMIC.exe Token: SeSystemtimePrivilege 2568 WMIC.exe Token: SeProfSingleProcessPrivilege 2568 WMIC.exe Token: SeIncBasePriorityPrivilege 2568 WMIC.exe Token: SeCreatePagefilePrivilege 2568 WMIC.exe Token: SeBackupPrivilege 2568 WMIC.exe Token: SeRestorePrivilege 2568 WMIC.exe Token: SeShutdownPrivilege 2568 WMIC.exe Token: SeDebugPrivilege 2568 WMIC.exe Token: SeSystemEnvironmentPrivilege 2568 WMIC.exe Token: SeRemoteShutdownPrivilege 2568 WMIC.exe Token: SeUndockPrivilege 2568 WMIC.exe Token: SeManageVolumePrivilege 2568 WMIC.exe Token: 33 2568 WMIC.exe Token: 34 2568 WMIC.exe Token: 35 2568 WMIC.exe Token: SeIncreaseQuotaPrivilege 2568 WMIC.exe Token: SeSecurityPrivilege 2568 WMIC.exe Token: SeTakeOwnershipPrivilege 2568 WMIC.exe Token: SeLoadDriverPrivilege 2568 WMIC.exe Token: SeSystemProfilePrivilege 2568 WMIC.exe Token: SeSystemtimePrivilege 2568 WMIC.exe Token: SeProfSingleProcessPrivilege 2568 WMIC.exe Token: SeIncBasePriorityPrivilege 2568 WMIC.exe Token: SeCreatePagefilePrivilege 2568 WMIC.exe Token: SeBackupPrivilege 2568 WMIC.exe Token: SeRestorePrivilege 2568 WMIC.exe Token: SeShutdownPrivilege 2568 WMIC.exe Token: SeDebugPrivilege 2568 WMIC.exe Token: SeSystemEnvironmentPrivilege 2568 WMIC.exe Token: SeRemoteShutdownPrivilege 2568 WMIC.exe Token: SeUndockPrivilege 2568 WMIC.exe Token: SeManageVolumePrivilege 2568 WMIC.exe Token: 33 2568 WMIC.exe Token: 34 2568 WMIC.exe Token: 35 2568 WMIC.exe Token: SeBackupPrivilege 1648 vssvc.exe Token: SeRestorePrivilege 1648 vssvc.exe Token: SeAuditPrivilege 1648 vssvc.exe Token: SeDebugPrivilege 1876 taskkill.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
mshta.exepid process 1344 mshta.exe 1344 mshta.exe -
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.execmd.execmd.exedescription pid process target process PID 2356 wrote to memory of 2688 2356 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe PID 2356 wrote to memory of 2688 2356 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe PID 2356 wrote to memory of 2688 2356 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe PID 2356 wrote to memory of 2688 2356 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe PID 2356 wrote to memory of 2688 2356 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe PID 2356 wrote to memory of 2688 2356 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe PID 2356 wrote to memory of 2688 2356 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe PID 2356 wrote to memory of 2688 2356 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe PID 2356 wrote to memory of 2688 2356 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe PID 2356 wrote to memory of 2688 2356 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe PID 2688 wrote to memory of 2464 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe cmd.exe PID 2688 wrote to memory of 2464 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe cmd.exe PID 2688 wrote to memory of 2464 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe cmd.exe PID 2688 wrote to memory of 2464 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe cmd.exe PID 2464 wrote to memory of 2568 2464 cmd.exe WMIC.exe PID 2464 wrote to memory of 2568 2464 cmd.exe WMIC.exe PID 2464 wrote to memory of 2568 2464 cmd.exe WMIC.exe PID 2688 wrote to memory of 1344 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe mshta.exe PID 2688 wrote to memory of 1344 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe mshta.exe PID 2688 wrote to memory of 1344 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe mshta.exe PID 2688 wrote to memory of 1344 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe mshta.exe PID 2688 wrote to memory of 956 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe cmd.exe PID 2688 wrote to memory of 956 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe cmd.exe PID 2688 wrote to memory of 956 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe cmd.exe PID 2688 wrote to memory of 956 2688 54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe cmd.exe PID 956 wrote to memory of 1876 956 cmd.exe taskkill.exe PID 956 wrote to memory of 1876 956 cmd.exe taskkill.exe PID 956 wrote to memory of 1876 956 cmd.exe taskkill.exe PID 956 wrote to memory of 2880 956 cmd.exe PING.EXE PID 956 wrote to memory of 2880 956 cmd.exe PING.EXE PID 956 wrote to memory of 2880 956 cmd.exe PING.EXE -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe"2⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic.exe shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\README.hta"3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im "54d105a742ae07f7f55d30738a7b014f_JaffaCakes118.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.14⤵
- Runs ping.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\C_Enabled.pngFilesize
2KB
MD5cab21a439c746bc3e144e6b7ccf98580
SHA16d9d82e0f9a3e0da757e0b6b309ec6ed09ee78ee
SHA256d6dc1975bb3fe67a5551376676bb4b521b94bc1dec75fb7287cabcd6dad57909
SHA51237bad841c8b06d09d61a18d3e511aa400a02623a29dc09f1fd7b5680ff8945ac9aded320854e05cbfa5f68098b7184f7095dc2e8f2790d9b534dfb32b2f92a0c
-
C:\Users\Admin\AppData\Roaming\README.htaFilesize
61KB
MD5b6a0b8992c5f23b598bdc3c8029cecdf
SHA19c908b76bd883c88a5f1253498b5a33025bab2ad
SHA2563ea766ec14b94cb0516b6406825b5df10a513c45c28aab80e590ef3e12a2f35d
SHA5124cd7d30ee9675d097f587deb36d40e059a9ac9849bad368a7ac7f82234d84446be4c74ffd2d189c8d3f27ee178aa8d825230daad4b0453855e7a72168e458560
-
\Users\Admin\AppData\Local\Temp\nsy7659.tmp\System.dllFilesize
11KB
MD5a436db0c473a087eb61ff5c53c34ba27
SHA165ea67e424e75f5065132b539c8b2eda88aa0506
SHA25675ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
SHA512908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
-
\Users\Admin\AppData\Roaming\Crypto.dllFilesize
11KB
MD5d7abc2b77ed9178f00c2bef667a988da
SHA166f2f2ea1161f2f48b5df3a49fd3e43651642237
SHA2568708aad9e59923e1b7830e763c5a42107449a378a6f355d46d58e8c85e44f8d2
SHA5120dc6b4719ad872402573960f6be6e14f80cd5a000d240bd7a171d625833eac2c9c6d44e1c145d5d28b6dc4a4920174f2c19f76efa1f3d33ecca59994f6ec324f
-
memory/2356-33-0x0000000001E40000-0x0000000001E4C000-memory.dmpFilesize
48KB
-
memory/2688-328-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-334-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-22-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-20-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-26-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-36-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-38-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-43-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-44-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-47-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-48-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-28-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2688-32-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-331-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-24-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-337-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-340-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-343-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-346-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-349-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-352-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-355-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-358-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-361-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-364-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-367-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-370-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-373-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-375-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-381-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB
-
memory/2688-391-0x0000000000400000-0x0000000000431000-memory.dmpFilesize
196KB