Overview
overview: 10
Static
static: 3
6f2f7f2ce0...18.exe (windows7-x64): 10
6f2f7f2ce0...18.exe (windows10-2004-x64): 10
$PLUGINSDI...em.dll (windows7-x64): 3
$PLUGINSDI...em.dll (windows10-2004-x64): 3
$PLUGINSDIR/UAC.dll (windows7-x64): 3
$PLUGINSDIR/UAC.dll (windows10-2004-x64): 3
$PLUGINSDI...fo.dll (windows7-x64): 3
$PLUGINSDI...fo.dll (windows10-2004-x64): 3
$PLUGINSDI...gs.dll (windows7-x64): 3
$PLUGINSDI...gs.dll (windows10-2004-x64): 3
$PLUGINSDI...ec.dll (windows7-x64): 3
$PLUGINSDI...ec.dll (windows10-2004-x64): 3
Setup.exe (windows7-x64): 10
Setup.exe (windows10-2004-x64): 10
Setupres.exe (windows7-x64): 9
Setupres.exe (windows10-2004-x64): 9
VMProtectSDK32.dll (windows7-x64): 1
VMProtectSDK32.dll (windows10-2004-x64): 1
ipras.vbs (windows7-x64): 8
ipras.vbs (windows10-2004-x64): 8
Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 16:52
Static task: static1
Behavioral task behavioral1: Sample 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe, Resource win7-20240220-en
Behavioral task behavioral2: Sample 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe, Resource win10v2004-20240508-en
Behavioral task behavioral3: Sample $PLUGINSDIR/System.dll, Resource win7-20240215-en
Behavioral task behavioral4: Sample $PLUGINSDIR/System.dll, Resource win10v2004-20240508-en
Behavioral task behavioral5: Sample $PLUGINSDIR/UAC.dll, Resource win7-20240508-en
Behavioral task behavioral6: Sample $PLUGINSDIR/UAC.dll, Resource win10v2004-20240426-en
Behavioral task behavioral7: Sample $PLUGINSDIR/UserInfo.dll, Resource win7-20240221-en
Behavioral task behavioral8: Sample $PLUGINSDIR/UserInfo.dll, Resource win10v2004-20240508-en
Behavioral task behavioral9: Sample $PLUGINSDIR/nsDialogs.dll, Resource win7-20240215-en
Behavioral task behavioral10: Sample $PLUGINSDIR/nsDialogs.dll, Resource win10v2004-20240508-en
Behavioral task behavioral11: Sample $PLUGINSDIR/nsExec.dll, Resource win7-20240508-en
Behavioral task behavioral12: Sample $PLUGINSDIR/nsExec.dll, Resource win10v2004-20240508-en
Behavioral task behavioral13: Sample Setup.exe, Resource win7-20240220-en
Behavioral task behavioral14: Sample Setup.exe, Resource win10v2004-20240508-en
Behavioral task behavioral15: Sample Setupres.exe, Resource win7-20240508-en
Behavioral task behavioral16: Sample Setupres.exe, Resource win10v2004-20240426-en
Behavioral task behavioral17: Sample VMProtectSDK32.dll, Resource win7-20231129-en
Behavioral task behavioral18: Sample VMProtectSDK32.dll, Resource win10v2004-20240426-en
Behavioral task behavioral19: Sample ipras.vbs, Resource win7-20240508-en
Behavioral task behavioral20: Sample ipras.vbs, Resource win10v2004-20240226-en
General
Target: 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe
Size: 4.2MB
MD5: 6f2f7f2ce0ef33d170cf9ee67265770d
SHA1: beb2c4bd2ab65ed67028a1a8db92750c624d7eb8
SHA256: 4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb
SHA512: 11e01409e4038e812f5351753f498e3a179d7a8e209f7d652682198796fab226406e4b613a669cac379513d689d0f920050d7a7e6a362470c5599169481b00fc
SSDEEP: 98304:BXDf8Q9Ymb74VAMgbMHWIZ/CA3VFSLVnqzGHsSM:BTf8QSSQiA2IZd3XUVnJ0
Malware Config
Extracted
cryptbot
biss01.info
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: Setup.exe, Setupres.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Setup.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Setupres.exe
Blocklisted process makes network request 3 IoCs
Processes: CScript.exe
flow | pid | process
7 | 3364 | CScript.exe
9 | 3364 | CScript.exe
11 | 3364 | CScript.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Setup.exe, Setupres.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Setupres.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Setupres.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Setupres.exe, Setup.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | Setupres.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | Setup.exe
Executes dropped EXE 2 IoCs
Processes: Setup.exe, Setupres.exe
pid | process
2344 | Setup.exe
392 | Setupres.exe
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes: Setup.exe, Setupres.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | Setup.exe
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | Setupres.exe
Loads dropped DLL 2 IoCs
Processes: 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe
pid | process
4048 | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe
4048 | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
Processes:
flow | ioc
44 | bitbucket.org
104 | bitbucket.org
6 | iplogger.org
7 | iplogger.org
43 | bitbucket.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
21 | ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: Setup.exe, Setupres.exe
pid | process
2344 | Setup.exe
392 | Setupres.exe
Drops file in Program Files directory 8 IoCs
Processes: 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe
description | ioc | process
File created | C:\Program Files (x86)\Sir\Xd\Setup.exe | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe
File created | C:\Program Files (x86)\Sir\Xd\Setupres.exe | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe
File created | C:\Program Files (x86)\Sir\Xd\Project1.dpr | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe
File created | C:\Program Files (x86)\Sir\Xd\Project1.res | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe
File created | C:\Program Files (x86)\Sir\Xd\Unit1.pas | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe
File created | C:\Program Files (x86)\Sir\Xd\VMProtectSDK.pas | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe
File created | C:\Program Files (x86)\Sir\Xd\VMProtectSDK32.dll | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe
File created | C:\Program Files (x86)\Sir\Xd\ipras.vbs | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: Setup.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Setup.exe
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
4852 | timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: Setup.exe, Setupres.exe
pid | process
2344 | Setup.exe
2344 | Setup.exe
392 | Setupres.exe
392 | Setupres.exe
Suspicious use of FindShellTrayWindow 12 IoCs
Processes: Setup.exe
pid | process
2344 | Setup.exe
2344 | Setup.exe
2344 | Setup.exe
2344 | Setup.exe
2344 | Setup.exe
2344 | Setup.exe
2344 | Setup.exe
2344 | Setup.exe
2344 | Setup.exe
2344 | Setup.exe
2344 | Setup.exe
2344 | Setup.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes: 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe, Setup.exe, cmd.exe
description | pid | process | target process
PID 4048 wrote to memory of 2344 | 4048 | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe | Setup.exe
PID 4048 wrote to memory of 2344 | 4048 | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe | Setup.exe
PID 4048 wrote to memory of 2344 | 4048 | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe | Setup.exe
PID 4048 wrote to memory of 3364 | 4048 | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe | CScript.exe
PID 4048 wrote to memory of 3364 | 4048 | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe | CScript.exe
PID 4048 wrote to memory of 3364 | 4048 | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe | CScript.exe
PID 4048 wrote to memory of 392 | 4048 | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe | Setupres.exe
PID 4048 wrote to memory of 392 | 4048 | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe | Setupres.exe
PID 4048 wrote to memory of 392 | 4048 | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe | Setupres.exe
PID 2344 wrote to memory of 672 | 2344 | Setup.exe | cmd.exe
PID 2344 wrote to memory of 672 | 2344 | Setup.exe | cmd.exe
PID 2344 wrote to memory of 672 | 2344 | Setup.exe | cmd.exe
PID 672 wrote to memory of 4852 | 672 | cmd.exe | timeout.exe
PID 672 wrote to memory of 4852 | 672 | cmd.exe | timeout.exe
PID 672 wrote to memory of 4852 | 672 | cmd.exe | timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe" 1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Sir\Xd\Setup.exe
"C:\Program Files (x86)\Sir\Xd\Setup.exe" 2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\freismlDR & timeout 2 & del /f /q "C:\Program Files (x86)\Sir\Xd\Setup.exe" 3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exe
timeout 2 4⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\CScript.exe
"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Sir\Xd\ipras.vbs" //e:vbscript //B //NOLOGO 2⤵
- Blocklisted process makes network request
-
C:\Program Files (x86)\Sir\Xd\Setupres.exe
"C:\Program Files (x86)\Sir\Xd\Setupres.exe" 2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Program Files (x86)\Sir\Xd\Setup.exe
Filesize: 2.2MB
-
C:\Program Files (x86)\Sir\Xd\Setupres.exe
Filesize: 2.0MB
-
C:\Program Files (x86)\Sir\Xd\ipras.vbs
Filesize: 126B
-
C:\ProgramData\freismlDR\47283761.txt
Filesize: 156B
-
C:\ProgramData\freismlDR\Files\_Info.txt
Filesize: 7KB
-
C:\ProgramData\freismlDR\Files\_Screen.jpg
Filesize: 54KB
-
C:\ProgramData\freismlDR\MOZ_CO~1.DB
Filesize: 96KB
-
C:\ProgramData\freismlDR\PX4GmqenAhsZ.zip
Filesize: 49KB
-
C:\Users\Admin\AppData\Local\Temp\nsj43E0.tmp\UAC.dll
Filesize: 14KB
-
C:\Users\Admin\AppData\Local\Temp\nsj43E0.tmp\nsExec.dll
Filesize: 6KB
-
C:\Users\Admin\AppData\Roaming\tybgrfed.exe
Filesize: 13KB
-
C:\Users\Admin\AppData\Roaming\yhtgrfecd.exe
Filesize: 13KB