Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-05-2024 00:42
Static task
static1
Behavioral task
behavioral1
Sample
7b1f0563576b3c5af9f4b6faf07529bb_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
7b1f0563576b3c5af9f4b6faf07529bb_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
7b1f0563576b3c5af9f4b6faf07529bb_JaffaCakes118.exe
-
Size
328KB
-
MD5
7b1f0563576b3c5af9f4b6faf07529bb
-
SHA1
a604fffc91898085c5978c5c09ab375140902c20
-
SHA256
1ea8ef6762ff35035136847b8d52f181a10831ba519bb4f8662396f55d3aaa2f
-
SHA512
139e6ec33f9651586511807993d91d8aebfa59750df1be6a6a663ad8d36a32623246dae0627ebd397e76c80a46794d637b8953924ecc1cafcaa09fdbbd962ed5
-
SSDEEP
6144:nd6a9GdC+9G33XV4nPZ9dQZrV3qh3vhF/J8wR9b4V/f/xWs0/WEFb865QrTQg5v:d6a9+C+I3novdaVOxhb4VMsOdg5v
Malware Config
Extracted
Protocol: smtp- Host:
mail.gandi.net - Port:
587 - Username:
[email protected] - Password:
@@yahoo.com@@
Signatures
-
NirSoft MailPassView 8 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/2404-30-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral1/memory/2404-33-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral1/memory/2404-32-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral1/memory/2404-27-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral1/memory/2404-25-0x0000000000400000-0x0000000000488000-memory.dmp MailPassView behavioral1/memory/1580-50-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1580-51-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView behavioral1/memory/1580-53-0x0000000000400000-0x000000000041B000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 8 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/2404-30-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral1/memory/2404-33-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral1/memory/2404-32-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral1/memory/2404-27-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral1/memory/2404-25-0x0000000000400000-0x0000000000488000-memory.dmp WebBrowserPassView behavioral1/memory/324-54-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/324-57-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView behavioral1/memory/324-55-0x0000000000400000-0x0000000000458000-memory.dmp WebBrowserPassView -
Nirsoft 11 IoCs
Processes:
resource yara_rule behavioral1/memory/2404-30-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral1/memory/2404-33-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral1/memory/2404-32-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral1/memory/2404-27-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral1/memory/2404-25-0x0000000000400000-0x0000000000488000-memory.dmp Nirsoft behavioral1/memory/1580-50-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1580-51-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/1580-53-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft behavioral1/memory/324-54-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/324-57-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft behavioral1/memory/324-55-0x0000000000400000-0x0000000000458000-memory.dmp Nirsoft -
Executes dropped EXE 2 IoCs
Processes:
svchost.exesvchost.exepid process 2616 svchost.exe 2404 svchost.exe -
Loads dropped DLL 2 IoCs
Processes:
7b1f0563576b3c5af9f4b6faf07529bb_JaffaCakes118.exesvchost.exepid process 2164 7b1f0563576b3c5af9f4b6faf07529bb_JaffaCakes118.exe 2616 svchost.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts vbc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Load = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DwiDesk\\svchost.lnk" reg.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 whatismyipaddress.com 6 whatismyipaddress.com -
Suspicious use of SetThreadContext 4 IoCs
Processes:
svchost.exesvchost.exedescription pid process target process PID 2616 set thread context of 2404 2616 svchost.exe svchost.exe PID 2616 set thread context of 1452 2616 svchost.exe MSBuild.exe PID 2404 set thread context of 1580 2404 svchost.exe vbc.exe PID 2404 set thread context of 324 2404 svchost.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Processes:
svchost.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95 svchost.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
svchost.exeMSBuild.exepid process 2616 svchost.exe 2616 svchost.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe 1452 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
svchost.exesvchost.exeMSBuild.exedescription pid process Token: SeDebugPrivilege 2616 svchost.exe Token: SeDebugPrivilege 2404 svchost.exe Token: SeDebugPrivilege 1452 MSBuild.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
svchost.exepid process 2404 svchost.exe -
Suspicious use of WriteProcessMemory 50 IoCs
Processes:
7b1f0563576b3c5af9f4b6faf07529bb_JaffaCakes118.exesvchost.execmd.exesvchost.exedescription pid process target process PID 2164 wrote to memory of 2616 2164 7b1f0563576b3c5af9f4b6faf07529bb_JaffaCakes118.exe svchost.exe PID 2164 wrote to memory of 2616 2164 7b1f0563576b3c5af9f4b6faf07529bb_JaffaCakes118.exe svchost.exe PID 2164 wrote to memory of 2616 2164 7b1f0563576b3c5af9f4b6faf07529bb_JaffaCakes118.exe svchost.exe PID 2164 wrote to memory of 2616 2164 7b1f0563576b3c5af9f4b6faf07529bb_JaffaCakes118.exe svchost.exe PID 2616 wrote to memory of 2568 2616 svchost.exe cmd.exe PID 2616 wrote to memory of 2568 2616 svchost.exe cmd.exe PID 2616 wrote to memory of 2568 2616 svchost.exe cmd.exe PID 2616 wrote to memory of 2568 2616 svchost.exe cmd.exe PID 2568 wrote to memory of 1868 2568 cmd.exe reg.exe PID 2568 wrote to memory of 1868 2568 cmd.exe reg.exe PID 2568 wrote to memory of 1868 2568 cmd.exe reg.exe PID 2568 wrote to memory of 1868 2568 cmd.exe reg.exe PID 2616 wrote to memory of 2404 2616 svchost.exe svchost.exe PID 2616 wrote to memory of 2404 2616 svchost.exe svchost.exe PID 2616 wrote to memory of 2404 2616 svchost.exe svchost.exe PID 2616 wrote to memory of 2404 2616 svchost.exe svchost.exe PID 2616 wrote to memory of 2404 2616 svchost.exe svchost.exe PID 2616 wrote to memory of 2404 2616 svchost.exe svchost.exe PID 2616 wrote to memory of 2404 2616 svchost.exe svchost.exe PID 2616 wrote to memory of 2404 2616 svchost.exe svchost.exe PID 2616 wrote to memory of 2404 2616 svchost.exe svchost.exe PID 2616 wrote to memory of 1452 2616 svchost.exe MSBuild.exe PID 2616 wrote to memory of 1452 2616 svchost.exe MSBuild.exe PID 2616 wrote to memory of 1452 2616 svchost.exe MSBuild.exe PID 2616 wrote to memory of 1452 2616 svchost.exe MSBuild.exe PID 2616 wrote to memory of 1452 2616 svchost.exe MSBuild.exe PID 2616 wrote to memory of 1452 2616 svchost.exe MSBuild.exe PID 2616 wrote to memory of 1452 2616 svchost.exe MSBuild.exe PID 2616 wrote to memory of 1452 2616 svchost.exe MSBuild.exe PID 2616 wrote to memory of 1452 2616 svchost.exe MSBuild.exe PID 2404 wrote to memory of 1580 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 1580 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 1580 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 1580 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 1580 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 1580 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 1580 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 1580 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 1580 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 1580 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 324 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 324 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 324 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 324 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 324 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 324 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 324 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 324 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 324 2404 svchost.exe vbc.exe PID 2404 wrote to memory of 324 2404 svchost.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b1f0563576b3c5af9f4b6faf07529bb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\7b1f0563576b3c5af9f4b6faf07529bb_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\svchost.exe" -n2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\svchost.lnk" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\svchost.lnk" /f4⤵
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\TarB5A0.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Local\Temp\holderwb.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\fl.txtFilesize
11B
MD5d1c56374fff0243832b8696d133b7861
SHA1f4d236fdec2fd03914189c3b26e5cb0dfea9d761
SHA2568e8eab0b4bfdc35c5f238935b81298e43970ee6818e9629d725297ebf03838a6
SHA512e74cbfc425b9779b79dfb6b53dbf3d1451f9f35a766cc5167932b95c9bdb5288b65f9886fbdf3c3b180bf3a8360bfa1ef577b63e3443cae04b49e7ece433c452
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\DwiDesk\svchost.exeFilesize
328KB
MD57b1f0563576b3c5af9f4b6faf07529bb
SHA1a604fffc91898085c5978c5c09ab375140902c20
SHA2561ea8ef6762ff35035136847b8d52f181a10831ba519bb4f8662396f55d3aaa2f
SHA512139e6ec33f9651586511807993d91d8aebfa59750df1be6a6a663ad8d36a32623246dae0627ebd397e76c80a46794d637b8953924ecc1cafcaa09fdbbd962ed5
-
memory/324-55-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/324-57-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/324-54-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1452-42-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1452-47-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1452-46-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1452-45-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1452-44-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmpFilesize
4KB
-
memory/1452-36-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1452-38-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1452-40-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1580-51-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1580-50-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/1580-53-0x0000000000400000-0x000000000041B000-memory.dmpFilesize
108KB
-
memory/2164-1-0x0000000000C70000-0x0000000000CC8000-memory.dmpFilesize
352KB
-
memory/2164-2-0x0000000074DE0000-0x00000000754CE000-memory.dmpFilesize
6.9MB
-
memory/2164-3-0x0000000004290000-0x00000000042E8000-memory.dmpFilesize
352KB
-
memory/2164-16-0x0000000074DE0000-0x00000000754CE000-memory.dmpFilesize
6.9MB
-
memory/2164-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmpFilesize
4KB
-
memory/2404-49-0x0000000000690000-0x0000000000698000-memory.dmpFilesize
32KB
-
memory/2404-23-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/2404-22-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/2404-30-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/2404-33-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/2404-32-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/2404-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2404-27-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/2404-25-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/2616-17-0x0000000074DE0000-0x00000000754CE000-memory.dmpFilesize
6.9MB
-
memory/2616-15-0x00000000000D0000-0x0000000000128000-memory.dmpFilesize
352KB
-
memory/2616-59-0x0000000074DE0000-0x00000000754CE000-memory.dmpFilesize
6.9MB