Analysis
-
max time kernel
148s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
20-06-2024 07:30
Static task
static1
Behavioral task
behavioral1
Sample
040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe
-
Size
115KB
-
MD5
040b4afe44ae7bb9ebe08445c2bed93a
-
SHA1
9e4ed8f203c42ee51432b61c45b8d53eb939c2b0
-
SHA256
1598031e1fa133953d15523f253a5183076f81446f9ecf6d81b68b62e010b198
-
SHA512
a319c52ed39875b0337217954d9fc34c9d4aca705d8875e8cfc11020bc21114eda589b20c399c5dd92544bccf7b4ab42919b67673b6f7e3e1d8fb2b285f77205
-
SSDEEP
1536:+qoBQ+Utg3KQ0wxuWz00gzbqOMxpYb2f1AE39/UIf0E1+AQcyQ7u29qkbGNkjbQ2:+q6cmxu9QYgptQE1z9RykjbnKVn5+
Malware Config
Extracted
metasploit
encoder/fnstenv_mov
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies security service 2 TTPs 20 IoCs
Processes:
regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" regedit.exe -
Executes dropped EXE 10 IoCs
Processes:
windeft.exewindeft.exewindeft.exewindeft.exewindeft.exewindeft.exewindeft.exewindeft.exewindeft.exewindeft.exepid process 2676 windeft.exe 3032 windeft.exe 2620 windeft.exe 2736 windeft.exe 2976 windeft.exe 1184 windeft.exe 956 windeft.exe 2548 windeft.exe 2028 windeft.exe 776 windeft.exe -
Loads dropped DLL 20 IoCs
Processes:
040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exewindeft.exewindeft.exewindeft.exewindeft.exewindeft.exewindeft.exewindeft.exewindeft.exewindeft.exepid process 2768 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe 2768 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe 2676 windeft.exe 2676 windeft.exe 3032 windeft.exe 3032 windeft.exe 2620 windeft.exe 2620 windeft.exe 2736 windeft.exe 2736 windeft.exe 2976 windeft.exe 2976 windeft.exe 1184 windeft.exe 1184 windeft.exe 956 windeft.exe 956 windeft.exe 2548 windeft.exe 2548 windeft.exe 2028 windeft.exe 2028 windeft.exe -
Drops file in System32 directory 22 IoCs
Processes:
windeft.exewindeft.exewindeft.exewindeft.exewindeft.exewindeft.exewindeft.exewindeft.exewindeft.exe040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exewindeft.exedescription ioc process File opened for modification C:\Windows\SysWOW64\windeft.exe windeft.exe File created C:\Windows\SysWOW64\windeft.exe windeft.exe File created C:\Windows\SysWOW64\windeft.exe windeft.exe File created C:\Windows\SysWOW64\windeft.exe windeft.exe File opened for modification C:\Windows\SysWOW64\windeft.exe windeft.exe File opened for modification C:\Windows\SysWOW64\windeft.exe windeft.exe File created C:\Windows\SysWOW64\windeft.exe windeft.exe File created C:\Windows\SysWOW64\windeft.exe windeft.exe File opened for modification C:\Windows\SysWOW64\windeft.exe windeft.exe File created C:\Windows\SysWOW64\windeft.exe windeft.exe File opened for modification C:\Windows\SysWOW64\windeft.exe windeft.exe File opened for modification C:\Windows\SysWOW64\windeft.exe 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\windeft.exe windeft.exe File opened for modification C:\Windows\SysWOW64\windeft.exe windeft.exe File created C:\Windows\SysWOW64\windeft.exe 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\windeft.exe windeft.exe File opened for modification C:\Windows\SysWOW64\windeft.exe windeft.exe File opened for modification C:\Windows\SysWOW64\windeft.exe windeft.exe File created C:\Windows\SysWOW64\windeft.exe windeft.exe File created C:\Windows\SysWOW64\windeft.exe windeft.exe File created C:\Windows\SysWOW64\windeft.exe windeft.exe File created C:\Windows\SysWOW64\windeft.exe windeft.exe -
Runs .reg file with regedit 11 IoCs
Processes:
regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exepid process 840 regedit.exe 2712 regedit.exe 2436 regedit.exe 1464 regedit.exe 2936 regedit.exe 2072 regedit.exe 1412 regedit.exe 1520 regedit.exe 2212 regedit.exe 1660 regedit.exe 2464 regedit.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.execmd.exewindeft.execmd.exewindeft.execmd.exewindeft.execmd.exewindeft.execmd.exewindeft.exedescription pid process target process PID 2768 wrote to memory of 2248 2768 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe cmd.exe PID 2768 wrote to memory of 2248 2768 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe cmd.exe PID 2768 wrote to memory of 2248 2768 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe cmd.exe PID 2768 wrote to memory of 2248 2768 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe cmd.exe PID 2248 wrote to memory of 840 2248 cmd.exe regedit.exe PID 2248 wrote to memory of 840 2248 cmd.exe regedit.exe PID 2248 wrote to memory of 840 2248 cmd.exe regedit.exe PID 2248 wrote to memory of 840 2248 cmd.exe regedit.exe PID 2768 wrote to memory of 2676 2768 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe windeft.exe PID 2768 wrote to memory of 2676 2768 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe windeft.exe PID 2768 wrote to memory of 2676 2768 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe windeft.exe PID 2768 wrote to memory of 2676 2768 040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe windeft.exe PID 2676 wrote to memory of 1604 2676 windeft.exe cmd.exe PID 2676 wrote to memory of 1604 2676 windeft.exe cmd.exe PID 2676 wrote to memory of 1604 2676 windeft.exe cmd.exe PID 2676 wrote to memory of 1604 2676 windeft.exe cmd.exe PID 1604 wrote to memory of 1412 1604 cmd.exe regedit.exe PID 1604 wrote to memory of 1412 1604 cmd.exe regedit.exe PID 1604 wrote to memory of 1412 1604 cmd.exe regedit.exe PID 1604 wrote to memory of 1412 1604 cmd.exe regedit.exe PID 2676 wrote to memory of 3032 2676 windeft.exe windeft.exe PID 2676 wrote to memory of 3032 2676 windeft.exe windeft.exe PID 2676 wrote to memory of 3032 2676 windeft.exe windeft.exe PID 2676 wrote to memory of 3032 2676 windeft.exe windeft.exe PID 3032 wrote to memory of 1680 3032 windeft.exe cmd.exe PID 3032 wrote to memory of 1680 3032 windeft.exe cmd.exe PID 3032 wrote to memory of 1680 3032 windeft.exe cmd.exe PID 3032 wrote to memory of 1680 3032 windeft.exe cmd.exe PID 1680 wrote to memory of 2712 1680 cmd.exe regedit.exe PID 1680 wrote to memory of 2712 1680 cmd.exe regedit.exe PID 1680 wrote to memory of 2712 1680 cmd.exe regedit.exe PID 1680 wrote to memory of 2712 1680 cmd.exe regedit.exe PID 3032 wrote to memory of 2620 3032 windeft.exe windeft.exe PID 3032 wrote to memory of 2620 3032 windeft.exe windeft.exe PID 3032 wrote to memory of 2620 3032 windeft.exe windeft.exe PID 3032 wrote to memory of 2620 3032 windeft.exe windeft.exe PID 2620 wrote to memory of 2704 2620 windeft.exe cmd.exe PID 2620 wrote to memory of 2704 2620 windeft.exe cmd.exe PID 2620 wrote to memory of 2704 2620 windeft.exe cmd.exe PID 2620 wrote to memory of 2704 2620 windeft.exe cmd.exe PID 2704 wrote to memory of 1520 2704 cmd.exe regedit.exe PID 2704 wrote to memory of 1520 2704 cmd.exe regedit.exe PID 2704 wrote to memory of 1520 2704 cmd.exe regedit.exe PID 2704 wrote to memory of 1520 2704 cmd.exe regedit.exe PID 2620 wrote to memory of 2736 2620 windeft.exe windeft.exe PID 2620 wrote to memory of 2736 2620 windeft.exe windeft.exe PID 2620 wrote to memory of 2736 2620 windeft.exe windeft.exe PID 2620 wrote to memory of 2736 2620 windeft.exe windeft.exe PID 2736 wrote to memory of 1956 2736 windeft.exe cmd.exe PID 2736 wrote to memory of 1956 2736 windeft.exe cmd.exe PID 2736 wrote to memory of 1956 2736 windeft.exe cmd.exe PID 2736 wrote to memory of 1956 2736 windeft.exe cmd.exe PID 1956 wrote to memory of 2212 1956 cmd.exe regedit.exe PID 1956 wrote to memory of 2212 1956 cmd.exe regedit.exe PID 1956 wrote to memory of 2212 1956 cmd.exe regedit.exe PID 1956 wrote to memory of 2212 1956 cmd.exe regedit.exe PID 2736 wrote to memory of 2976 2736 windeft.exe windeft.exe PID 2736 wrote to memory of 2976 2736 windeft.exe windeft.exe PID 2736 wrote to memory of 2976 2736 windeft.exe windeft.exe PID 2736 wrote to memory of 2976 2736 windeft.exe windeft.exe PID 2976 wrote to memory of 2816 2976 windeft.exe cmd.exe PID 2976 wrote to memory of 2816 2976 windeft.exe cmd.exe PID 2976 wrote to memory of 2816 2976 windeft.exe cmd.exe PID 2976 wrote to memory of 2816 2976 windeft.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg3⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windeft.exeC:\Windows\system32\windeft.exe 460 "C:\Users\Admin\AppData\Local\Temp\040b4afe44ae7bb9ebe08445c2bed93a_JaffaCakes118.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windeft.exeC:\Windows\system32\windeft.exe 536 "C:\Windows\SysWOW64\windeft.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg5⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windeft.exeC:\Windows\system32\windeft.exe 540 "C:\Windows\SysWOW64\windeft.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg6⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windeft.exeC:\Windows\system32\windeft.exe 544 "C:\Windows\SysWOW64\windeft.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg7⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windeft.exeC:\Windows\system32\windeft.exe 548 "C:\Windows\SysWOW64\windeft.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat7⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg8⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windeft.exeC:\Windows\system32\windeft.exe 552 "C:\Windows\SysWOW64\windeft.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat8⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg9⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windeft.exeC:\Windows\system32\windeft.exe 556 "C:\Windows\SysWOW64\windeft.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat9⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg10⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windeft.exeC:\Windows\system32\windeft.exe 560 "C:\Windows\SysWOW64\windeft.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat10⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg11⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windeft.exeC:\Windows\system32\windeft.exe 564 "C:\Windows\SysWOW64\windeft.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat11⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg12⤵
- Modifies security service
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\windeft.exeC:\Windows\system32\windeft.exe 568 "C:\Windows\SysWOW64\windeft.exe"11⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\cmd.execmd /c c:\a.bat12⤵
-
C:\Windows\SysWOW64\regedit.exeREGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg13⤵
- Modifies security service
- Runs .reg file with regedit
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1.regFilesize
574B
MD55020988c301a6bf0c54a293ddf64837c
SHA15b65e689a2988b9a739d53565b2a847f20d70f09
SHA256a123ebc1fac86713cdd7c4a511e022783a581ea02ba65ea18360555706ae5f2d
SHA512921a07597f8c82c65c675f5b09a2552c7e2e8c65c8df59eebbe9aff0bfe439ad93f5efc97ba521be31299323051d61ead6a3f0be27302dc0f728b7a844fb2fcf
-
C:\Users\Admin\AppData\Local\Temp\1.regFilesize
3KB
MD59e5db93bd3302c217b15561d8f1e299d
SHA195a5579b336d16213909beda75589fd0a2091f30
SHA256f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a
-
C:\Users\Admin\AppData\Local\Temp\1.regFilesize
476B
MD5a5d4cddfecf34e5391a7a3df62312327
SHA104a3c708bab0c15b6746cf9dbf41a71c917a98b9
SHA2568961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a
SHA51248024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643
-
C:\Users\Admin\AppData\Local\Temp\1.regFilesize
1KB
MD5c1e5f93e2bee9ca33872764d8889de23
SHA1167f65adfc34a0e47cb7de92cc5958ee8905796a
SHA2568f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a
SHA512482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859
-
C:\Users\Admin\AppData\Local\Temp\1.regFilesize
2KB
MD5e6d8af5aed642209c88269bf56af50ae
SHA1633d40da997074dc0ed10938ebc49a3aeb3a7fc8
SHA256550abc09abce5b065d360dfea741ab7dd8abbe2ea11cd46b093632860775baec
SHA5126949fc255c1abf009ecbe0591fb6dbfd96409ee98ae438dbac8945684ccf694c046d5b51d2bf7679c1e02f42e8f32e8e29a9b7bdbc84442bec0497b64dfa84cf
-
C:\Users\Admin\AppData\Local\Temp\1.regFilesize
1KB
MD5a57e37dfb6f88b2d04424936ed0b4afb
SHA135e2f81486b8420b88b7693ad3e92f846367cb12
SHA256411f47af20b97f1fe35d3ff6f2a03a77301c8bee20cdfd4638a68430af77456d
SHA51241f683cc837a2ac36eaf8c32ac336534d329eb482c1a7bd23728b3878492ce79488647df4746701c15254e552e3460f8efa8cec9448a252146596c7926dff448
-
C:\a.batFilesize
5KB
MD50019a0451cc6b9659762c3e274bc04fb
SHA15259e256cc0908f2846e532161b989f1295f479b
SHA256ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904
-
\Windows\SysWOW64\windeft.exeFilesize
115KB
MD5040b4afe44ae7bb9ebe08445c2bed93a
SHA19e4ed8f203c42ee51432b61c45b8d53eb939c2b0
SHA2561598031e1fa133953d15523f253a5183076f81446f9ecf6d81b68b62e010b198
SHA512a319c52ed39875b0337217954d9fc34c9d4aca705d8875e8cfc11020bc21114eda589b20c399c5dd92544bccf7b4ab42919b67673b6f7e3e1d8fb2b285f77205
-
memory/776-1259-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/776-1249-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/776-1369-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/956-884-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/956-994-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/956-998-0x0000000002940000-0x0000000002A7E000-memory.dmpFilesize
1.2MB
-
memory/956-1001-0x0000000002940000-0x0000000002A7E000-memory.dmpFilesize
1.2MB
-
memory/1184-869-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/1184-750-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/1184-883-0x0000000002820000-0x000000000295E000-memory.dmpFilesize
1.2MB
-
memory/1184-759-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/1184-881-0x0000000002820000-0x000000000295E000-memory.dmpFilesize
1.2MB
-
memory/2028-1248-0x0000000002920000-0x0000000002A5E000-memory.dmpFilesize
1.2MB
-
memory/2028-1257-0x0000000002920000-0x0000000002A5E000-memory.dmpFilesize
1.2MB
-
memory/2028-1134-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2028-1123-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2028-1244-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2548-1009-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2548-999-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2548-1119-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2548-1125-0x0000000002890000-0x00000000029CE000-memory.dmpFilesize
1.2MB
-
memory/2548-1133-0x0000000002890000-0x00000000029CE000-memory.dmpFilesize
1.2MB
-
memory/2620-507-0x00000000028B0000-0x00000000029EE000-memory.dmpFilesize
1.2MB
-
memory/2620-508-0x00000000028B0000-0x00000000029EE000-memory.dmpFilesize
1.2MB
-
memory/2620-494-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2620-384-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2620-375-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2676-250-0x0000000002940000-0x0000000002A7E000-memory.dmpFilesize
1.2MB
-
memory/2676-129-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2676-240-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/2676-239-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2676-245-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2676-249-0x0000000002940000-0x0000000002A7E000-memory.dmpFilesize
1.2MB
-
memory/2736-509-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2736-498-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2736-623-0x00000000028B0000-0x00000000029EE000-memory.dmpFilesize
1.2MB
-
memory/2736-619-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2736-624-0x00000000028B0000-0x00000000029EE000-memory.dmpFilesize
1.2MB
-
memory/2768-244-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2768-131-0x0000000002880000-0x00000000029BE000-memory.dmpFilesize
1.2MB
-
memory/2768-163-0x0000000002880000-0x00000000029BE000-memory.dmpFilesize
1.2MB
-
memory/2768-1-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2768-4-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/2768-0-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2976-633-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2976-749-0x0000000002990000-0x0000000002ACE000-memory.dmpFilesize
1.2MB
-
memory/2976-748-0x0000000002990000-0x0000000002ACE000-memory.dmpFilesize
1.2MB
-
memory/2976-744-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/2976-625-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/3032-374-0x0000000002870000-0x00000000029AE000-memory.dmpFilesize
1.2MB
-
memory/3032-370-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/3032-251-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB
-
memory/3032-260-0x0000000000400000-0x000000000053DAFB-memory.dmpFilesize
1.2MB