Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
28-06-2024 04:09
Static task
static1
Behavioral task
behavioral1
Sample
18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe
Resource
win10v2004-20240611-en
General
-
Target
18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe
-
Size
271KB
-
MD5
18b9ffa8777c84994dd00d55d1d9f279
-
SHA1
67687a599890925fd59698e574b9f4d27b5ea33e
-
SHA256
44523c55625993a786873e2ff8fcec8a09733b1d62bb8bbe3ba70472630fc531
-
SHA512
92872fb6c9ce0e3ff12393c4e735f59c5edd4db2dd86980b58d021c499dfb0d0b8608f87493c4f169106501b48f2fb84f80cfac19d8fb87cbf8c0971247cd232
-
SSDEEP
6144:Wpq2BEEea7c8L7C7FB+P72WfxX2iGZTbIeLFLjs3glZ4Z:WgqEEea7tL7C7LxWffGvjeglZ4Z
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Processes:
msvcnu32.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msvcnu32.exe -
ModiLoader Second Stage 16 IoCs
Processes:
resource yara_rule behavioral2/memory/2352-92-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral2/memory/3852-110-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral2/memory/3852-115-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral2/memory/3852-118-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral2/memory/3852-120-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral2/memory/3852-124-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral2/memory/3852-128-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral2/memory/3852-132-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral2/memory/3852-136-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral2/memory/3852-140-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral2/memory/3852-144-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral2/memory/3852-148-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral2/memory/3852-152-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral2/memory/3852-156-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral2/memory/3852-160-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 behavioral2/memory/3852-164-0x0000000000400000-0x0000000000450000-memory.dmp modiloader_stage2 -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe26834.exe95534.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation 26834.exe Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation 95534.exe -
Executes dropped EXE 4 IoCs
Processes:
26834.exe95534.exesvchost.exemsvcnu32.exepid process 4200 26834.exe 2352 95534.exe 4708 svchost.exe 3852 msvcnu32.exe -
Loads dropped DLL 7 IoCs
Processes:
26834.exesvchost.exemsvcnu32.exepid process 4200 26834.exe 4708 svchost.exe 3852 msvcnu32.exe 3852 msvcnu32.exe 3852 msvcnu32.exe 3852 msvcnu32.exe 3852 msvcnu32.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\95534.exe upx behavioral2/memory/2352-33-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/2352-92-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3852-110-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3852-115-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3852-118-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3852-120-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3852-124-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3852-128-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3852-132-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3852-136-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3852-140-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3852-144-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3852-148-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3852-152-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3852-156-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3852-160-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3852-164-0x0000000000400000-0x0000000000450000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
26834.exemsvcnu32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe" 26834.exe Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msvcnu32 = "C:\\Windows\\msvcnu32.exe" msvcnu32.exe -
Processes:
95534.exemsvcnu32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 95534.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA msvcnu32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msvcnu32.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
svchost.exedescription ioc process File opened (read-only) \??\G: svchost.exe File opened (read-only) \??\O: svchost.exe File opened (read-only) \??\R: svchost.exe File opened (read-only) \??\S: svchost.exe File opened (read-only) \??\V: svchost.exe File opened (read-only) \??\W: svchost.exe File opened (read-only) \??\I: svchost.exe File opened (read-only) \??\K: svchost.exe File opened (read-only) \??\N: svchost.exe File opened (read-only) \??\P: svchost.exe File opened (read-only) \??\Q: svchost.exe File opened (read-only) \??\E: svchost.exe File opened (read-only) \??\X: svchost.exe File opened (read-only) \??\Z: svchost.exe File opened (read-only) \??\U: svchost.exe File opened (read-only) \??\Y: svchost.exe File opened (read-only) \??\H: svchost.exe File opened (read-only) \??\J: svchost.exe File opened (read-only) \??\L: svchost.exe File opened (read-only) \??\M: svchost.exe File opened (read-only) \??\T: svchost.exe -
Drops file in System32 directory 4 IoCs
Processes:
26834.exesvchost.exedescription ioc process File created C:\Windows\SysWOW64\vcmgcd32.dl_ 26834.exe File created C:\Windows\SysWOW64\vcmgcd32.dll 26834.exe File opened for modification C:\Windows\SysWOW64\vcmgcd32.dl_ svchost.exe File opened for modification C:\Windows\SysWOW64\vcmgcd32.dll svchost.exe -
Drops file in Program Files directory 12 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe svchost.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe svchost.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe svchost.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe svchost.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe svchost.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe svchost.exe File opened for modification C:\PROGRAM FILES (X86)\COMMON FILES\JAVA\JAVA UPDATE\JUSCHED.EXE svchost.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe svchost.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe svchost.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe svchost.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe svchost.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe svchost.exe -
Drops file in Windows directory 6 IoCs
Processes:
msvcnu32.exesvchost.exe26834.exe95534.exedescription ioc process File created C:\Windows\cmsetac.dll msvcnu32.exe File opened for modification C:\WINDOWS\MSVCNU32.EXE svchost.exe File opened for modification C:\Windows\SYSTEM.INI 26834.exe File created C:\Windows\msvcnu32.exe 95534.exe File opened for modification C:\Windows\msvcnu32.exe 95534.exe File created C:\Windows\ntdtcstp.dll msvcnu32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
26834.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 26834.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
svchost.exemsvcnu32.exepid process 4708 svchost.exe 4708 svchost.exe 3852 msvcnu32.exe 3852 msvcnu32.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
95534.exevssvc.exemsvcnu32.exedescription pid process Token: SeDebugPrivilege 2352 95534.exe Token: SeBackupPrivilege 2656 vssvc.exe Token: SeRestorePrivilege 2656 vssvc.exe Token: SeAuditPrivilege 2656 vssvc.exe Token: SeDebugPrivilege 3852 msvcnu32.exe Token: SeDebugPrivilege 3852 msvcnu32.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
26834.exesvchost.exemsvcnu32.exepid process 4200 26834.exe 4708 svchost.exe 3852 msvcnu32.exe 3852 msvcnu32.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe26834.exe95534.exedescription pid process target process PID 1540 wrote to memory of 4200 1540 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe 26834.exe PID 1540 wrote to memory of 4200 1540 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe 26834.exe PID 1540 wrote to memory of 4200 1540 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe 26834.exe PID 1540 wrote to memory of 2352 1540 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe 95534.exe PID 1540 wrote to memory of 2352 1540 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe 95534.exe PID 1540 wrote to memory of 2352 1540 18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe 95534.exe PID 4200 wrote to memory of 4708 4200 26834.exe svchost.exe PID 4200 wrote to memory of 4708 4200 26834.exe svchost.exe PID 4200 wrote to memory of 4708 4200 26834.exe svchost.exe PID 2352 wrote to memory of 3852 2352 95534.exe msvcnu32.exe PID 2352 wrote to memory of 3852 2352 95534.exe msvcnu32.exe PID 2352 wrote to memory of 3852 2352 95534.exe msvcnu32.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
msvcnu32.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msvcnu32.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\18b9ffa8777c84994dd00d55d1d9f279_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\26834.exe"C:\Users\Admin\AppData\Local\Temp\26834.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\95534.exe"C:\Users\Admin\AppData\Local\Temp\95534.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\msvcnu32.exe"C:\Windows\msvcnu32.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\26834.exeFilesize
142KB
MD535aff1b50d81dbcd833b6c23ee192894
SHA185ef9c2be6669a2ee8b52988b1ecc50cac5f7f3b
SHA2568f2fa965e1ef653c1f2514d8a5a234ca7fb5a26d101f815f98adbf4307643e79
SHA5121530072a370c3ceb3e0d9428feeb4eea342604911f2f1963c905a09aa53aaec5707bcf72f70b86f577e4d7834c4101c2377abd4e1d02fff91d5cf647e44faafb
-
C:\Users\Admin\AppData\Local\Temp\95534.exeFilesize
109KB
MD53a1f155b71223ef8f617d73b2aad273b
SHA157df3e31536ac258e01c2f66c980468b83313f1f
SHA256898250c781d1a65e41db8817d02f11955d28215c9d432c06260706863a1b4921
SHA51256678ba5afc8e63884f3e568e9297b7f88e904376b2cafc763f9d01b544f1d1a6fa5cf18f33205fbffa1c65a8c9cfb49f251976903f20520ee43698f077e112c
-
C:\Windows\SYSTEM.INIFilesize
259B
MD55141c4bc0236745336acd19764f463ee
SHA162c569217b64d20d5683c9854de86434b29cbad6
SHA2563e12c485b9f4a99290f2d88d24c5cb152fa899628b816118f1a148f4f53869e3
SHA5120b15f8cad28cc30d100df808d80740ede7fa98717f15e76a055fbc837e15d85897ac27ebc3ca5299ad4637a2a246fc79c6e0d790488e0a86fad6de79a03303b4
-
C:\Windows\SysWOW64\vcmgcd32.dl_Filesize
17KB
MD565ec81c36efd75f8e4490b0d42aa2ced
SHA19be34710a967a4ecd5a7e6be0568bf8e2d9be007
SHA256021dde0dc1ee1a9fd800a889885e91f345acc916fb852850f0adb0257903fa04
SHA5127ece65926ca500015b0722e2c0d071124dc951accad36390a4aee62da72ecf592e54ff815e5de056696102a6a397d6b9c5d59e263efee7e1582e303348194bdd
-
C:\Windows\SysWOW64\vcmgcd32.dllFilesize
36KB
MD5ae22ca9f11ade8e362254b452cc07f78
SHA14b3cb548c547d3be76e571e0579a609969b05975
SHA25620cbcc9d1e6bd3c7ccacbe81fd26551b2ccfc02c00e8f948b9e9016c8b401db6
SHA5129e1c725758a284ec9132f393a0b27b019a7dde32dc0649b468152876b1c77b195abc9689b732144d8c5b4d0b5fcb960a3074264cab75e6681932d3da2a644bc1
-
C:\Windows\cmsetac.dllFilesize
33KB
MD5c970ccd2d8f5f335a07b950f0b474ac2
SHA132b16e0ed9aa94f56aecf5f74e9a6ad73d288ad4
SHA256d6cfd2c79f82f44cfc32b7d1a2e54c3bdb68c0cc1a086785d61df9a4e860ca24
SHA5120803a9d966b300458583a8d56019cc69fd9cd365fd48141cac1a3cbf8690371ff5584de4317e27d20438c9678bb24ed363c849b7816f1d6def0b258ddd8c5c61
-
C:\Windows\ntdtcstp.dllFilesize
7KB
MD567587e25a971a141628d7f07bd40ffa0
SHA176fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA5126e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350
-
memory/1540-4-0x00007FF80BC70000-0x00007FF80C611000-memory.dmpFilesize
9.6MB
-
memory/1540-0-0x00007FF80BF25000-0x00007FF80BF26000-memory.dmpFilesize
4KB
-
memory/1540-5-0x000000001C350000-0x000000001C3EC000-memory.dmpFilesize
624KB
-
memory/1540-3-0x000000001C150000-0x000000001C1F6000-memory.dmpFilesize
664KB
-
memory/1540-35-0x00007FF80BC70000-0x00007FF80C611000-memory.dmpFilesize
9.6MB
-
memory/1540-2-0x000000001BBD0000-0x000000001C09E000-memory.dmpFilesize
4.8MB
-
memory/1540-1-0x00007FF80BC70000-0x00007FF80C611000-memory.dmpFilesize
9.6MB
-
memory/2352-33-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/2352-92-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/2352-89-0x0000000000920000-0x0000000000921000-memory.dmpFilesize
4KB
-
memory/3852-140-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3852-144-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3852-164-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3852-160-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3852-156-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3852-103-0x00000000023A0000-0x00000000023AE000-memory.dmpFilesize
56KB
-
memory/3852-152-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3852-108-0x0000000010000000-0x0000000010011000-memory.dmpFilesize
68KB
-
memory/3852-148-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3852-110-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3852-111-0x0000000000970000-0x0000000000978000-memory.dmpFilesize
32KB
-
memory/3852-112-0x00000000023A0000-0x00000000023AE000-memory.dmpFilesize
56KB
-
memory/3852-136-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3852-115-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3852-118-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3852-132-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3852-120-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3852-128-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3852-124-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/4200-18-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4200-67-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4200-68-0x0000000010000000-0x0000000010011000-memory.dmpFilesize
68KB
-
memory/4200-32-0x0000000010000000-0x0000000010011000-memory.dmpFilesize
68KB
-
memory/4708-113-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4708-109-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4708-139-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4708-135-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4708-143-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4708-80-0x0000000010000000-0x0000000010011000-memory.dmpFilesize
68KB
-
memory/4708-147-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4708-127-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4708-151-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4708-119-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4708-155-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4708-131-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4708-159-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4708-70-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4708-163-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4708-123-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB