Analysis
-
max time kernel
146s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
18-06-2024 11:22
Static task
static1
Behavioral task
behavioral1
Sample
bbaaca3df24ceb257d22854cac390f46_JaffaCakes118.rtf
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
bbaaca3df24ceb257d22854cac390f46_JaffaCakes118.rtf
Resource
win10v2004-20240508-en
General
-
Target
bbaaca3df24ceb257d22854cac390f46_JaffaCakes118.rtf
-
Size
973KB
-
MD5
bbaaca3df24ceb257d22854cac390f46
-
SHA1
42eabeb3ee7475b1a68babe2aa96118c6c3e6e1e
-
SHA256
5c7e88f3840237ba479019cc2c86421db7f695c13dfeffe7f2db121158e42d81
-
SHA512
abc5b31f99bd39862fa6adad60191bcb26f9fcfd72c12bb67dca62dc6064858ee67b4bc8498a2eaf629a820bb2528d0a8a534c3a2375735008c5c4f4223e041e
-
SSDEEP
24576:s4zQaPkDpZdKUUyUn6HaNpKwD0gpV6HwR:J
Malware Config
Extracted
formbook
3.8
xa
laplayaencantada.net
francesemartin.biz
mydailyadverts.biz
themansiononwalnut.com
kccoin.net
lighthousenw.net
ideadubai.com
coat.ink
happiestmarriage101.com
god16.com
datecleanse.com
559453.top
nagwarerecords.com
xn--husw9zrks.com
welfarereform.net
grupocastedia.com
aqua-armor.online
hopugo.com
mylovesociety.com
exploremusicjax.com
allizo-finance.com
tcfdwx.com
sc.company
gpkpdbj.com
sbawar.com
truemed-shop.com
logantherapy.com
mjstfy.men
gahannalionsroar.com
nativelychicoil.com
seepalmdeserthomesforsale.com
bigsuvfan.live
baoxianxian.com
pakietowaniewakacji.com
slot44.online
johncparsons2.net
wanjiahuishou.com
healthcare-analytics-uk.com
awoara.com
aspenpic.com
godlysaw.cat
6xv2ebf.info
eczvpo.men
gzjrkj.net
softland.biz
customercarehelp.net
6095rr.com
salshowdocesesalgados.com
sckltm.info
wykmall.com
networksupport.world
170crestviewdrive.com
tahchinfoods.com
vqovi.info
patrickheffernanlighting.com
oilheatcare.com
smallcapwonder.com
6figureacademic.com
jsthxp.men
strengthexplain.net
commentchatva.com
multiuniverstring.com
coolveer.com
provenexecs.net
mansiobbok.com
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 2640 2852 cmd.exe WINWORD.EXE -
Formbook payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/3032-24-0x0000000000400000-0x0000000000475000-memory.dmp formbook behavioral1/memory/3032-27-0x0000000000400000-0x0000000000475000-memory.dmp formbook -
Executes dropped EXE 1 IoCs
Processes:
exe.exepid process 3032 exe.exe -
Loads dropped DLL 1 IoCs
Processes:
cmd.exepid process 2640 cmd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
netsh.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KRWXSZIXGV = "C:\\Program Files (x86)\\X2dg\\IconCacherffpsz.exe" netsh.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
exe.exenetsh.exedescription pid process target process PID 3032 set thread context of 1216 3032 exe.exe Explorer.EXE PID 1636 set thread context of 1216 1636 netsh.exe Explorer.EXE -
Drops file in Program Files directory 1 IoCs
Processes:
netsh.exedescription ioc process File opened for modification C:\Program Files (x86)\X2dg\IconCacherffpsz.exe netsh.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 2708 taskkill.exe -
Processes:
netsh.exeWINWORD.EXEdescription ioc process Key created \Registry\User\S-1-5-21-39690363-730359138-1046745555-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 netsh.exe Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2852 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
exe.exenetsh.exepid process 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 3032 exe.exe 1636 netsh.exe 1636 netsh.exe 1636 netsh.exe 1636 netsh.exe 1636 netsh.exe 1636 netsh.exe 1636 netsh.exe 1636 netsh.exe 1636 netsh.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
exe.exenetsh.exepid process 3032 exe.exe 3032 exe.exe 3032 exe.exe 1636 netsh.exe 1636 netsh.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
taskkill.exeexe.exeExplorer.EXEnetsh.exedescription pid process Token: SeDebugPrivilege 2708 taskkill.exe Token: SeDebugPrivilege 3032 exe.exe Token: SeShutdownPrivilege 1216 Explorer.EXE Token: SeDebugPrivilege 1636 netsh.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1216 Explorer.EXE 1216 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1216 Explorer.EXE 1216 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2852 WINWORD.EXE 2852 WINWORD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
WINWORD.EXEcmd.execmd.execmd.exedescription pid process target process PID 2852 wrote to memory of 2640 2852 WINWORD.EXE cmd.exe PID 2852 wrote to memory of 2640 2852 WINWORD.EXE cmd.exe PID 2852 wrote to memory of 2640 2852 WINWORD.EXE cmd.exe PID 2852 wrote to memory of 2640 2852 WINWORD.EXE cmd.exe PID 2640 wrote to memory of 3032 2640 cmd.exe exe.exe PID 2640 wrote to memory of 3032 2640 cmd.exe exe.exe PID 2640 wrote to memory of 3032 2640 cmd.exe exe.exe PID 2640 wrote to memory of 3032 2640 cmd.exe exe.exe PID 2640 wrote to memory of 2708 2640 cmd.exe taskkill.exe PID 2640 wrote to memory of 2708 2640 cmd.exe taskkill.exe PID 2640 wrote to memory of 2708 2640 cmd.exe taskkill.exe PID 2640 wrote to memory of 2708 2640 cmd.exe taskkill.exe PID 2640 wrote to memory of 2988 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2988 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2988 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2988 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2528 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2528 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2528 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2528 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2952 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2952 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2952 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2952 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2164 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2164 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2164 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2164 2640 cmd.exe reg.exe PID 2640 wrote to memory of 1740 2640 cmd.exe reg.exe PID 2640 wrote to memory of 1740 2640 cmd.exe reg.exe PID 2640 wrote to memory of 1740 2640 cmd.exe reg.exe PID 2640 wrote to memory of 1740 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2468 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2468 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2468 2640 cmd.exe reg.exe PID 2640 wrote to memory of 2468 2640 cmd.exe reg.exe PID 2640 wrote to memory of 1996 2640 cmd.exe reg.exe PID 2640 wrote to memory of 1996 2640 cmd.exe reg.exe PID 2640 wrote to memory of 1996 2640 cmd.exe reg.exe PID 2640 wrote to memory of 1996 2640 cmd.exe reg.exe PID 2640 wrote to memory of 1116 2640 cmd.exe reg.exe PID 2640 wrote to memory of 1116 2640 cmd.exe reg.exe PID 2640 wrote to memory of 1116 2640 cmd.exe reg.exe PID 2640 wrote to memory of 1116 2640 cmd.exe reg.exe PID 2640 wrote to memory of 1508 2640 cmd.exe cmd.exe PID 2640 wrote to memory of 1508 2640 cmd.exe cmd.exe PID 2640 wrote to memory of 1508 2640 cmd.exe cmd.exe PID 2640 wrote to memory of 1508 2640 cmd.exe cmd.exe PID 1508 wrote to memory of 584 1508 cmd.exe reg.exe PID 1508 wrote to memory of 584 1508 cmd.exe reg.exe PID 1508 wrote to memory of 584 1508 cmd.exe reg.exe PID 1508 wrote to memory of 584 1508 cmd.exe reg.exe PID 2640 wrote to memory of 568 2640 cmd.exe cmd.exe PID 2640 wrote to memory of 568 2640 cmd.exe cmd.exe PID 2640 wrote to memory of 568 2640 cmd.exe cmd.exe PID 2640 wrote to memory of 568 2640 cmd.exe cmd.exe PID 568 wrote to memory of 664 568 cmd.exe reg.exe PID 568 wrote to memory of 664 568 cmd.exe reg.exe PID 568 wrote to memory of 664 568 cmd.exe reg.exe PID 568 wrote to memory of 664 568 cmd.exe reg.exe PID 2640 wrote to memory of 332 2640 cmd.exe cmd.exe PID 2640 wrote to memory of 332 2640 cmd.exe cmd.exe PID 2640 wrote to memory of 332 2640 cmd.exe cmd.exe PID 2640 wrote to memory of 332 2640 cmd.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bbaaca3df24ceb257d22854cac390f46_JaffaCakes118.rtf"2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\task.bat3⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\exe.exeC:\Users\Admin\AppData\Local\Temp\exe.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winword.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f4⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f4⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f4⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f4⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f4⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f4⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f4⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"4⤵
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"4⤵
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"4⤵
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"4⤵
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"4⤵
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"4⤵
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"5⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\exe.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\exe.exeFilesize
448KB
MD5a98ad56c847fca4da5b855bd1769e43b
SHA1e11cac2e8d5861bd2423633eb18610d9350c29e7
SHA256a8907640e46c8801627308581705a44407f60e251b0472965628a22cad9d3b4f
SHA512be5237f5ed05d97524c3dca04e3146129fdb4b534bde21b0380da1d704e20802413e733274e5b20127abe95f3864fca96efaf0b0d2d6c956bf143e5f9f862b38
-
C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sctFilesize
423B
MD537d1f4b225ea7008a1a5c0641d99a8a0
SHA152885e4d80a630d7975d4cb979f7fe75805c1453
SHA25658ed6afc4e6b704e28a95bf35150ff767582e71f996009531dd81fe5251c4b7b
SHA5127572f2e8df62c2abf30ab45a8bc83af9008b11933d3a745dfb9ad3687089872cd1b7eeb2e1a1a941014257a9b349d189c662b34f980d40d734561e5211125578
-
C:\Users\Admin\AppData\Local\Temp\task.batFilesize
2KB
MD587aa6f8b236f77ea6ba2960e339a2418
SHA1de6de0f0344693ff9fbc1c342867afee5bce3725
SHA256cd0170e8e982ec7e87a916d1fd137a7e056c97f64b269eb7696b361bc9c7d1b2
SHA512132dc475f5189d3f63fcbbff5dd7e74a8262270121710a936b91e450979b67e6f205123c5cd063fe01520cf0d67c7082f5dbff04261aeb48776e6e9c9ce0d7d8
-
C:\Users\Admin\AppData\Roaming\LLAMPA5E\LLAlogim.jpegFilesize
72KB
MD5e515043b919b1fc24aa0774d6db7ae5c
SHA10217c5093d5934525fa7f985001f0fdb768e8aac
SHA2561228c4881989f90e14c38e72b831ca069a0146f4d069bbd4d3cec9d0d8b1df7f
SHA51257fe3340fb1f15848a2f36dff2603204d1099f20368b6c14aa4fe42a7696666b16cfb9d9cc11025b462c1fbac85c674134ada24b27975895bbed4ab10f4d8b8e
-
C:\Users\Admin\AppData\Roaming\LLAMPA5E\LLAlogri.iniFilesize
40B
MD5d63a82e5d81e02e399090af26db0b9cb
SHA191d0014c8f54743bba141fd60c9d963f869d76c9
SHA256eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA51238afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
-
C:\Users\Admin\AppData\Roaming\LLAMPA5E\LLAlogrv.iniFilesize
40B
MD5ba3b6bc807d4f76794c4b81b09bb9ba5
SHA124cb89501f0212ff3095ecc0aba97dd563718fb1
SHA2566eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf
-
memory/1216-25-0x0000000002E40000-0x0000000002F40000-memory.dmpFilesize
1024KB
-
memory/1216-32-0x0000000006A70000-0x0000000006B37000-memory.dmpFilesize
796KB
-
memory/1636-26-0x0000000000910000-0x000000000092B000-memory.dmpFilesize
108KB
-
memory/2852-0-0x000000002F601000-0x000000002F602000-memory.dmpFilesize
4KB
-
memory/2852-23-0x000000007173D000-0x0000000071748000-memory.dmpFilesize
44KB
-
memory/2852-2-0x000000007173D000-0x0000000071748000-memory.dmpFilesize
44KB
-
memory/2852-1-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/3032-27-0x0000000000400000-0x0000000000475000-memory.dmpFilesize
468KB
-
memory/3032-24-0x0000000000400000-0x0000000000475000-memory.dmpFilesize
468KB