Analysis
-
max time kernel
61s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
28-06-2024 02:25
Static task
static1
Behavioral task
behavioral1
Sample
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe
Resource
win7-20240220-en
General
-
Target
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe
-
Size
380KB
-
MD5
18737b20ca2a0bcf0232b95229848466
-
SHA1
8af1dfa28307544dd3fbd7124702d2586ebf4b3a
-
SHA256
e3a4af22b0ede7f828047006daea93264dbe240d4d7f6c64152a33610142f988
-
SHA512
3e265b2a600ed420fee6e0d10981c476cfa95339668db4471fa92b98990d61103ddc2ea0f53a7455b7131352a34e6f0520476b064423446d111d4a8d26eabf88
-
SSDEEP
6144:0JzXTQXmPq7hxcxEApZniZDnvN+2ekPam0V69RjSBBpQyKdU/wz/OGP5lDfpo:qMXmPq7heESUw2mxxBpUW/wz/OGPP6
Malware Config
Extracted
latentbot
darkbluecomet.zapto.org
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe -
Modifies firewall policy service 3 TTPs 3 IoCs
Processes:
winupdate.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
winupdate.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" winupdate.exe -
Processes:
winupdate.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exeattrib.exepid process 2720 attrib.exe 2464 attrib.exe -
Executes dropped EXE 2 IoCs
Processes:
winupdate.exewinupdate.exepid process 2680 winupdate.exe 2512 winupdate.exe -
Loads dropped DLL 8 IoCs
Processes:
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exewinupdate.exewinupdate.exepid process 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 2680 winupdate.exe 2680 winupdate.exe 2680 winupdate.exe 2680 winupdate.exe 2512 winupdate.exe 2512 winupdate.exe 2512 winupdate.exe -
Processes:
resource yara_rule behavioral1/memory/2992-4-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2992-5-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2992-8-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2992-10-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2992-9-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2992-11-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2992-12-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2992-13-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2992-25-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2512-42-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2512-46-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2512-47-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2512-49-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2512-52-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2512-51-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2512-50-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2512-48-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2512-53-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2512-54-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral1/memory/2512-55-0x0000000000400000-0x00000000004B9000-memory.dmp upx -
Processes:
winupdate.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exewinupdate.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" winupdate.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exewinupdate.exedescription pid process target process PID 2912 set thread context of 2992 2912 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2680 set thread context of 2512 2680 winupdate.exe winupdate.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
winupdate.exepid process 2512 winupdate.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exewinupdate.exedescription pid process Token: SeIncreaseQuotaPrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeSecurityPrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeLoadDriverPrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeSystemProfilePrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeSystemtimePrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeBackupPrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeRestorePrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeShutdownPrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeDebugPrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeUndockPrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeManageVolumePrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeImpersonatePrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: 33 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: 34 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: 35 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2512 winupdate.exe Token: SeSecurityPrivilege 2512 winupdate.exe Token: SeTakeOwnershipPrivilege 2512 winupdate.exe Token: SeLoadDriverPrivilege 2512 winupdate.exe Token: SeSystemProfilePrivilege 2512 winupdate.exe Token: SeSystemtimePrivilege 2512 winupdate.exe Token: SeProfSingleProcessPrivilege 2512 winupdate.exe Token: SeIncBasePriorityPrivilege 2512 winupdate.exe Token: SeCreatePagefilePrivilege 2512 winupdate.exe Token: SeBackupPrivilege 2512 winupdate.exe Token: SeRestorePrivilege 2512 winupdate.exe Token: SeShutdownPrivilege 2512 winupdate.exe Token: SeDebugPrivilege 2512 winupdate.exe Token: SeSystemEnvironmentPrivilege 2512 winupdate.exe Token: SeChangeNotifyPrivilege 2512 winupdate.exe Token: SeRemoteShutdownPrivilege 2512 winupdate.exe Token: SeUndockPrivilege 2512 winupdate.exe Token: SeManageVolumePrivilege 2512 winupdate.exe Token: SeImpersonatePrivilege 2512 winupdate.exe Token: SeCreateGlobalPrivilege 2512 winupdate.exe Token: 33 2512 winupdate.exe Token: 34 2512 winupdate.exe Token: 35 2512 winupdate.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exewinupdate.exewinupdate.exepid process 2912 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 2680 winupdate.exe 2512 winupdate.exe -
Suspicious use of WriteProcessMemory 50 IoCs
Processes:
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe18737b20ca2a0bcf0232b95229848466_JaffaCakes118.execmd.execmd.execmd.exewinupdate.exedescription pid process target process PID 2912 wrote to memory of 2992 2912 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2912 wrote to memory of 2992 2912 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2912 wrote to memory of 2992 2912 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2912 wrote to memory of 2992 2912 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2912 wrote to memory of 2992 2912 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2912 wrote to memory of 2992 2912 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2912 wrote to memory of 2992 2912 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2912 wrote to memory of 2992 2912 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2992 wrote to memory of 2488 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 2992 wrote to memory of 2488 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 2992 wrote to memory of 2488 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 2992 wrote to memory of 2488 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 2992 wrote to memory of 2548 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 2992 wrote to memory of 2548 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 2992 wrote to memory of 2548 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 2992 wrote to memory of 2548 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 2488 wrote to memory of 2464 2488 cmd.exe attrib.exe PID 2488 wrote to memory of 2464 2488 cmd.exe attrib.exe PID 2488 wrote to memory of 2464 2488 cmd.exe attrib.exe PID 2488 wrote to memory of 2464 2488 cmd.exe attrib.exe PID 2548 wrote to memory of 2720 2548 cmd.exe attrib.exe PID 2548 wrote to memory of 2720 2548 cmd.exe attrib.exe PID 2548 wrote to memory of 2720 2548 cmd.exe attrib.exe PID 2548 wrote to memory of 2720 2548 cmd.exe attrib.exe PID 2992 wrote to memory of 2680 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe winupdate.exe PID 2992 wrote to memory of 2680 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe winupdate.exe PID 2992 wrote to memory of 2680 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe winupdate.exe PID 2992 wrote to memory of 2680 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe winupdate.exe PID 2992 wrote to memory of 2680 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe winupdate.exe PID 2992 wrote to memory of 2680 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe winupdate.exe PID 2992 wrote to memory of 2680 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe winupdate.exe PID 2992 wrote to memory of 1820 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 2992 wrote to memory of 1820 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 2992 wrote to memory of 1820 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 2992 wrote to memory of 1820 2992 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 1820 wrote to memory of 2364 1820 cmd.exe PING.EXE PID 1820 wrote to memory of 2364 1820 cmd.exe PING.EXE PID 1820 wrote to memory of 2364 1820 cmd.exe PING.EXE PID 1820 wrote to memory of 2364 1820 cmd.exe PING.EXE PID 2680 wrote to memory of 2512 2680 winupdate.exe winupdate.exe PID 2680 wrote to memory of 2512 2680 winupdate.exe winupdate.exe PID 2680 wrote to memory of 2512 2680 winupdate.exe winupdate.exe PID 2680 wrote to memory of 2512 2680 winupdate.exe winupdate.exe PID 2680 wrote to memory of 2512 2680 winupdate.exe winupdate.exe PID 2680 wrote to memory of 2512 2680 winupdate.exe winupdate.exe PID 2680 wrote to memory of 2512 2680 winupdate.exe winupdate.exe PID 2680 wrote to memory of 2512 2680 winupdate.exe winupdate.exe PID 2680 wrote to memory of 2512 2680 winupdate.exe winupdate.exe PID 2680 wrote to memory of 2512 2680 winupdate.exe winupdate.exe PID 2680 wrote to memory of 2512 2680 winupdate.exe winupdate.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 2464 attrib.exe 2720 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe4⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 54⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windupdt\winupdate.exeFilesize
380KB
MD518737b20ca2a0bcf0232b95229848466
SHA18af1dfa28307544dd3fbd7124702d2586ebf4b3a
SHA256e3a4af22b0ede7f828047006daea93264dbe240d4d7f6c64152a33610142f988
SHA5123e265b2a600ed420fee6e0d10981c476cfa95339668db4471fa92b98990d61103ddc2ea0f53a7455b7131352a34e6f0520476b064423446d111d4a8d26eabf88
-
memory/2512-51-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2512-54-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2512-53-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2512-48-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2512-50-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2512-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2512-52-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2512-49-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2512-47-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2512-46-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2512-55-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2512-42-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2992-9-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2992-25-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2992-14-0x0000000000260000-0x0000000000261000-memory.dmpFilesize
4KB
-
memory/2992-13-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2992-12-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2992-11-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2992-2-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2992-10-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2992-8-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2992-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2992-5-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/2992-4-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB