Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
28-06-2024 02:25
Static task
static1
Behavioral task
behavioral1
Sample
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe
Resource
win7-20240220-en
General
-
Target
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe
-
Size
380KB
-
MD5
18737b20ca2a0bcf0232b95229848466
-
SHA1
8af1dfa28307544dd3fbd7124702d2586ebf4b3a
-
SHA256
e3a4af22b0ede7f828047006daea93264dbe240d4d7f6c64152a33610142f988
-
SHA512
3e265b2a600ed420fee6e0d10981c476cfa95339668db4471fa92b98990d61103ddc2ea0f53a7455b7131352a34e6f0520476b064423446d111d4a8d26eabf88
-
SSDEEP
6144:0JzXTQXmPq7hxcxEApZniZDnvN+2ekPam0V69RjSBBpQyKdU/wz/OGP5lDfpo:qMXmPq7heESUw2mxxBpUW/wz/OGPP6
Malware Config
Extracted
latentbot
darkbluecomet.zapto.org
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe -
Modifies firewall policy service 3 TTPs 3 IoCs
Processes:
winupdate.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" winupdate.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" winupdate.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
winupdate.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" winupdate.exe -
Processes:
winupdate.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exeattrib.exepid process 1824 attrib.exe 2724 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
Processes:
winupdate.exewinupdate.exepid process 3080 winupdate.exe 5016 winupdate.exe -
Processes:
resource yara_rule behavioral2/memory/4144-3-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/4144-2-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/4144-4-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/4144-5-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/4144-6-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/4144-10-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/4144-68-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-76-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-75-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-80-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-79-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-78-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-77-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-81-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-82-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-83-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-84-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-85-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-86-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-87-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-88-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-89-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-90-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-91-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-92-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-93-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-94-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-95-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/5016-96-0x0000000000400000-0x00000000004B9000-memory.dmp upx -
Processes:
winupdate.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winupdate.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exewinupdate.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" winupdate.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exewinupdate.exedescription pid process target process PID 2876 set thread context of 4144 2876 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 3080 set thread context of 5016 3080 winupdate.exe winupdate.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
winupdate.exepid process 5016 winupdate.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exewinupdate.exedescription pid process Token: SeIncreaseQuotaPrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeSecurityPrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeLoadDriverPrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeSystemProfilePrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeSystemtimePrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeBackupPrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeRestorePrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeShutdownPrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeDebugPrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeUndockPrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeManageVolumePrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeImpersonatePrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: 33 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: 34 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: 35 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: 36 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 5016 winupdate.exe Token: SeSecurityPrivilege 5016 winupdate.exe Token: SeTakeOwnershipPrivilege 5016 winupdate.exe Token: SeLoadDriverPrivilege 5016 winupdate.exe Token: SeSystemProfilePrivilege 5016 winupdate.exe Token: SeSystemtimePrivilege 5016 winupdate.exe Token: SeProfSingleProcessPrivilege 5016 winupdate.exe Token: SeIncBasePriorityPrivilege 5016 winupdate.exe Token: SeCreatePagefilePrivilege 5016 winupdate.exe Token: SeBackupPrivilege 5016 winupdate.exe Token: SeRestorePrivilege 5016 winupdate.exe Token: SeShutdownPrivilege 5016 winupdate.exe Token: SeDebugPrivilege 5016 winupdate.exe Token: SeSystemEnvironmentPrivilege 5016 winupdate.exe Token: SeChangeNotifyPrivilege 5016 winupdate.exe Token: SeRemoteShutdownPrivilege 5016 winupdate.exe Token: SeUndockPrivilege 5016 winupdate.exe Token: SeManageVolumePrivilege 5016 winupdate.exe Token: SeImpersonatePrivilege 5016 winupdate.exe Token: SeCreateGlobalPrivilege 5016 winupdate.exe Token: 33 5016 winupdate.exe Token: 34 5016 winupdate.exe Token: 35 5016 winupdate.exe Token: 36 5016 winupdate.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exewinupdate.exewinupdate.exepid process 2876 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 3080 winupdate.exe 5016 winupdate.exe -
Suspicious use of WriteProcessMemory 37 IoCs
Processes:
18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe18737b20ca2a0bcf0232b95229848466_JaffaCakes118.execmd.execmd.exewinupdate.execmd.exedescription pid process target process PID 2876 wrote to memory of 4144 2876 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2876 wrote to memory of 4144 2876 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2876 wrote to memory of 4144 2876 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2876 wrote to memory of 4144 2876 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2876 wrote to memory of 4144 2876 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2876 wrote to memory of 4144 2876 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2876 wrote to memory of 4144 2876 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 2876 wrote to memory of 4144 2876 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe PID 4144 wrote to memory of 2028 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 4144 wrote to memory of 2028 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 4144 wrote to memory of 2028 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 4144 wrote to memory of 876 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 4144 wrote to memory of 876 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 4144 wrote to memory of 876 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 876 wrote to memory of 1824 876 cmd.exe attrib.exe PID 876 wrote to memory of 1824 876 cmd.exe attrib.exe PID 876 wrote to memory of 1824 876 cmd.exe attrib.exe PID 2028 wrote to memory of 2724 2028 cmd.exe attrib.exe PID 2028 wrote to memory of 2724 2028 cmd.exe attrib.exe PID 2028 wrote to memory of 2724 2028 cmd.exe attrib.exe PID 4144 wrote to memory of 3080 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe winupdate.exe PID 4144 wrote to memory of 3080 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe winupdate.exe PID 4144 wrote to memory of 3080 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe winupdate.exe PID 4144 wrote to memory of 428 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 4144 wrote to memory of 428 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 4144 wrote to memory of 428 4144 18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe cmd.exe PID 3080 wrote to memory of 5016 3080 winupdate.exe winupdate.exe PID 3080 wrote to memory of 5016 3080 winupdate.exe winupdate.exe PID 3080 wrote to memory of 5016 3080 winupdate.exe winupdate.exe PID 3080 wrote to memory of 5016 3080 winupdate.exe winupdate.exe PID 3080 wrote to memory of 5016 3080 winupdate.exe winupdate.exe PID 3080 wrote to memory of 5016 3080 winupdate.exe winupdate.exe PID 3080 wrote to memory of 5016 3080 winupdate.exe winupdate.exe PID 3080 wrote to memory of 5016 3080 winupdate.exe winupdate.exe PID 428 wrote to memory of 3940 428 cmd.exe PING.EXE PID 428 wrote to memory of 3940 428 cmd.exe PING.EXE PID 428 wrote to memory of 3940 428 cmd.exe PING.EXE -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 1824 attrib.exe 2724 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windupdt\winupdate.exe"C:\Windupdt\winupdate.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windupdt\winupdate.exeC:\Windupdt\winupdate.exe4⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\18737b20ca2a0bcf0232b95229848466_JaffaCakes118.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 54⤵
- Runs ping.exe
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4204,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windupdt\winupdate.exeFilesize
380KB
MD518737b20ca2a0bcf0232b95229848466
SHA18af1dfa28307544dd3fbd7124702d2586ebf4b3a
SHA256e3a4af22b0ede7f828047006daea93264dbe240d4d7f6c64152a33610142f988
SHA5123e265b2a600ed420fee6e0d10981c476cfa95339668db4471fa92b98990d61103ddc2ea0f53a7455b7131352a34e6f0520476b064423446d111d4a8d26eabf88
-
memory/4144-3-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/4144-2-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/4144-4-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/4144-5-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/4144-6-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/4144-10-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/4144-68-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-81-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-86-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-80-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-79-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-78-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-77-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-76-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-82-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-83-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-84-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-85-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-75-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-87-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-88-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-89-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-90-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-91-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-92-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-93-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-94-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-95-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB
-
memory/5016-96-0x0000000000400000-0x00000000004B9000-memory.dmpFilesize
740KB