Analysis
max time kernel: 150s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 12:58
Static task: static1
Behavioral task: behavioral1
Sample: 1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
Size: 100KB
MD5: 1b6361d297f7566627fbdc7210f3677b
SHA1: 71e9a459b3411cdded8bde271768c30d3297d624
SHA256: 5e996c8d3e0698155e4cd5667b05bac6ba502768d6d52c55b4d4af946665835f
SHA512: a7b56512064e1dfeb2bdb419808a0d69746d1b1b7b28bd5a0c6351c9f84f3cd3f2cc1ae293255c620c451e375b32c4766aa625da89ee839e8b2f5251acf2c770
SSDEEP: 1536:iCFyYNLN3pH9IfzipfR6Za74OxXqHTg7sdwVJS/zbDJSqkH3Oe/Wk8NOISOXq:TgYNLNZdIfzip52jOOUsnFWHeXkvIS
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
Processes:
1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Processes:
1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes:
1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Disables RegEdit via registry modification 1 IoCs
Processes:
1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
Disables Task Manager via registry modification
Processes:
1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Processes:
1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
File opened (read-only) \??\R:
File opened (read-only) \??\V:
File opened (read-only) \??\W:
File opened (read-only) \??\Y:
File opened (read-only) \??\E:
File opened (read-only) \??\P:
File opened (read-only) \??\S:
File opened (read-only) \??\U:
File opened (read-only) \??\K:
File opened (read-only) \??\M:
File opened (read-only) \??\Q:
File opened (read-only) \??\X:
File opened (read-only) \??\I:
File opened (read-only) \??\J:
File opened (read-only) \??\L:
File opened (read-only) \??\N:
File opened (read-only) \??\O:
File opened (read-only) \??\T:
File opened (read-only) \??\Z:
File opened (read-only) \??\G:
File opened (read-only) \??\H:
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
File opened for modification C:\autorun.inf
File opened for modification F:\autorun.inf
Drops file in Program Files directory 13 IoCs
Processes:
1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
Drops file in Windows directory 1 IoCs
Processes:
1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
File opened for modification C:\Windows\SYSTEM.INI
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 1 IoCs
Processes:
1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
pid 5052
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
Token: SeDebugPrivilege (pid 5052)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
PID 5052 wrote to memory of 776 (fontdrvhost.exe)
PID 5052 wrote to memory of 784 (fontdrvhost.exe)
PID 5052 wrote to memory of 60 (dwm.exe)
PID 5052 wrote to memory of 2644 (sihost.exe)
PID 5052 wrote to memory of 2652 (svchost.exe)
PID 5052 wrote to memory of 2748 (taskhostw.exe)
PID 5052 wrote to memory of 3480 (Explorer.EXE)
PID 5052 wrote to memory of 3612 (svchost.exe)
PID 5052 wrote to memory of 3792 (DllHost.exe)
PID 5052 wrote to memory of 3880 (StartMenuExperienceHost.exe)
PID 5052 wrote to memory of 3948 (RuntimeBroker.exe)
PID 5052 wrote to memory of 4040 (SearchApp.exe)
PID 5052 wrote to memory of 3868 (RuntimeBroker.exe)
PID 5052 wrote to memory of 2272 (TextInputHost.exe)
PID 5052 wrote to memory of 4356 (RuntimeBroker.exe)
PID 5052 wrote to memory of 3352 (msedge.exe)
PID 5052 wrote to memory of 3808 (msedge.exe)
PID 5052 wrote to memory of 2440 (msedge.exe)
PID 5052 wrote to memory of 1252 (msedge.exe)
PID 5052 wrote to memory of 2744 (msedge.exe)
PID 5052 wrote to memory of 4856 (msedge.exe)
System policy modification 1 TTPs 1 IoCs
Processes:
1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe
  "dwm.exe"
- C:\Windows\system32\sihost.exe
  sihost.exe
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1b6361d297f7566627fbdc7210f3677b_JaffaCakes118.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffef866ceb8,0x7ffef866cec4,0x7ffef866ced0
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2284,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1872,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=2356 /prefetch:3
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=2544 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4056,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4364 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
Create or Modify System Process: 1
Windows Service: 1
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Defense Evasion
Modify Registry: 5
Impair Defenses: 4
Disable or Modify Tools: 3
Disable or Modify System Firewall: 1
Abuse Elevation Control Mechanism: 1
Bypass User Account Control: 1
Downloads
-
C:\erllv.exe
Filesize
100KB
MD5
a0fec6a995e95d52989b5cd0f278a06c
SHA1
5c6f8805564c65df1dba55eb9f8a2476b1d097cc
SHA256
90777702dee1f229f0383876b41980eed8583950ad7180f64b5785e4a977e61e
SHA512
d1863584c73a3ea916b8662de310500dcc0244ebce2af22d475fdff462e290f0825ddefb9abbf39b3215d93345ca5ee99bb33fde15c0cfbb8d946d5df90f19e1