Analysis
- max time kernel: 130s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 10-05-2024 08:25
Static task: static1
Behavioral task: behavioral1
- Sample: 2e3794c246b2692357c84d67a63eee8a_JaffaCakes118.msi
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 2e3794c246b2692357c84d67a63eee8a_JaffaCakes118.msi
- Resource: win10v2004-20240508-en
General
- Target: 2e3794c246b2692357c84d67a63eee8a_JaffaCakes118.msi
- Size: 916KB
- MD5: 2e3794c246b2692357c84d67a63eee8a
- SHA1: 6e4831f1fff710b0b85db2284077d1babcfff07c
- SHA256: e32e5feb177767ae1460812431ca445d2878a94d7730b75954787ae56f279c90
- SHA512: 1830636041c17abe43ebbeac806176177a3c3e509c9b7bc1b66166c14ccf42f82743f73edabd19be729b0b09a31736e149c16962f1c36fc273223a7c58a6f5f0
- SSDEEP: 12288:xEm8Elt9sHIoUJWgt46eeZZJEIdHH4hiXmVOJ8Ah3yUr2:xEytTQgtl7ZZGiHqi2omA
Malware Config
Extracted
lokibot
http://31.220.2.120/~jhjgr/wp/wp-admin/includes/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
MSI3729.tmp
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | MSI3729.tmp
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | MSI3729.tmp
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | MSI3729.tmp
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
MSI3729.tmp
description | pid | process | target process
PID 2668 set thread context of 2828 | 2668 | MSI3729.tmp | MSI3729.tmp
-
Drops file in Windows directory 10 IoCs
Processes:
DrvInst.exe, msiexec.exe
description | ioc | process
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\Installer\f76363d.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI36E8.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File created | C:\Windows\Installer\f76363d.msi | msiexec.exe
File created | C:\Windows\Installer\f763640.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3729.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f763640.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
-
Executes dropped EXE 2 IoCs
Processes:
MSI3729.tmp, MSI3729.tmp
pid | process
2668 | MSI3729.tmp
2828 | MSI3729.tmp
-
Loads dropped DLL 1 IoCs
Processes:
MSI3729.tmp
pid | process
2668 | MSI3729.tmp
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exe
pid | process
2348 | msiexec.exe
2348 | msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 62 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exe
pid | process
1768 | msiexec.exe
1768 | msiexec.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
msiexec.exe, MSI3729.tmp
description | pid | process | target process
PID 2348 wrote to memory of 2668 | 2348 | msiexec.exe | MSI3729.tmp
PID 2348 wrote to memory of 2668 | 2348 | msiexec.exe | MSI3729.tmp
PID 2348 wrote to memory of 2668 | 2348 | msiexec.exe | MSI3729.tmp
PID 2348 wrote to memory of 2668 | 2348 | msiexec.exe | MSI3729.tmp
PID 2668 wrote to memory of 2828 | 2668 | MSI3729.tmp | MSI3729.tmp
PID 2668 wrote to memory of 2828 | 2668 | MSI3729.tmp | MSI3729.tmp
PID 2668 wrote to memory of 2828 | 2668 | MSI3729.tmp | MSI3729.tmp
PID 2668 wrote to memory of 2828 | 2668 | MSI3729.tmp | MSI3729.tmp
PID 2668 wrote to memory of 2828 | 2668 | MSI3729.tmp | MSI3729.tmp
PID 2668 wrote to memory of 2828 | 2668 | MSI3729.tmp | MSI3729.tmp
PID 2668 wrote to memory of 2828 | 2668 | MSI3729.tmp | MSI3729.tmp
PID 2668 wrote to memory of 2828 | 2668 | MSI3729.tmp | MSI3729.tmp
PID 2668 wrote to memory of 2828 | 2668 | MSI3729.tmp | MSI3729.tmp
PID 2668 wrote to memory of 2828 | 2668 | MSI3729.tmp | MSI3729.tmp
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Processes:
MSI3729.tmp
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | MSI3729.tmp
-
outlook_win_path 1 IoCs
Processes:
MSI3729.tmp
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | MSI3729.tmp
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2e3794c246b2692357c84d67a63eee8a_JaffaCakes118.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1768
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
    -
    C:\Windows\Installer\MSI3729.tmp
    "C:\Windows\Installer\MSI3729.tmp"
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2668
        -
        C:\Windows\Installer\MSI3729.tmp
        "C:\Windows\Installer\MSI3729.tmp"
        - Accesses Microsoft Outlook profiles
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
        PID:2828
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000003DC" "000000000000057C"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3052
Network
MITRE ATT&CK Enterprise v15
Downloads