Overview

overview

10

Static

static

5

b59361e332...18.exe

windows7-x64

10

b59361e332...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2024 23:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b59361e332e4225f6e6b2689c1187a72_JaffaCakes118.exe

  • Size

    888KB

  • MD5

    b59361e332e4225f6e6b2689c1187a72

  • SHA1

    97971b0503c202a2c4ee1c88dcf85c2bf08fa6f6

  • SHA256

    e8e36723daa8aaeaef03605d1e169e84032c320c67cb2c71177a26dc00d9a281

  • SHA512

    eaef4ced18fd72b770d86916af4a7cfdce73e50aa4a6a53c208256593da28713f52428aad4a73d2627497f4f4d7ea486beaa68ec1fa134cfe9bc32a864c98f3a

  • SSDEEP

    12288:LhhSJRyeHyKAhIV4LoJze68PvanRJkHVphYJGTaTFxfj5ItEByClkRqTHsoo4zkF:LqyeHypU4EJK007QGTojfjqIkF

Score
10/10
modiloaderxtremeratdefense_evasiondiscoveryevasionpersistenceratspywaretrojanupx

Malware Config

Extracted

Family

xtremerat

C2

nerozhack.ddns.com.br

€p ƒalonedevil.no-ip.org

gameszero.dyndns.org

Signatures

  • Detect XtremeRAT payload 12 IoCs
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • XtremeRAT

    The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    persistencespywareratxtremerat
  • Xtremerat family
    xtremerat
  • ModiLoader Second Stage 11 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • UPX packed file 45 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 14 IoCs
  • Hijack Execution Flow: DLL Search Order Hijacking 1 TTPs

    Possible initial access via DLL redirection search order hijacking.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\b59361e332e4225f6e6b2689c1187a72_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b59361e332e4225f6e6b2689c1187a72_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Users\Admin\AppData\Local\Temp\b59361e332e4225f6e6b2689c1187a72_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\b59361e332e4225f6e6b2689c1187a72_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4264
      • C:\Windows\chrome.exe
        "C:\Windows\chrome.exe" \melt "C:\Users\Admin\AppData\Local\Temp\b59361e332e4225f6e6b2689c1187a72_JaffaCakes118.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4936
        • C:\Windows\chrome.exe
          "C:\Windows\chrome.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • System policy modification
          PID:1688
        • C:\Windows\RSOP.exe
          C:\Windows\RSOP.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Windows\RSOP.exe
            "C:\Windows\RSOP.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3872
            • C:\Windows\RSOP.exe
              "C:\Windows\RSOP.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4748
              • C:\Windows\SysWOW64\svchost.exe
                svchost.exe
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4664
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 480
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:2024
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 488
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:4988
              • C:\WINDOWS\SysWOW64\taskmgr.exe
                C:\WINDOWS\system32\taskmgr.exe
                7⤵
                • Loads dropped DLL
                • Adds Run key to start application
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: SetClipboardViewer
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                PID:1900
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 1092
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:1984
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 1100
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:4488
    • C:\Windows\RSOP.exe
      C:\Windows\RSOP.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Windows\RSOP.exe
        "C:\Windows\RSOP.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1460
        • C:\Windows\RSOP.exe
          "C:\Windows\RSOP.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:764
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            5⤵
            • System Location Discovery: System Language Discovery
            PID:532
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 480
              6⤵
              • Program crash
              PID:8
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 476
              6⤵
              • Program crash
              PID:3432
          • C:\WINDOWS\SysWOW64\taskmgr.exe
            C:\WINDOWS\system32\taskmgr.exe
            5⤵
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4536
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1076
              6⤵
              • Program crash
              PID:4328
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1084
              6⤵
              • Program crash
              PID:3064
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4260
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 532 -ip 532
    1⤵
      PID:4172
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 532 -ip 532
      1⤵
        PID:3508
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4536 -ip 4536
        1⤵
          PID:1632
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4536 -ip 4536
          1⤵
            PID:5052
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4664 -ip 4664
            1⤵
              PID:2800
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4664 -ip 4664
              1⤵
                PID:2744
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1900 -ip 1900
                1⤵
                  PID:3244
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1900 -ip 1900
                  1⤵
                    PID:4144

                  Network

                  MITRE ATT&CK Enterprise v15

                  Reconnaissance

                  Resource Development

                  Initial Access

                  Execution

                  Persistence

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Hijack Execution Flow

                  1
                  T1574

                  DLL Search Order Hijacking

                  1
                  T1574.001

                  Privilege Escalation

                  Abuse Elevation Control Mechanism

                  1
                  T1548

                  Bypass User Account Control

                  1
                  T1548.002

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Hijack Execution Flow

                  1
                  T1574

                  DLL Search Order Hijacking

                  1
                  T1574.001

                  Defense Evasion

                  Abuse Elevation Control Mechanism

                  1
                  T1548

                  Bypass User Account Control

                  1
                  T1548.002

                  Hijack Execution Flow

                  1
                  T1574

                  DLL Search Order Hijacking

                  1
                  T1574.001

                  Impair Defenses

                  1
                  T1562

                  Disable or Modify Tools

                  1
                  T1562.001

                  Modify Registry

                  3
                  T1112

                  Credential Access

                  Discovery

                  Query Registry

                  1
                  T1012

                  System Information Discovery

                  3
                  T1082

                  System Location Discovery

                  1
                  T1614

                  System Language Discovery

                  1
                  T1614.001

                  Lateral Movement

                  Collection

                  Command and Control

                  Exfiltration

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\wbhmsmu
                    Filesize

                    9KB

                    MD5

                    1cae2b547a78ece24949e7abc5ce0832

                    SHA1

                    54c4b7d4973c22818f87f8a5c5c145e408c65095

                    SHA256

                    b4efccf8457046aaf4c5b272addd3299003f41ef19bad993ee2be0554a2922ce

                    SHA512

                    786a678a513f09528335b48fc9e87c0c0e12f795090bb76f27a74fed522bcb0bf842c2b649e1bc19d2b22dbbf76a83a5d0df8e70db242e258de97758ebdc56d8

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Wplugin.dll
                    Filesize

                    108KB

                    MD5

                    8847a8302dacc1d6fca61f125c8fe8e0

                    SHA1

                    f399142bbf03660bee1df555ebbf3acc8f658cf0

                    SHA256

                    9c2726defa122089f8251fa104f76d66830f448774ab9bd634adbb6e492e3943

                    SHA512

                    2b028bb4139c352b80db1509d1a3f479a8ef7e9b3b73ddbf62e2d83d4e59adf4a0bd6b9d68409bc0b6fafb7a5f56844fbfed6d00b824a6b370689801ce1c837f

                    Download Submit

                  • C:\Windows\RSOP.exe
                    Filesize

                    300KB

                    MD5

                    a87e455284d5aaf624c6c419fa7f9bed

                    SHA1

                    dd7335f04ef50375b124106cc599d4def55f40ac

                    SHA256

                    3cdc6602fee91dc53c16573cf2f53dbcec491d53a0795312290a804a247a81a3

                    SHA512

                    000fbf010fdcc5d47be1500372d8ca4d2fe399a4c0e1a9299da5e42fa0fae77711f38be13bab1264e8dd78f321ac79fefdcea52953749756f8d33c225842ae32

                    Download Submit

                  • C:\Windows\chrome.exe
                    Filesize

                    888KB

                    MD5

                    b59361e332e4225f6e6b2689c1187a72

                    SHA1

                    97971b0503c202a2c4ee1c88dcf85c2bf08fa6f6

                    SHA256

                    e8e36723daa8aaeaef03605d1e169e84032c320c67cb2c71177a26dc00d9a281

                    SHA512

                    eaef4ced18fd72b770d86916af4a7cfdce73e50aa4a6a53c208256593da28713f52428aad4a73d2627497f4f4d7ea486beaa68ec1fa134cfe9bc32a864c98f3a

                    Download Submit

                  • C:\Windows\cmsetac.dll
                    Filesize

                    33KB

                    MD5

                    f032f510ff1cd8ca94c6888fb2d9adb8

                    SHA1

                    415c7b2bb32df56384c2013391b0332d67ffd7ce

                    SHA256

                    9afcf97e82aea812e4286dfbebf30f11f9dd592cfa2129fea1a869e620acf2cc

                    SHA512

                    982ff9199b7d4ad22f5d899e8b8bfae10347af7a6b510ef8d30cb3a0a7a59a769256c157da4945ad12fbdcba53793875927c88c81f10546a85ce81e1d73dc925

                    Download Submit

                  • C:\Windows\ntdtcstp.dll
                    Filesize

                    7KB

                    MD5

                    67587e25a971a141628d7f07bd40ffa0

                    SHA1

                    76fcd014539a3bb247cc0b761225f68bd6055f6b

                    SHA256

                    e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

                    SHA512

                    6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

                    Download Submit

                  • memory/532-54-0x0000000010000000-0x000000001004D000-memory.dmp

                    Filesize

                    308KB

                    Download

                  • memory/532-59-0x0000000010000000-0x000000001004D000-memory.dmp

                    Filesize

                    308KB

                    Download

                  • memory/764-47-0x0000000010000000-0x000000001004D000-memory.dmp

                    Filesize

                    308KB

                    Download

                  • memory/764-49-0x0000000000400000-0x00000000004B1000-memory.dmp

                    Filesize

                    708KB

                    Download

                  • memory/764-50-0x0000000010000000-0x000000001004D000-memory.dmp

                    Filesize

                    308KB

                    Download

                  • memory/764-53-0x0000000010000000-0x000000001004D000-memory.dmp

                    Filesize

                    308KB

                    Download

                  • memory/1460-37-0x0000000000400000-0x0000000000414000-memory.dmp

                    Filesize

                    80KB

                    Download

                  • memory/1460-40-0x0000000000400000-0x0000000000414000-memory.dmp

                    Filesize

                    80KB

                    Download

                  • memory/1460-44-0x0000000000400000-0x0000000000414000-memory.dmp

                    Filesize

                    80KB

                    Download

                  • memory/1460-52-0x0000000000400000-0x0000000000414000-memory.dmp

                    Filesize

                    80KB

                    Download

                  • memory/1516-0-0x0000000000400000-0x00000000004B1000-memory.dmp

                    Filesize

                    708KB

                    Download

                  • memory/1516-36-0x0000000000400000-0x00000000004B1000-memory.dmp

                    Filesize

                    708KB

                    Download

                  • memory/1688-91-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/1688-101-0x00000000024E0000-0x00000000024EE000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/1688-147-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/1688-157-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/1688-154-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/1688-151-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/1688-148-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/1688-149-0x0000000000A80000-0x0000000000A88000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/1688-87-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/1688-160-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/1688-88-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/1688-150-0x00000000024E0000-0x00000000024EE000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/1900-130-0x0000000010000000-0x000000001004D000-memory.dmp

                    Filesize

                    308KB

                    Download

                  • memory/1900-135-0x0000000000C60000-0x0000000000C6E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/1900-139-0x0000000010000000-0x000000001004D000-memory.dmp

                    Filesize

                    308KB

                    Download

                  • memory/1900-146-0x0000000000C60000-0x0000000000C6E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/1900-145-0x0000000010000000-0x000000001004D000-memory.dmp

                    Filesize

                    308KB

                    Download

                  • memory/2540-113-0x0000000000400000-0x00000000004B1000-memory.dmp

                    Filesize

                    708KB

                    Download

                  • memory/2540-112-0x0000000000A30000-0x0000000000A3E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/2540-108-0x0000000000A30000-0x0000000000A3E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/3632-33-0x0000000000400000-0x00000000004B1000-memory.dmp

                    Filesize

                    708KB

                    Download

                  • memory/3632-42-0x0000000000400000-0x00000000004B1000-memory.dmp

                    Filesize

                    708KB

                    Download

                  • memory/3872-109-0x0000000000400000-0x0000000000414000-memory.dmp

                    Filesize

                    80KB

                    Download

                  • memory/3872-110-0x0000000000400000-0x0000000000414000-memory.dmp

                    Filesize

                    80KB

                    Download

                  • memory/3872-128-0x0000000000400000-0x0000000000414000-memory.dmp

                    Filesize

                    80KB

                    Download

                  • memory/3872-127-0x0000000000480000-0x000000000048E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/3872-116-0x0000000000480000-0x000000000048E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/4264-34-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/4264-32-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/4264-73-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/4264-31-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/4264-29-0x0000000000400000-0x0000000000451000-memory.dmp

                    Filesize

                    324KB

                    Download

                  • memory/4536-55-0x0000000010000000-0x000000001004D000-memory.dmp

                    Filesize

                    308KB

                    Download

                  • memory/4536-60-0x0000000010000000-0x000000001004D000-memory.dmp

                    Filesize

                    308KB

                    Download

                  • memory/4536-58-0x0000000010000000-0x000000001004D000-memory.dmp

                    Filesize

                    308KB

                    Download

                  • memory/4664-141-0x0000000010000000-0x000000001004D000-memory.dmp

                    Filesize

                    308KB

                    Download

                  • memory/4664-129-0x0000000010000000-0x000000001004D000-memory.dmp

                    Filesize

                    308KB

                    Download

                  • memory/4748-131-0x0000000000920000-0x000000000092E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/4748-125-0x0000000000920000-0x000000000092E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/4748-122-0x0000000010000000-0x000000001004D000-memory.dmp

                    Filesize

                    308KB

                    Download

                  • memory/4748-121-0x0000000010000000-0x000000001004D000-memory.dmp

                    Filesize

                    308KB

                    Download

                  • memory/4936-90-0x0000000000400000-0x00000000004B1000-memory.dmp

                    Filesize

                    708KB

                    Download