Analysis

  • max time kernel
    152s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-05-2024 17:47

General

  • Target

    474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe

  • Size

    221KB

  • MD5

    474f76977fa109dd9a1a8a7e51c49659

  • SHA1

    aed91b01397c5a067201e0eed886f7fe2acdc02e

  • SHA256

    1c77bceb256e2c7e570830558b2084008f961483981d352b874af0e6e2ee3f10

  • SHA512

    997f426de2c1942c7eb2efee57946eaa50f0f67e3cf1603b9e9ebf4bf9e09008172c74ca30b34943c25e0dc64815749f474ececc4ac84d5ef2217dd4efb0a1e8

  • SSDEEP

    6144:zwHysaOmXtsnUpyzaAV+vCQ+xTGth9/oG:oaOmXanUpSV+vCQ+xTob/z

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Contacts a large (527) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Control Panel 4 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Users\Admin\AppData\Local\Temp\474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe"
      2⤵
      • Adds policy Run key to start application
      • Drops startup file
      • Adds Run key to start application
      • Modifies Control Panel
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe
        "C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1572
        • C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe
          "C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe"
          4⤵
          • Adds policy Run key to start application
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies Control Panel
          • Suspicious use of AdjustPrivilegeToken
          PID:1392
      • C:\Windows\SysWOW64\cmd.exe
        /d /c taskkill /t /f /im "474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe" > NUL
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1760
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /t /f /im "474f76977fa109dd9a1a8a7e51c49659_JaffaCakes118.exe"
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5000
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1868
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2668
    • C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe
      C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:488
      • C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe
        C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3364

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Network Service Discovery

    1
    T1046

    System Information Discovery

    1
    T1082

    Remote System Discovery

    1
    T1018

    Collection

    Data from Local System

    1
    T1005

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsv3862.tmp\System.dll
      Filesize

      11KB

      MD5

      a436db0c473a087eb61ff5c53c34ba27

      SHA1

      65ea67e424e75f5065132b539c8b2eda88aa0506

      SHA256

      75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

      SHA512

      908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

    • C:\Users\Admin\AppData\Roaming\403.htm
      Filesize

      1KB

      MD5

      394a5c0cee0392d04fad577c6766f06b

      SHA1

      16197acb33ddc2e8c5d1f7fc04aaa0cf1f26b95f

      SHA256

      ed1e1c39e647d0aa8b950c98ff6ba2e7d551927263e45d4ba86b8747ce5149ee

      SHA512

      9027e504499d057097c2b149ae3743519178cb570c48d4f0dd5cc735554199ad2525915af3b8e4ff1bafc471ebe3cefcd4760fc6c2c5a9e8f7bfde5805a89397

    • C:\Users\Admin\AppData\Roaming\9.gif
      Filesize

      923B

      MD5

      89ef56055c93539c44f2a59def331ff8

      SHA1

      68de36276c6482f4a596b9881be44625fce0996e

      SHA256

      e3274dae4562db681c6e7ef3f4f52dbbd86c25d8810d919d7b7a89bd57af53f8

      SHA512

      6a6c36641ab25b6f39a8eb33f3ea65af7afaa4c24005aeed27eaba69aab105dd9a41c11a130af5269874a8aded230273ab681cd124513ba4664ad364a0e27e90

    • C:\Users\Admin\AppData\Roaming\Adobe-CNS1-6
      Filesize

      4KB

      MD5

      632dcddcbedcb4c38a4cffabd99dedf3

      SHA1

      c033e731c067d0732961f656d9bee65f46da9594

      SHA256

      70942bcd54b48fcc2ebdfd19da8031c9c5b4c710f5d2543f12b3f0fe0f4d2592

      SHA512

      ea04f016d74c3da10d2aaefc400f99a3b76d0ea4591995d8eb418a32a955552e2ed13c365fecec65ab52938dd99982dc794df89d200fba231b85d2ed2269cd2e

    • C:\Users\Admin\AppData\Roaming\Adobe-Korea1-0
      Filesize

      3KB

      MD5

      41a6fcc09060a5ac59c9b48e4cffdf66

      SHA1

      79a83a69c8d994f27fb44f315c755839d997ad1d

      SHA256

      a3cc88d1aec75afa3677e069ffe35d24498e587f7eb3730d9976d16ef04f044d

      SHA512

      9d15801891b745eaf62411015db16ea13dc20294c97de71a877f91ae62161a7cf530cf10209d89f31d66f67ba2d4142f02b00f006de56a7fb16b5d9d1efba369

    • C:\Users\Admin\AppData\Roaming\Bl soft CG9 CG2.ADO
      Filesize

      524B

      MD5

      4965e28a04e6047d390e8798dce77eb6

      SHA1

      8abe2196dfcb8fcf664c036b6f55acad0a638a6f

      SHA256

      425f1c29b829c23c1728cabe2bedb7b9d00298749c1530c932ac1f96d93c07fe

      SHA512

      c9b12151f06aee6b86a538f1057c1d201bb75db1094b93a4e3d4a94dbd292b2dda7ffe74b99d2c60b2eb994f04c6e5137de7e8ebb3edd65661bf5e1278056c8f

    • C:\Users\Admin\AppData\Roaming\Damascus
      Filesize

      1KB

      MD5

      93657662177fdc9183a0fd632790c0ae

      SHA1

      5586f64b641545aa2610b3bcd5df7750a17955de

      SHA256

      a353644ae75ca0a454a56caa9a442e361f1097ff429d035fc7ba73e87650e21e

      SHA512

      c0a0deb8e5773c783e3656084fb751847b71b2b1e6b2bf489f31f97100e4c629c0266c10d3f1a75c6811a2a195308d564d7216be8bce01b8ec5dda3a5096eb93

    • C:\Users\Admin\AppData\Roaming\Darker.alv
      Filesize

      630B

      MD5

      7f2d29a5e3ded93d9a3bdadf45ccec15

      SHA1

      2e03d94db3ab943514a3e61e79fb7fa22f9e1155

      SHA256

      4f56ea00303af5b79de9a12422a764a6d7942c369a0ecf5bb4dc945a7f545ec7

      SHA512

      2a07cb08608f3fc15f00cc4a151cf2eb757e69a35f8f9e5a9f03e60e28b1122a4df5f3f891fb6a48c060d181b1457e360a29fa569fe7fda213c71ae12a7ed5a4

    • C:\Users\Admin\AppData\Roaming\DumpLog.dll
      Filesize

      26KB

      MD5

      a7071875105cb81943f72ecb7c3d10f1

      SHA1

      7353fbdda3fed9bb8dbec6df39547bdac910c185

      SHA256

      8eecdcb35325eaad230f69747759a7eac9642be32be799db28cbaf4e076769b5

      SHA512

      31a24168d9a37cbff1ee93d2d69e6d50545625e5d2751cd68286aad099894402cbdea1fe2995adc2e721e97dceed213c1886332e2130597b409ac2350e5edac2

    • C:\Users\Admin\AppData\Roaming\Escudo.qBC
      Filesize

      125KB

      MD5

      60eddd78af5fb9e8236f86ee672eb97d

      SHA1

      f76a5f7400e193f53683553e6562262521a32a74

      SHA256

      354b3fa35d71922a72c3d9b55a53099948d135bb7d49366d106e9a938786ffc6

      SHA512

      22ebbe27e3e524792478a9f3e63c42d9b391a604bbcf870dbe3ffc195e693fd47a2830e3ee995d0d561d59c67ecfcfea3f17d5497c063ffed838d9968eb38377

    • C:\Users\Admin\AppData\Roaming\GMT+7
      Filesize

      27B

      MD5

      11f8e73ad57571383afa5eaf6bc0456a

      SHA1

      65a736dddd8e9a3f1dd6fbe999b188910b5f7931

      SHA256

      0e6a7f1ab731ae6840eacc36b37cbe3277a991720a7c779e116ab488e0eeed4e

      SHA512

      578665a0897a2c05eda59fb6828f4a9f440fc784059a5f97c8484f164a5fcec95274159c6ff6336f4863b942129cb884110d14c9bd507a2d12d83a4e17f596d2

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\wecutil.lnk
      Filesize

      1KB

      MD5

      e4d7131a9282e7072604a17b2ca11190

      SHA1

      2fd74c6244b106074a395bfadcb1f9f3e3deaaec

      SHA256

      32990b0f3b447ac9bb304f66fca5cffb010afee848a2a4dd6235f53e4ad0b0f6

      SHA512

      6ad2c0b36311238658d589c244b7c231b98f6ed0795a3bc41e58de8d63687ce2bfb56929a28f4775910177b19fb9327e649675e1ab00c6eac9592ac95f8cdb51

    • C:\Users\Admin\AppData\Roaming\SildMajorgeneralship.U
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • C:\Users\Admin\AppData\Roaming\appcmd.xml
      Filesize

      3KB

      MD5

      a1abf60add7c54a1a444e83b523f8095

      SHA1

      ac7571cde28c55642f44f35e25fb66597233636f

      SHA256

      24c63a00a384d26a929c3285e41822631a846c5c69627360dec267b35c55410a

      SHA512

      a8b35138bc9495ad7ef64dc0c4bbe1fda1f4bf34530c77080be9f54ccfadac96b3a45eb018dc3ef30bdbf6013ec8b0ffd18475516ea680a6308008806d4374d7

    • C:\Users\Admin\AppData\Roaming\arbortext.extensions.xml
      Filesize

      1KB

      MD5

      b7a3d5891858ec987692f843d0da635e

      SHA1

      144dfcf7282b499e4b07b3b4ae10bbb5dc23e08c

      SHA256

      a021af7e7c49f2c338f12e715d4e2f853f4f53327dadb73b11d089fb43bf6a85

      SHA512

      c7bb9f9f0cec125ae61617bc2b6ce1b449b736d7bf5d776605d830a4a2e2e9b7957de4b1d146faa403e169052eb54af00f551e392bdc286c190e62df3df3f7f6

    • C:\Users\Admin\AppData\Roaming\arrow_right_disabled.png
      Filesize

      1KB

      MD5

      399856c91725d77cf54be89fb5736f42

      SHA1

      b368497d9c460757b466d08cd2487aea335e52f2

      SHA256

      5000bb746100b29ac857d20248f373d0bfc2bad66c88043e27a68dd0dd7313c9

      SHA512

      3169bf57a46a6900c05c67a3bdd86cbc282fe9a64b5adc784d1097c4d6527ba06eb0ebc0902b953c1664a0a61157d7e34494debabec7dfcc9a2b42e73d419848

    • C:\Users\Admin\AppData\Roaming\axf.extensions.xml
      Filesize

      1KB

      MD5

      af841ee6aa03ff9847d5bdd00473ff90

      SHA1

      2ef974619172b802252ffac7576a3762f6236dd1

      SHA256

      7a28d8ac66543a242f64890404d706d649224b6b43fd4f8f0c20455052b7dc41

      SHA512

      a48523b843a06fe158dc4ca3d9c5ba2346261d33f0515fb2018bec52cb4315f06981d5cb658dad5f4d83c2af49cc36f6c55cb746386b0bfbf8863c0c3b70c9ac

    • C:\Users\Admin\AppData\Roaming\battery.png
      Filesize

      4KB

      MD5

      1ed001d1427fa0a32e4ab6cb81d01ce3

      SHA1

      1a933f36ca48c52ff8085f272c7d66dd249154a5

      SHA256

      e4ead39126138a19651b074531a4dd312a86d0e3addd1ac8c943814b106453b0

      SHA512

      8d279f3dd7b0b5d778b4852e0b5fa3c5bf688a487d581c303813de6bf8edf0395de1559d3cd3a24f7782e491ef1108078bcdbb0c43c837c442b098cc106721b2

    • C:\Users\Admin\AppData\Roaming\data_transfer.png
      Filesize

      1KB

      MD5

      6dcfd632eb0a8124ea05a92209e73bab

      SHA1

      094612b281c4d378ec3def211d60a259bcb41fca

      SHA256

      0b7e998b98af82bbf0e9f8916aa5e1614a3e42d7a79cd2877c7c72690a42272e

      SHA512

      581f7f73592c3cf0999a76a2400e0d385330d0594f12c1fe7e37cdef492fd2eafafaec2b6310000efac34c507a1bc660a7e9d38158c888e3869d19ca3f74acab

    • C:\Users\Admin\AppData\Roaming\en-US.pak
      Filesize

      4KB

      MD5

      375253e9ff91d59171322445c14873ab

      SHA1

      6c2dd2a90b40d7d35f0baa8f762761deae6903ff

      SHA256

      2f5e83acc8bbb76507342f6e7d22728113519e86cc645170035148dc36074951

      SHA512

      ac0762dc5b49da6c26728af8809527dfc1576771728d09426b9459f0cf20dd5982c2054fe1b999c2fbf9e0139c340aa56c2e7867a873620c2c5a839e0a5280f6

    • C:\Users\Admin\AppData\Roaming\external-link.gif
      Filesize

      71B

      MD5

      bae65d05d67c86148948fdf7a773a207

      SHA1

      37313e079df4ee9020c2ff14eedee17b65ac6880

      SHA256

      67ce0e5ca8696537cb2c4fce9e8e945c6134e36945c719c879b9b7288bcd5d96

      SHA512

      09e4b5d0328b02adeca1855c37235007e6d711f835fcccddcc2ed2b0dc5de6cd32a3ac07c97140e376c1e71a362fd59dafe41db697187ecd9bf636d8f8655e46

    • C:\Users\Admin\AppData\Roaming\flash.icon1.ico
      Filesize

      2KB

      MD5

      5b6d410767b3f51805b65bd53047ddff

      SHA1

      7eae072adbc3b102a3e06873f643e5e11674d936

      SHA256

      c665dbded35fd10240134d7199cba83e69eedeb893fdffa73235e5f3ceaacaa3

      SHA512

      45a409739c6f7ef6444d0fd80134941a20806b7248336b5bc76f757107fd0637f292b2827c0b90c26c1bc5ee4fb6658a1a1d6c2a23b55b8b8bd550a2671c04f4

    • C:\Users\Admin\AppData\Roaming\forward_disabled.png
      Filesize

      1KB

      MD5

      875ff3260a35602560fa96c60aab9b09

      SHA1

      457c51cb571ed8c2f66860b884b3897094832563

      SHA256

      e6ca6d6e4408a85d06dec320917eaface8871796c5bc5c7974d99b8415e49e2e

      SHA512

      aab5a58ee6147c1d2dd40722d6ca56df336d49103f08c123936a8efe2f3250a5ce1d0e90c1c54edbb82e1014213aa78b74ea3570c3c53d9a3ad36af37e42d09f

    • C:\Users\Admin\AppData\Roaming\goURL_lr_photoshop_en.csv
      Filesize

      510B

      MD5

      72846352548853b375cd1966c5b25a3a

      SHA1

      c51c6d5641dfcabdb6569e071c502deacda8d2d1

      SHA256

      97f1d4f62e381f8f65d3e7d3da9f3c5d8194c73a2d30a2d08057d0d5ce30e130

      SHA512

      b4c5a4be9a676323e3f1df1eed60761def150a91e237d830c96413770397df3138176ffb1374580b10abb1466bebc8f8aef99d0a44be0fa29ac5edce3cf9874e

    • C:\Users\Admin\AppData\Roaming\microseism.rjh
      Filesize

      62KB

      MD5

      7be3aa61e943269fd4f504dcd95e7016

      SHA1

      8bcc960f9128d1ff1004174f4f78dd839a5a1684

      SHA256

      92c02f210805bd497e288299ee3da1b46cff3c93da4f5f5af7f65f6e83b5429d

      SHA512

      aa858e3f0e8aaf77b70aea820d808ca01860f0d1e27c93ad361a27830848ed64677327d12c75bd6860434f5be8e98b7f865aa40a00d3429b8831991cd2cd5b69

    • C:\Users\Admin\AppData\Roaming\variability.kpd
      Filesize

      63KB

      MD5

      59b666941a1ca106c9d3a0bf58b7b7d4

      SHA1

      392e93b08a658dea9e24a5ef34e5daf591c43247

      SHA256

      b9ea6983a6eec38a0e120361ca843da7a9f52de1569b5dbab19bd4b90b4a0ab1

      SHA512

      0bc1592ceb10c2e1b774ad357f97ef3757b86a3c1c5ecb89b35be5231330b7c0b02ab36223edcd8b06776ec5540e3183c2378d8a229263454cc53ddb3a99a1a7

    • C:\Users\Admin\AppData\Roaming\{7B88A631-9DB0-95C8-FE5C-A999350AECED}\wecutil.exe
      Filesize

      221KB

      MD5

      474f76977fa109dd9a1a8a7e51c49659

      SHA1

      aed91b01397c5a067201e0eed886f7fe2acdc02e

      SHA256

      1c77bceb256e2c7e570830558b2084008f961483981d352b874af0e6e2ee3f10

      SHA512

      997f426de2c1942c7eb2efee57946eaa50f0f67e3cf1603b9e9ebf4bf9e09008172c74ca30b34943c25e0dc64815749f474ececc4ac84d5ef2217dd4efb0a1e8

    • memory/488-186-0x0000000002160000-0x000000000216A000-memory.dmp
      Filesize

      40KB

    • memory/1360-42-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/1360-43-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/1360-40-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/1360-38-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/1360-51-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/1392-124-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/1392-119-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/1392-120-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/1392-122-0x0000000003880000-0x0000000003881000-memory.dmp
      Filesize

      4KB

    • memory/1392-118-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/1392-125-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/1392-128-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/1572-112-0x0000000003010000-0x000000000301A000-memory.dmp
      Filesize

      40KB

    • memory/3364-194-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/3364-195-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/4248-34-0x00000000022A0000-0x00000000022AA000-memory.dmp
      Filesize

      40KB