Analysis Overview
SHA256
a8031971999f9b8332c545a15a0b9c0cb5eccc62ccf11d11ce280bee08c797df
Threat Level: Likely malicious
The file 97e8516d8f563f9116c460b223e1c8a7_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
NirSoft WebBrowserPassView
Nirsoft
NirSoft MailPassView
Executes dropped EXE
Drops startup file
Loads dropped DLL
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-05 10:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 10:44
Reported
2024-06-05 10:46
Platform
win7-20240221-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LaWREOPRXWUDMThR.lnk | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\97e8516d8f563f9116c460b223e1c8a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe | N/A |
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\97e8516d8f563f9116c460b223e1c8a7_JaffaCakes118.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1992 set thread context of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 2592 set thread context of 2000 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 2592 set thread context of 2340 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\97e8516d8f563f9116c460b223e1c8a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\97e8516d8f563f9116c460b223e1c8a7_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe PfFOZGIJAYdNeUFLDeL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
- CmdLine Args
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Mail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Web.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | mail.investigateinterpol.net | udp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeL
| MD5 | a759aa534f50dedcba4f00a1055e7a23 |
| SHA1 | 4360b142cad45cf266e27b0000d61c7a21286180 |
| SHA256 | ad45347ba9a6515801ebd8e4dcf54efc8d2f6397c577978d3b37154e925474d4 |
| SHA512 | 9ead4511393ceb253308254d3852ebf4c2fe970d78a289922ae54cca718f6974f03523462d0dc685d89859b35b930abd520904d604e2bc1610138e98783bc2c4 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LaWREOPRXWUD
| MD5 | af71b0c666ff11288ed1c89e40557d68 |
| SHA1 | 77336099fdef38214ec97b5299a92faa1f01a47d |
| SHA256 | 045188a402aca551111e5423b4aea3f647abe6148999a2c48590392f3a69e88c |
| SHA512 | 22f861dae7b9b0ab9552129fad44e035ad2229052cc403db80dc6be596668aa7f65cc95ac5ae0026017e00d03420bd3b3fc6a6b48ba9409807e335c2792af485 |
memory/1992-19-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/2592-20-0x0000000000400000-0x000000000047C000-memory.dmp
memory/2592-28-0x0000000000400000-0x000000000047C000-memory.dmp
memory/2592-29-0x0000000000400000-0x000000000047C000-memory.dmp
memory/2592-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2592-22-0x0000000000400000-0x000000000047C000-memory.dmp
memory/2592-34-0x0000000073DB2000-0x0000000073DB4000-memory.dmp
memory/2592-37-0x0000000073DB0000-0x000000007435B000-memory.dmp
memory/2000-44-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2000-38-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2000-53-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2000-52-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2000-50-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2000-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2000-46-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2000-42-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2000-40-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2000-56-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2340-57-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2340-69-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2340-71-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2340-68-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Web.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2340-63-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2340-61-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2340-59-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2340-65-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2592-73-0x0000000073DB2000-0x0000000073DB4000-memory.dmp
memory/2592-74-0x0000000073DB0000-0x000000007435B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-05 10:44
Reported
2024-06-05 10:46
Platform
win10v2004-20240508-en
Max time kernel
134s
Max time network
133s
Command Line
Signatures
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LaWREOPRXWUDMThR.lnk | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe | N/A |
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\97e8516d8f563f9116c460b223e1c8a7_JaffaCakes118.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2204 set thread context of 1456 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
| PID 1456 set thread context of 1616 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 1456 set thread context of 4740 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\97e8516d8f563f9116c460b223e1c8a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\97e8516d8f563f9116c460b223e1c8a7_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe PfFOZGIJAYdNeUFLDeL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
- CmdLine Args
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Mail.txt"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3960,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:8
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\Web.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.8.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | mail.investigateinterpol.net | udp |
| BE | 88.221.83.250:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.investigateinterpol.net | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeLha.exe
| MD5 | 71d8f6d5dc35517275bc38ebcc815f9f |
| SHA1 | cae4e8c730de5a01d30aabeb3e5cb2136090ed8d |
| SHA256 | fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b |
| SHA512 | 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PfFOZGIJAYdNeUFLDeL
| MD5 | a759aa534f50dedcba4f00a1055e7a23 |
| SHA1 | 4360b142cad45cf266e27b0000d61c7a21286180 |
| SHA256 | ad45347ba9a6515801ebd8e4dcf54efc8d2f6397c577978d3b37154e925474d4 |
| SHA512 | 9ead4511393ceb253308254d3852ebf4c2fe970d78a289922ae54cca718f6974f03523462d0dc685d89859b35b930abd520904d604e2bc1610138e98783bc2c4 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LaWREOPRXWUD
| MD5 | af71b0c666ff11288ed1c89e40557d68 |
| SHA1 | 77336099fdef38214ec97b5299a92faa1f01a47d |
| SHA256 | 045188a402aca551111e5423b4aea3f647abe6148999a2c48590392f3a69e88c |
| SHA512 | 22f861dae7b9b0ab9552129fad44e035ad2229052cc403db80dc6be596668aa7f65cc95ac5ae0026017e00d03420bd3b3fc6a6b48ba9409807e335c2792af485 |
memory/1456-19-0x0000000000540000-0x00000000005BC000-memory.dmp
memory/2204-17-0x0000000002630000-0x0000000002631000-memory.dmp
memory/1456-23-0x00000000730F2000-0x00000000730F3000-memory.dmp
memory/1456-27-0x00000000730F0000-0x00000000736A1000-memory.dmp
memory/1456-28-0x00000000730F0000-0x00000000736A1000-memory.dmp
memory/1456-29-0x00000000730F0000-0x00000000736A1000-memory.dmp
memory/1616-32-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1616-34-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1616-35-0x0000000000420000-0x00000000004E9000-memory.dmp
memory/1616-37-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4740-38-0x0000000000400000-0x000000000045A000-memory.dmp
memory/4740-39-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Web.txt
| MD5 | b9daf88205e7429feaceda806bd561d2 |
| SHA1 | 1893c80e74cfea9914343c6e4213393804a92dd1 |
| SHA256 | efa03262d4c3f5a46ab526946b8c7450d37eff4b5f8d53b43468655eea8cc027 |
| SHA512 | 649ba70698611bd66aa91e40aaa81327a60efc098c1705729f9eb316c18e9bcca6af2363b24f8ac4aea5d25f12303833aedaada6fd26f1eebb86711a4e9baaf1 |
memory/4740-46-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1456-47-0x00000000730F2000-0x00000000730F3000-memory.dmp
memory/1456-48-0x00000000730F0000-0x00000000736A1000-memory.dmp
memory/1456-49-0x00000000730F0000-0x00000000736A1000-memory.dmp