Malware Analysis Report

2024-10-18 23:16

Sample ID 240710-lvksas1bkj
Target 343a265bfdb9b15f6b99db339112d799_JaffaCakes118
SHA256 45b183f3ab8e0ad421664b353e4951aa08d3f2e0ee0667a5b10d4dba5e5bb691
Tags
snakekeylogger collection keylogger spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

45b183f3ab8e0ad421664b353e4951aa08d3f2e0ee0667a5b10d4dba5e5bb691

Threat Level: Known bad

The file 343a265bfdb9b15f6b99db339112d799_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

snakekeylogger collection keylogger spyware stealer

Snake Keylogger

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 09:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 09:51

Reported

2024-07-10 09:59

Platform

win7-20240708-en

Max time kernel

119s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A
N/A checkip.dyndns.org N/A N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 2052 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe
PID 2504 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe C:\Windows\SysWOW64\WerFault.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uDmbaTfu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6BB.tmp"

C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 1104

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 freegeoip.app udp
US 172.67.160.84:443 freegeoip.app tcp
US 8.8.8.8:53 ipbase.com udp
US 172.67.209.71:443 ipbase.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpA6BB.tmp

MD5 a8b25345b15a2ecf281db45129c85183
SHA1 a40b5b77147fa2ce2071b50936fff120e3144386
SHA256 e9125e08592fd9ea01729d4c1bb2d6e9ec90be5ff117d43d015e64c69767358b
SHA512 39a1f4bd579d624516fc0374cb4a6dc962fd138e95c874fd1fa1e7c224164e466db9b506020f1ec9110abd327f2ef6ebd499c7d35fdeb674e73e8019458b63f0

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 09:51

Reported

2024-07-10 09:58

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A
N/A freegeoip.app N/A N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 660 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 660 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uDmbaTfu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD32A.tmp"

C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1596 -ip 1596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 1816

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 freegeoip.app udp
US 104.21.73.97:443 freegeoip.app tcp
US 8.8.8.8:53 ipbase.com udp
US 104.21.85.189:443 ipbase.com tcp
US 8.8.8.8:53 97.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 0.130.122.193.in-addr.arpa udp
US 8.8.8.8:53 189.85.21.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpD32A.tmp

MD5 1bd269e9a33328a9325cdcfe20e83307
SHA1 0690069d7498d23638453812c1ca8635c836bc63
SHA256 1a3e457399584d872a3c85886ffbc1ecd918d72d5ebe3453dbd343c951b98f94
SHA512 da0779a8a693e73090b3db13f971c35762b89c2b8c5fb43d4788dd68fe9f5f643662efe7d8d68f9f03a93c75967ab2932493c7e064335d4a3953ddf92b3951ef

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\343a265bfdb9b15f6b99db339112d799_JaffaCakes118.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
