Analysis Overview
SHA256
605f67c5e7026c95358b6fd2d661a2bd6226b483376c3fabafc15ebcbb2f7489
Threat Level: Known bad
The file d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Cybergate family
CyberGate, Rebhip
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
UPX packed file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2024-09-07 05:27
Signatures
Cybergate family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-07 05:27
Reported
2024-09-07 05:30
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
\??\c:\dir\install\install\server.exe
C:\Users\Admin\AppData\Roaming\logs.dat
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-07 05:27
Reported
2024-09-07 05:30
Platform
win7-20240708-en
Max time kernel
146s
Max time network
150s
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "c:\\dir\\install\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:\\dir\\install\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d12d1e38e6a85de4ea5c89633f529d16_JaffaCakes118.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
\??\c:\dir\install\install\server.exe
C:\Users\Admin\AppData\Roaming\logs.dat