Analysis

  • max time kernel
    123s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 06:39

General

  • Target

    eac6cb2a4a60d7db2618acb63ba47bfe_JaffaCakes118.exe

  • Size

    99KB

  • MD5

    eac6cb2a4a60d7db2618acb63ba47bfe

  • SHA1

    226ed23500be40bf1e0f79757c15d8a0d731b725

  • SHA256

    11e2647b14f26ffbb40a729eeb9e958d1e732bf682f6d209a22c75b84b275859

  • SHA512

    e1599c1c39013b989a94e1cf9d7715fb65e08c366928f9548169c27a1cb1243d4c4f87bc4e830dc93c3922798f0f5f75f502017bb2181a510096f7c82432ac15

  • SSDEEP

    768:WkpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn6jkvORFUWCn7wRu5mEf:vkQJcqwmIfj+ECJGCkvONymEn6zSDIw

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Password Policy Discovery 1 TTPs

    Attempt to access detailed information about the password policy used within an enterprise network.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Domain Trust Discovery 1 TTPs

    Attempt gathering information on domain trust relationships.

  • Permission Groups Discovery: Domain Groups 1 TTPs

    Attempt to find domain-level groups and permission settings.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • System Network Connections Discovery 1 TTPs 1 IoCs

    Attempt to get a listing of network connections.

  • Discovers systems in the same network 1 TTPs 4 IoCs
  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eac6cb2a4a60d7db2618acb63ba47bfe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eac6cb2a4a60d7db2618acb63ba47bfe_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\ProgramData\Application Data\wmimgmt.exe
      "C:\ProgramData\Application Data\wmimgmt.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Windows\SysWOW64\findstr.exe
          findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2112
        • C:\Windows\SysWOW64\chcp.com
          chcp
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2300
        • C:\Windows\SysWOW64\net.exe
          net user
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2296
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2268
        • C:\Windows\SysWOW64\net.exe
          net localgroup administrators
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup administrators
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2768
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2844
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers system information
          PID:2780
        • C:\Windows\SysWOW64\reg.exe
          reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2196
        • C:\Windows\SysWOW64\find.exe
          find "REG_"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2000
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2248
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2428
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1376
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2580
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
          4⤵
          PID:1632
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1680
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2856
        • C:\Windows\SysWOW64\reg.exe
          reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2812
        • C:\Windows\SysWOW64\reg.exe
          reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s
          4⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:1820
        • C:\Windows\SysWOW64\reg.exe
          reg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s
          4⤵
          PID:1912
        • C:\Windows\SysWOW64\reg.exe
          reg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1148
        • C:\Windows\SysWOW64\net.exe
          net user Admin
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1756
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user Admin
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1880
        • C:\Windows\SysWOW64\net.exe
          net user Admin /domain
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1864
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user Admin /domain
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1548
        • C:\Windows\SysWOW64\net.exe
          net group
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1528
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 group
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1952
        • C:\Windows\SysWOW64\net.exe
          net group /domain
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1244
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 group /domain
            5⤵
            • System Location Discovery: System Language Discovery
            PID:744
        • C:\Windows\SysWOW64\net.exe
          net group "domain admins"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:296
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 group "domain admins"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:288
        • C:\Windows\SysWOW64\net.exe
          net group "domain admins" /domain
          4⤵
          PID:2948
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 group "domain admins" /domain
            5⤵
            PID:3068
        • C:\Windows\SysWOW64\net.exe
          net group "domain computers"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3044
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 group "domain computers"
            5⤵
            PID:2092
        • C:\Windows\SysWOW64\net.exe
          net group "domain computers" /domain
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2356
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 group "domain computers" /domain
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2336
        • C:\Windows\SysWOW64\net.exe
          net group "domain controllers"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2276
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 group "domain controllers"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2240
        • C:\Windows\SysWOW64\net.exe
          net group "domain controllers" /domain
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2352
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 group "domain controllers" /domain
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2272
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:860
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -ano
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Connections Discovery
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:900
        • C:\Windows\SysWOW64\ARP.EXE
          arp -a
          4⤵
          • Network Service Discovery
          • System Location Discovery: System Language Discovery
          PID:284
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -r
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:2316
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2932
            • C:\Windows\SysWOW64\ROUTE.EXE
              C:\Windows\system32\route.exe print
              6⤵
              • System Location Discovery: System Language Discovery
              PID:824
        • C:\Windows\SysWOW64\net.exe
          net start
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1076
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2028
        • C:\Windows\SysWOW64\net.exe
          net use
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1332
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo n"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:268
        • C:\Windows\SysWOW64\net.exe
          net share
          4⤵
          PID:1500
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 share
            5⤵
            PID:540
        • C:\Windows\SysWOW64\net.exe
          net view /domain
          4⤵
          • System Location Discovery: System Language Discovery
          • Discovers systems in the same network
          PID:532
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:584
        • C:\Windows\SysWOW64\find.exe
          find /i /v "------"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2036
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:740
        • C:\Windows\SysWOW64\find.exe
          find /i /v "domain"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2256
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1352
        • C:\Windows\SysWOW64\find.exe
          find /i /v "¬A╛╣"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1676
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:656
        • C:\Windows\SysWOW64\find.exe
          find /i /v "░⌡ªµª¿"
          4⤵
          PID:1028
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2072
        • C:\Windows\SysWOW64\find.exe
          find /i /v "├ⁿ┴ε"
          4⤵
          PID:2132
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:808
        • C:\Windows\SysWOW64\find.exe
          find /i /v "completed successfully"
          4⤵
          PID:2464
        • C:\Windows\SysWOW64\net.exe
          net view /domain:"WORKGROUP"
          4⤵
          • System Location Discovery: System Language Discovery
          • Discovers systems in the same network
          PID:2224
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "
          4⤵
          PID:684
        • C:\Windows\SysWOW64\find.exe
          find "\\"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1660
        • C:\Windows\SysWOW64\net.exe
          net view \\CCJBVTGQ
          4⤵
          • Discovers systems in the same network
          PID:2212
        • C:\Windows\SysWOW64\net.exe
          net view \\CCJBVTGQ
          4⤵
          • System Location Discovery: System Language Discovery
          • Discovers systems in the same network
          PID:1292
        • C:\Windows\SysWOW64\find.exe
          find "Disk"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1232
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 CCJBVTGQ
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2540
        • C:\Windows\SysWOW64\findstr.exe
          findstr /i "Pinging Reply Request Unknown"
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:2136

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\wmimgmt.exe

    Filesize

    99KB

  • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

    Filesize

    49B

  • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

    Filesize

    7KB

  • C:\Users\Admin\AppData\Local\Temp\INFO.TXT

    Filesize

    24.9MB

  • C:\Users\Admin\AppData\Local\Temp\drivers.p

    Filesize

    15B

  • C:\Users\Admin\AppData\Local\Temp\ghi.bat

    Filesize

    4KB

  • C:\Users\Admin\AppData\Local\Temp\s.log

    Filesize

    153B

  • C:\Users\Admin\AppData\Local\Temp\t.log

    Filesize

    72B

  • C:\Users\Admin\AppData\Local\Temp\t.log

    Filesize

    64B

  • C:\Users\Admin\AppData\Local\Temp\workgrp.tmp

    Filesize

    234B

  • memory/2532-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/2532-9-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/3028-95-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB