Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2024, 14:19

General

  • Target

    7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe

  • Size

    404KB

  • MD5

    7f85f00af073eeaba1e19077285ae933

  • SHA1

    8ab10781d4965f97ba6fba83f651aa63b547168a

  • SHA256

    e71216b9f84d5dd86e752c2ff501080f3ac49a76ceba7258635599b690c0c984

  • SHA512

    e05ee6247bf1074166cecaa6254e12ecf278dd0156871803982d6541c0f55dfa06479bd2660c7ef7beb4e1a31a0d5612be7fba8c417e9bfc86e2da13460befd6

  • SSDEEP

    6144:+tiKbV4FeQ277LUnc2Emm4FSM1A4N87E/hTOZsSNBMlxUAFvnMB8ZN4Gb/Deg7o9:gi86Q/QnFlA+8FExF0B8ZeYeg7QnNxwa

Malware Config

Signatures

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 5 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks for any installed AV software in registry 1 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 5 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: Clear Persistence 1 TTPs 5 IoCs

    remove IFEO.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops autorun.inf file 1 TTPs 13 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 21 IoCs
  • UPX packed file 33 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_JaffaCakes118.exe"
    1⤵
    • Event Triggered Execution: Image File Execution Options Injection
    • Checks computer location settings
    • Adds Run key to start application
    • Checks for any installed AV software in registry
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Indicator Removal: Clear Persistence
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3160
    • C:\Windows\SysWOW64\cacls.exe
      "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1684
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c echo ok
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5076
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Windows\SysWOW64\com\smss.exe
        C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2268
    • \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
      "c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log"
      2⤵
      • Event Triggered Execution: Image File Execution Options Injection
      • Checks computer location settings
      • Executes dropped EXE
      • Checks for any installed AV software in registry
      • Checks whether UAC is enabled
      • Enumerates connected drives
      • Indicator Removal: Clear Persistence
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5048
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2796
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1196
      • C:\Windows\SysWOW64\cacls.exe
        "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c echo ok
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3220
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:316
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3472
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~^|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4636
        • C:\Windows\SysWOW64\com\smss.exe
          C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~|c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
          4⤵
          • Executes dropped EXE
          PID:3984
      • C:\Windows\SysWOW64\com\lsass.exe
        "C:\Windows\system32\com\lsass.exe"
        3⤵
        • Event Triggered Execution: Image File Execution Options Injection
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks for any installed AV software in registry
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Indicator Removal: Clear Persistence
        • Drops autorun.inf file
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3164
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4496
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3300
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3372
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3636
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4296
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c echo ok
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2132
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3720
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2096
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1412
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|C:\pagefile.pif"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3620
          • C:\Windows\SysWOW64\com\smss.exe
            C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif
            5⤵
            • Executes dropped EXE
            PID:5020
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3220
          • C:\Windows\SysWOW64\com\smss.exe
            C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
            5⤵
            • Executes dropped EXE
            PID:3724
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|E:\pagefile.pif"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4788
          • C:\Windows\SysWOW64\com\smss.exe
            C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|E:\pagefile.pif
            5⤵
            • Executes dropped EXE
            PID:3428
        • C:\Windows\SysWOW64\com\smss.exe
          C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
          4⤵
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Indicator Removal: Clear Persistence
          • System Location Discovery: System Language Discovery
          PID:3312
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1180
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4104
        • C:\Windows\SysWOW64\ping.exe
          ping.exe -f -n 1 www.baidu.com
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2448
      • C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe
        "C:\Users\Admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe"
        3⤵
        • Executes dropped EXE
        PID:4132
      • C:\Windows\SysWOW64\com\lsass.exe
        ^c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log
        3⤵
        • Event Triggered Execution: Image File Execution Options Injection
        • Checks computer location settings
        • Executes dropped EXE
        • Checks for any installed AV software in registry
        • Checks whether UAC is enabled
        • Enumerates connected drives
        • Indicator Removal: Clear Persistence
        • Drops autorun.inf file
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1204
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1944
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5084
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1120
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4092
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4992
        • C:\Windows\SysWOW64\cacls.exe
          "C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2024
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c echo ok
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4780
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3116

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\NetApi00.sys

          Filesize

          4KB

          MD5

          8e336906e90cb3558fb9704d0921e27a

          SHA1

          59ad8af4982e287954ecf0afaa2f28bc1ba578bc

          SHA256

          7c9b6f4a222d9b110ff7abecd2cd9ae7d4a7c8229e5c8b5a39da007127735897

          SHA512

          0a6a13daccd9f149ef5417d87ff0d9dee0564fe42dcb2cd61782dc5af744e218f68c04ed2705eba8ab3c2867af81ad487f58efe3d620cd30c433e0d382efed24

        • C:\Users\Admin\AppData\Local\Temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.exe.log

          Filesize

          404KB

          MD5

          7f85f00af073eeaba1e19077285ae933

          SHA1

          8ab10781d4965f97ba6fba83f651aa63b547168a

          SHA256

          e71216b9f84d5dd86e752c2ff501080f3ac49a76ceba7258635599b690c0c984

          SHA512

          e05ee6247bf1074166cecaa6254e12ecf278dd0156871803982d6541c0f55dfa06479bd2660c7ef7beb4e1a31a0d5612be7fba8c417e9bfc86e2da13460befd6

        • C:\Windows\SysWOW64\Com\lsass.exe

          Filesize

          80KB

          MD5

          4c17312e44a4000a782a5c71b04b5faa

          SHA1

          47c4c0f3b80f809957ddff48b28211d992f3e9f5

          SHA256

          a059aa3b5462a3d602fe29590dd8ca78fbb9e90f3402a3e41e2688d08d552341

          SHA512

          8ea955e5cdb2ba2cac15018a82b270f3eabce3d311123fc5e39c7b5f3606782a56811086ca4bb10196e9664df88c8d1609fa3bc259cf7dee0fb1ce70cc5a0c14

        • C:\Windows\SysWOW64\Com\netcfg.000

          Filesize

          44KB

          MD5

          d3777f588e34bbc50a1c08d472b94a83

          SHA1

          abcbccde250c3a142347efc32c5a89869ead61f4

          SHA256

          0b10b6bdf21f31107be9140d4e8c1120c60e057421aee2a17b4b674f2b7d2b0b

          SHA512

          8701d268b2ea969bf4a21a13f6898d6ff21752f51bb1cbe24017422f5835a4ec5423c398f0593226affa3a2e353ff2fc30c6ec239bcc4bc3e7b09dd3f42b67cc

        • C:\Windows\SysWOW64\Com\smss.exe

          Filesize

          21KB

          MD5

          ecc52a71f452d05a30b9b521d8ed9025

          SHA1

          fcf04b2927dffb263e6ba1c138ddc58b40dd9f3e

          SHA256

          f571a4589569bdcf3c2ef031e300cee025680ff239a5cbe9ab8ed9342d0329e0

          SHA512

          d1d1a38cd4d9eccc887fd1e616b176c8a231d526f606b0579aa86c88d03c9adbcb3e133ee3e03d73f2c11f87af3f71efdccfa63f2e5d370c7279b523e838854f

        • C:\Windows\SysWOW64\dnsq.dll

          Filesize

          23KB

          MD5

          c08ba4c0a84a6d5dbd2f8c99ecfe7116

          SHA1

          a031a2147851c856eff0161a266e33410aa94604

          SHA256

          7ee24ac81046fc2e214423d816b9f805992a4aa2d9a3f9567699142e69bc863f

          SHA512

          ddd4da03ef846c8addd3e7168c08c3ce8d354c5d82e4dd94903e918338745f5f8ec47cb6688df482e0afd68f28c4fbd2e48a3d2cae52f145cc451a77532d7f01

        • \??\c:\users\admin\appdata\local\temp\7f85f00af073eeaba1e19077285ae933_jaffacakes118.~

          Filesize

          243KB

          MD5

          1cf46cbf40ec16bef528ebc2fd7f03dc

          SHA1

          54069df6e6d11b93dca22d8461b9588302f912c6

          SHA256

          d2694a4d43613b3f304a23502249e29cb6746cddae79b5a667b5b319c1ae5dbf

          SHA512

          fecce695232c69ff961239f42c9637d2990ba3bbd5fc9d5709eed153e33a66d2caff05f782d5d9afd84957bb1828ea53e683e78ef4c99b382ea335d15eec2dea

        • memory/1064-0-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1064-15-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1204-46-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1716-96-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1716-74-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1716-31-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1716-132-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1716-104-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1716-59-0x0000000010000000-0x0000000010012000-memory.dmp

          Filesize

          72KB

        • memory/1716-124-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1716-120-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1716-116-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1716-108-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1716-78-0x0000000010000000-0x0000000010012000-memory.dmp

          Filesize

          72KB

        • memory/1716-79-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1716-112-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1716-100-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1716-84-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1716-88-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/1716-92-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/2268-8-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2268-11-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/2900-35-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

        • memory/3312-83-0x0000000010000000-0x0000000010012000-memory.dmp

          Filesize

          72KB

        • memory/3312-81-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3428-73-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3724-71-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/3984-27-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

        • memory/5020-68-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB