Analysis Overview
SHA256
51d0bc63f05586fc726d57103a8067636dcfcef391cc15025cde2d82cc83dcfd
Threat Level: Known bad
The file 4afb95d53f83e1dea370b2f501307dda_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Modifies Installed Components in the registry
Adds policy Run key to start application
ASPack v2.12-2.42
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-16 12:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-16 12:06
Reported
2024-05-16 12:08
Platform
win7-20240508-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Windows\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Windows\services.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Windows\services.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\SysWOW64\winkey.dll | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\reginv.dll | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| File created | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Windows\services.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe"
C:\Windows\SysWOW64\fservice.exe
C:\Windows\system32\fservice.exe
C:\Windows\services.exe
C:\Windows\services.exe -XP
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | gmail.com | udp |
Files
\Windows\SysWOW64\fservice.exe
| MD5 | 4afb95d53f83e1dea370b2f501307dda |
| SHA1 | 25bdb482d40b3b9d29b36774c4bcc3fd090f0624 |
| SHA256 | 51d0bc63f05586fc726d57103a8067636dcfcef391cc15025cde2d82cc83dcfd |
| SHA512 | f8f6297f44dd6c898d32b03ec98a2ad43058850047d04524cbbe9de78afb59f013330f92e9006430a5414c07ce10a9fc2cd3b93d41d8b29899bfc3957199ec36 |
\Windows\SysWOW64\winkey.dll
| MD5 | b4c72da9fd1a0dcb0698b7da97daa0cd |
| SHA1 | b25a79e8ea4c723c58caab83aed6ea48de7ed759 |
| SHA256 | 45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f |
| SHA512 | f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066 |
\Windows\SysWOW64\reginv.dll
| MD5 | 562e0d01d6571fa2251a1e9f54c6cc69 |
| SHA1 | 83677ad3bc630aa6327253c7b3deffbd4a8ce905 |
| SHA256 | c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6 |
| SHA512 | 166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-16 12:06
Reported
2024-05-16 12:08
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
127s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\services.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Windows\services.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Windows\services.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\SysWOW64\winkey.dll | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\reginv.dll | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Windows\services.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\system\sservice.exe | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4808 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | C:\Windows\SysWOW64\fservice.exe |
| PID 4808 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | C:\Windows\SysWOW64\fservice.exe |
| PID 4808 wrote to memory of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe | C:\Windows\SysWOW64\fservice.exe |
| PID 1428 wrote to memory of 3240 | N/A | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe |
| PID 1428 wrote to memory of 3240 | N/A | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe |
| PID 1428 wrote to memory of 3240 | N/A | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4afb95d53f83e1dea370b2f501307dda_JaffaCakes118.exe"
C:\Windows\SysWOW64\fservice.exe
C:\Windows\system32\fservice.exe
C:\Windows\services.exe
C:\Windows\services.exe -XP
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4488,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | | tcp |
| US | 8.8.8.8:53 | gmail.com | udp |
| US | 8.8.8.8:53 | alt1.l.google.gmail.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Windows\SysWOW64\fservice.exe
C:\Windows\SysWOW64\winkey.dll
C:\Windows\SysWOW64\reginv.dll