Analysis Overview
SHA256
4f7590d4268af785ccd289d634ff6074815e0835c9e6e45756d7b9f3c526b159
Threat Level: Known bad
The file 4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Detects PlugX payload
PlugX
Loads dropped DLL
Deletes itself
Executes dropped EXE
Unsigned PE
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-05-16 20:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-16 20:06
Reported
2024-05-16 20:09
Platform
win7-20240419-en
Max time kernel
149s
Max time network
141s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hc.exe | N/A |
| N/A | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
| N/A | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hc.exe | N/A |
| N/A | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
| N/A | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-99-13-52-c7-4d\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-99-13-52-c7-4d\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D}\WpadDecisionTime = 60caa3c2cca7da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-99-13-52-c7-4d | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D}\fe-99-13-52-c7-4d | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-99-13-52-c7-4d\WpadDecisionTime = 60caa3c2cca7da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-99-13-52-c7-4d\WpadDetectedUrl | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D}\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45004600430032003400420030003200380036003300360044003200380036000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hc.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\hc.exe
C:\Users\Admin\AppData\Local\Temp\hc.exe
C:\ProgramData\hkcmd\hc.exe
"C:\ProgramData\hkcmd\hc.exe" 100 1624
C:\ProgramData\hkcmd\hc.exe
"C:\ProgramData\hkcmd\hc.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 2764
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.255.255:53 | udp | |
| US | 8.8.8.8:53 | msn.catalogipdate.com | udp |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | udp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | udp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | udp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | udp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | udp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | udp |
Files
\Users\Admin\AppData\Local\Temp\hccutils.dll
| MD5 | 1dd363b3564929d0bc336571dec74cf0 |
| SHA1 | 21c953538bba7749bcc3ce049b2df9df396bc2b7 |
| SHA256 | 88ab31fb0d56ffe438f21fcce81a1df35554236ef2152c34b91bf5247ab35b7e |
| SHA512 | 0ba2583a5ea404cd4f6d5fb9b62ce590eb6244435d3a14586423e9ee7c116047fbb68d588f3e1ecee76d9dd7285805676f5f023baabe4bbdec34a5e754d9a70a |
C:\Users\Admin\AppData\Local\Temp\hc.exe
| MD5 | 23f2c3dbdb65c898a11e7f4ddc598a10 |
| SHA1 | cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c |
| SHA256 | a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677 |
| SHA512 | 0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a |
memory/1936-0-0x0000000000080000-0x00000000000BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hccutils.DLL.res
| MD5 | 81693011cb717a15ad364a7344f8ffcf |
| SHA1 | 0e26b1b58c3a8f978874fd86762af11208999fb3 |
| SHA256 | 01d5786b31dbb6855f089ae4569c40d5b99b4aed9462053358572898d797b6aa |
| SHA512 | 10ff4a7af7c8bd30b696ca1d2c9d3f7d29ed9a79f45264a0442d64cbc81a6e0945842c24d44e97a96a8db3686d9e00f9d0f73799e90620a74ed6ba7b58dded53 |
memory/1624-12-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1624-11-0x0000000000410000-0x0000000000411000-memory.dmp
memory/1624-13-0x0000000000560000-0x000000000058D000-memory.dmp
memory/2608-31-0x0000000000400000-0x000000000042D000-memory.dmp
memory/2608-32-0x00000000005F0000-0x000000000061D000-memory.dmp
memory/2620-35-0x0000000001C80000-0x0000000001CAD000-memory.dmp
memory/2764-39-0x00000000000C0000-0x00000000000C2000-memory.dmp
memory/2764-38-0x00000000000A0000-0x00000000000BB000-memory.dmp
memory/2764-36-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2620-42-0x0000000001C80000-0x0000000001CAD000-memory.dmp
memory/2764-45-0x0000000000200000-0x000000000022D000-memory.dmp
memory/2764-59-0x0000000000200000-0x000000000022D000-memory.dmp
memory/2764-58-0x0000000000200000-0x000000000022D000-memory.dmp
memory/2764-57-0x0000000000200000-0x000000000022D000-memory.dmp
memory/2764-56-0x0000000000200000-0x000000000022D000-memory.dmp
memory/2764-60-0x0000000000200000-0x000000000022D000-memory.dmp
memory/2764-55-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2764-44-0x0000000000200000-0x000000000022D000-memory.dmp
memory/1624-43-0x0000000000560000-0x000000000058D000-memory.dmp
memory/2764-61-0x0000000000200000-0x000000000022D000-memory.dmp
memory/2764-40-0x0000000000200000-0x000000000022D000-memory.dmp
memory/2764-41-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2764-62-0x0000000000200000-0x000000000022D000-memory.dmp
memory/2764-65-0x0000000000200000-0x000000000022D000-memory.dmp
memory/2608-66-0x00000000005F0000-0x000000000061D000-memory.dmp
memory/2972-75-0x0000000000360000-0x000000000038D000-memory.dmp
memory/2972-78-0x0000000000360000-0x000000000038D000-memory.dmp
memory/2972-77-0x0000000000360000-0x000000000038D000-memory.dmp
memory/2972-76-0x0000000000070000-0x0000000000071000-memory.dmp
memory/2764-79-0x0000000000200000-0x000000000022D000-memory.dmp
memory/2764-85-0x0000000000200000-0x000000000022D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-16 20:06
Reported
2024-05-16 20:09
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hc.exe | N/A |
| N/A | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
| N/A | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hc.exe | N/A |
| N/A | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
| N/A | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 34003200320038004600340042004300360039003200360032004500460034000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hc.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\hkcmd\hc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4cd11a2596c130a0428b7360d2be2f64_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\hc.exe
C:\Users\Admin\AppData\Local\Temp\hc.exe
C:\ProgramData\hkcmd\hc.exe
"C:\ProgramData\hkcmd\hc.exe" 100 60
C:\ProgramData\hkcmd\hc.exe
"C:\ProgramData\hkcmd\hc.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 228
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 222.131.50.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| N/A | 10.127.255.255:53 | udp | |
| US | 8.8.8.8:53 | msn.catalogipdate.com | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.104:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 104.61.62.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:12345 | tcp | |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | udp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | udp | |
| N/A | 127.0.0.1:12345 | tcp | |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | udp | |
| US | 8.8.8.8:53 | msn.catalogipdate.com | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | udp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | udp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | tcp | |
| N/A | 127.0.0.1:12345 | udp |
Files
C:\Users\Admin\AppData\Local\Temp\hc.exe
| MD5 | 23f2c3dbdb65c898a11e7f4ddc598a10 |
| SHA1 | cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c |
| SHA256 | a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677 |
| SHA512 | 0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a |
memory/852-4-0x0000000000FB0000-0x0000000000FEA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hccutils.DLL.res
| MD5 | 81693011cb717a15ad364a7344f8ffcf |
| SHA1 | 0e26b1b58c3a8f978874fd86762af11208999fb3 |
| SHA256 | 01d5786b31dbb6855f089ae4569c40d5b99b4aed9462053358572898d797b6aa |
| SHA512 | 10ff4a7af7c8bd30b696ca1d2c9d3f7d29ed9a79f45264a0442d64cbc81a6e0945842c24d44e97a96a8db3686d9e00f9d0f73799e90620a74ed6ba7b58dded53 |
memory/60-11-0x0000000000400000-0x000000000042D000-memory.dmp
memory/60-10-0x0000000000410000-0x0000000000411000-memory.dmp
memory/60-12-0x0000000001F60000-0x0000000001F8D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hccutils.dll
| MD5 | 1dd363b3564929d0bc336571dec74cf0 |
| SHA1 | 21c953538bba7749bcc3ce049b2df9df396bc2b7 |
| SHA256 | 88ab31fb0d56ffe438f21fcce81a1df35554236ef2152c34b91bf5247ab35b7e |
| SHA512 | 0ba2583a5ea404cd4f6d5fb9b62ce590eb6244435d3a14586423e9ee7c116047fbb68d588f3e1ecee76d9dd7285805676f5f023baabe4bbdec34a5e754d9a70a |
memory/4116-30-0x0000000002190000-0x00000000021BD000-memory.dmp
memory/4116-31-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1340-35-0x0000000000C60000-0x0000000000C8D000-memory.dmp
memory/1340-34-0x0000000000400000-0x000000000042D000-memory.dmp
memory/1340-37-0x0000000000C60000-0x0000000000C8D000-memory.dmp
memory/228-36-0x0000000000EB0000-0x0000000000EDD000-memory.dmp
memory/228-50-0x0000000000EB0000-0x0000000000EDD000-memory.dmp
memory/228-53-0x0000000000EB0000-0x0000000000EDD000-memory.dmp
memory/60-54-0x0000000001F60000-0x0000000001F8D000-memory.dmp
memory/228-58-0x0000000000EB0000-0x0000000000EDD000-memory.dmp
memory/228-57-0x0000000000EB0000-0x0000000000EDD000-memory.dmp
memory/228-56-0x0000000000EB0000-0x0000000000EDD000-memory.dmp
memory/228-55-0x0000000000EB0000-0x0000000000EDD000-memory.dmp
memory/228-52-0x0000000000EB0000-0x0000000000EDD000-memory.dmp
memory/228-49-0x0000000000EB0000-0x0000000000EDD000-memory.dmp
memory/228-38-0x0000000000EB0000-0x0000000000EDD000-memory.dmp
memory/228-51-0x0000000000890000-0x0000000000891000-memory.dmp
memory/228-61-0x0000000000EB0000-0x0000000000EDD000-memory.dmp
memory/4116-62-0x0000000002190000-0x00000000021BD000-memory.dmp
memory/4604-63-0x00000000025D0000-0x00000000025FD000-memory.dmp
memory/4604-66-0x00000000025D0000-0x00000000025FD000-memory.dmp
memory/4604-65-0x00000000025D0000-0x00000000025FD000-memory.dmp
memory/4604-64-0x0000000000C40000-0x0000000000C41000-memory.dmp
memory/228-67-0x0000000000EB0000-0x0000000000EDD000-memory.dmp
memory/4604-69-0x0000000000A90000-0x0000000000A91000-memory.dmp
memory/228-74-0x0000000000EB0000-0x0000000000EDD000-memory.dmp