Analysis Overview
SHA256
a329186a1a23e168fb7dbfc731a4c5bdc66c21e679bb904e5090f21f2db6d015
Threat Level: Known bad
The file ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Credentials from Password Stores: Credentials from Web Browsers
Adds policy Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-30 09:28
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-30 09:28
Reported
2024-08-30 09:31
Platform
win7-20240729-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Formbook
Credentials from Password Stores: Credentials from Web Browsers
Formbook payload
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LTXTXDZ00XV = "C:\\Program Files (x86)\\Qyx28chtp\\IconCacheulodufw8.exe" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2688 set thread context of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe |
| PID 1652 set thread context of 1372 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | C:\Windows\Explorer.EXE |
| PID 1652 set thread context of 1372 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | C:\Windows\Explorer.EXE |
| PID 288 set thread context of 1372 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Qyx28chtp\IconCacheulodufw8.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-2257386474-3982792636-3902186748-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\SysWOW64\rundll32.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c copy "C:\Users\Admin\AppData\Local\Temp\RarSFX0\*.*" "C:\Users\Admin\AppData\Roaming\fan" & exit
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.franck-medale.com | udp |
| FR | 217.70.184.38:80 | www.franck-medale.com | tcp |
| FR | 217.70.184.38:80 | www.franck-medale.com | tcp |
| US | 8.8.8.8:53 | www.bjfyzl.com | udp |
| HK | 154.218.175.46:80 | www.bjfyzl.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nwhrrxoeoaonmsiyy.png
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Uvenagxehdo.xml
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk
C:\Users\Admin\AppData\Roaming\87M688PE\87Mlogri.ini
C:\Users\Admin\AppData\Roaming\87M688PE\87Mlogim.jpeg
C:\Users\Admin\AppData\Roaming\87M688PE\87Mlogrv.ini
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-30 09:28
Reported
2024-08-30 09:31
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Formbook
Formbook payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 664 set thread context of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe |
| PID 4616 set thread context of 3368 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c copy "C:\Users\Admin\AppData\Local\Temp\RarSFX0\*.*" "C:\Users\Admin\AppData\Roaming\fan" & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.azadkashmir.net | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | www.urbanenergyservices.com | udp |
| US | 8.8.8.8:53 | www.bjfyzl.com | udp |
| HK | 154.218.175.46:80 | www.bjfyzl.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nwhrrxoeoaonmsiyy.png
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Uvenagxehdo.xml