Analysis Overview
SHA256
87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5
Threat Level: Known bad
The file 87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe was found to be: Known bad.
Malicious Activity Summary
Blackshades payload
Modifies firewall policy service
Blackshades
Blackshades family
Adds policy Run key to start application
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
UPX packed file
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-01 19:45
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-01 19:45
Reported
2025-02-01 19:47
Platform
win7-20241010-en
Max time kernel
45s
Max time network
121s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe
"C:\Users\Admin\AppData\Local\Temp\87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-01 19:45
Reported
2025-02-01 19:47
Platform
win10v2004-20250129-en
Max time kernel
119s
Max time network
115s
Command Line
Signatures
Blackshades
Blackshades family
Blackshades payload
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winlogonr\\winlogonr.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\DJXMLHG7SI.exe = "C:\\Users\\Admin\\AppData\\Roaming\\DJXMLHG7SI.exe:*:Enabled:Windows Messanger" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\DJXMLHG7SI.exe" | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA7D4AA4-AA9A-CF2C-C399-0A7A12E929AA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\DJXMLHG7SI.exe" | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{AA7D4AA4-AA9A-CF2C-C399-0A7A12E929AA} | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{AA7D4AA4-AA9A-CF2C-C399-0A7A12E929AA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\DJXMLHG7SI.exe" | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA7D4AA4-AA9A-CF2C-C399-0A7A12E929AA} | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogonr\\winlogonr.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\DJXMLHG7SI.exe" | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\DJXMLHG7SI.exe" | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 916 set thread context of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe | C:\Users\Admin\AppData\Local\Temp\87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe |
| PID 4744 set thread context of 1016 | N/A | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe |
| PID 4744 set thread context of 1604 | N/A | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe
"C:\Users\Admin\AppData\Local\Temp\87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe"
C:\Users\Admin\AppData\Local\Temp\87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe
"C:\Users\Admin\AppData\Local\Temp\87badcd6432832843c5ebf3945cca832ed5aadba41766cb041f4ce2f5521cff5N.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LTHIB.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe" /f
C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
"C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
"C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
"C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DJXMLHG7SI.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DJXMLHG7SI.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\DJXMLHG7SI.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\DJXMLHG7SI.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe:*:Enabled:Windows Messanger" /f
C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kreuz.hopto.org | udp |
| US | 8.8.8.8:53 | kreuz.hopto.org | udp |
| US | 8.8.8.8:53 | 1kreuz.hopto.org | udp |
| US | 8.8.8.8:53 | 2kreuz.hopto.org | udp |
| FR | 78.159.135.230:43194 | 2kreuz.hopto.org | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3kreuz.hopto.org | udp |
| US | 8.8.8.8:53 | 4kreuz.hopto.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\LTHIB.txt
| MD5 | 6831b89d0b8dc3e07588d733e75c122b |
| SHA1 | 8c70088c3224bbaf535ed19ec0f6bd5231c543be |
| SHA256 | 9fe102f2c6dff35f03787b85f725d12347cf491c897730a7f2e818f65177ffc2 |
| SHA512 | 699fb44a25032ee4ad0ace1f941c826b333baddb65049c22e80b272909e85f4c8a00fef73fe2d97fa8998a0b6969b13461237bfc1e8f9bf711849d17d0cda6da |
C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
| MD5 | f64f883a91a4bc64c23e57ebf85cb7a1 |
| SHA1 | 315b09442618df63e4e263564723891c38bf0c6c |
| SHA256 | 991c30ef09e30a32af4b66639b5803ac2aeee66aed008e6e7460a9f1e4b7ceee |
| SHA512 | 67ecd2d444b975f1b970fb9c2406751a8a43a2318560317b5cc933e44d5f09333211ade715f88d52d255d15793e43c2a2e9763e5fcc9b660cd034f2d837626c7 |