Malware Analysis Report

2024-12-07 21:04

Sample ID 220825-tl6x6sfddr
Target xB0 2022000622.jar
SHA256 018f9f07e9a997c88dabdc3d15e8332ac7cdcb73bd35a45929ed4631fd2ce2ae
Tags adwind trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

018f9f07e9a997c88dabdc3d15e8332ac7cdcb73bd35a45929ed4631fd2ce2ae

Threat Level: Known bad

The file xB0 2022000622.jar was found to be: Known bad.

Malicious Activity Summary

adwind trojan

AdWind

Checks computer location settings

Drops file in System32 directory

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-25 16:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-25 16:09

Reported

2022-08-25 16:19

Platform

win7-20220812-en

Max time kernel

598s

Max time network

437s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\xB0 2022000622.jar"

Signatures

AdWind

trojan adwind

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\test.txt C:\Program Files\Java\jre7\bin\java.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre7\bin\java.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 976 wrote to memory of 1644 N/A C:\Windows\system32\java.exe C:\Windows\system32\wscript.exe
PID 1644 wrote to memory of 900 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 1644 wrote to memory of 1160 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 1160 wrote to memory of 584 N/A C:\Program Files\Java\jre7\bin\javaw.exe C:\Program Files\Java\jre7\bin\java.exe
PID 584 wrote to memory of 1172 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1172 wrote to memory of 1648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 584 wrote to memory of 1680 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1680 wrote to memory of 1368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 584 wrote to memory of 1612 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\xcopy.exe
PID 584 wrote to memory of 996 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe

Processes

C:\Windows\system32\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\xB0 2022000622.jar"

C:\Windows\system32\wscript.exe

wscript C:\Users\Admin\xzkekuvpqa.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\NyRSpZnNCB.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\pewjjncz.txt"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.41146282394790812822267099264672813.class

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8070636039465895996.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8070636039465895996.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6531287569283293898.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6531287569283293898.vbs

C:\Windows\system32\xcopy.exe

xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\system32\cmd.exe

cmd.exe

Network

Country Destination Domain Proto
N/A 127.0.0.1:7777 tcp

Files

C:\Users\Admin\xzkekuvpqa.js

C:\Users\Admin\AppData\Roaming\NyRSpZnNCB.js

C:\Users\Admin\AppData\Roaming\pewjjncz.txt

C:\Users\Admin\AppData\Local\Temp\_0.41146282394790812822267099264672813.class

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2591564548-2301609547-1748242483-1000\83aa4cc77f591dfc2374580bbd95f6ba_cea0eab3-c223-4f79-bf84-9af11aecddbc

C:\Users\Admin\AppData\Local\Temp\Retrive8070636039465895996.vbs

C:\Users\Admin\AppData\Local\Temp\Retrive6531287569283293898.vbs

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-25 16:09

Reported

2022-08-25 16:19

Platform

win10v2004-20220812-en

Max time kernel

36s

Max time network

92s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\xB0 2022000622.jar"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\SYSTEM32\wscript.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Windows\SYSTEM32\wscript.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
N/A N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe N/A

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\xB0 2022000622.jar"

C:\Windows\SYSTEM32\wscript.exe

wscript C:\Users\Admin\xzkekuvpqa.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\NyRSpZnNCB.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\absdnpsfkf.txt"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.92508354255371347852107456751735020.class

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
NL 8.238.24.126:80 tcp
NL 104.80.225.205:443 tcp

Files

C:\Users\Admin\xzkekuvpqa.js

C:\Users\Admin\AppData\Roaming\NyRSpZnNCB.js

C:\Users\Admin\AppData\Roaming\absdnpsfkf.txt

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

C:\Users\Admin\AppData\Local\Temp\_0.92508354255371347852107456751735020.class

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629973501-4017243118-3254762364-1000\83aa4cc77f591dfc2374580bbd95f6ba_e32e1c79-b88e-4709-94fb-81034ca3398e