Malware Analysis Report

2025-08-10 18:07

Sample ID 240507-cepa4sdd4x
Target 4bd87d24066d91830ef74d3aa71a2630_NEAS
SHA256 5dc975b944afea6185e108a1e3e1f8629c8a70d3871b44647e0457f13e962380
Tags
bootkit persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5dc975b944afea6185e108a1e3e1f8629c8a70d3871b44647e0457f13e962380

Threat Level: Shows suspicious behavior

The file 4bd87d24066d91830ef74d3aa71a2630_NEAS was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence spyware stealer

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-07 01:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 01:59

Reported

2024-05-07 02:02

Platform

win7-20231129-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bd87d24066d91830ef74d3aa71a2630_NEAS.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uzxqm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uzxqm.exe N/A
N/A N/A \??\c:\Program Files\vrzoz\fkehdnsin.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vicity = "c:\\Program Files\\vrzoz\\fkehdnsin.exe \"c:\\Program Files\\vrzoz\\fkehdnsin.dll\",Group" \??\c:\Program Files\vrzoz\fkehdnsin.exe N/A

Enumerates connected drives


Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\Program Files\vrzoz\fkehdnsin.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\vrzoz C:\Users\Admin\AppData\Local\Temp\uzxqm.exe N/A
File created \??\c:\Program Files\vrzoz\fkehdnsin.dll C:\Users\Admin\AppData\Local\Temp\uzxqm.exe N/A
File created \??\c:\Program Files\vrzoz\fkehdnsin.exe C:\Users\Admin\AppData\Local\Temp\uzxqm.exe N/A
File opened for modification \??\c:\Program Files\vrzoz\fkehdnsin.exe C:\Users\Admin\AppData\Local\Temp\uzxqm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\Program Files\vrzoz\fkehdnsin.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\Program Files\vrzoz\fkehdnsin.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\Program Files\vrzoz\fkehdnsin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\Program Files\vrzoz\fkehdnsin.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bd87d24066d91830ef74d3aa71a2630_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uzxqm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\4bd87d24066d91830ef74d3aa71a2630_NEAS.exe C:\Windows\SysWOW64\cmd.exe
PID 1076 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1076 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uzxqm.exe
PID 1420 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\uzxqm.exe \??\c:\Program Files\vrzoz\fkehdnsin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4bd87d24066d91830ef74d3aa71a2630_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\4bd87d24066d91830ef74d3aa71a2630_NEAS.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\uzxqm.exe "C:\Users\Admin\AppData\Local\Temp\4bd87d24066d91830ef74d3aa71a2630_NEAS.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\uzxqm.exe

C:\Users\Admin\AppData\Local\Temp\\uzxqm.exe "C:\Users\Admin\AppData\Local\Temp\4bd87d24066d91830ef74d3aa71a2630_NEAS.exe"

\??\c:\Program Files\vrzoz\fkehdnsin.exe

"c:\Program Files\vrzoz\fkehdnsin.exe" "c:\Program Files\vrzoz\fkehdnsin.dll",Group C:\Users\Admin\AppData\Local\Temp\uzxqm.exe

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 01:59

Reported

2024-05-07 02:02

Platform

win10v2004-20240419-en

Max time kernel

140s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bd87d24066d91830ef74d3aa71a2630_NEAS.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tpbpv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tpbpv.exe N/A
N/A N/A \??\c:\Program Files\csrwo\jne.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\Program Files\csrwo\jne.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vicity = "c:\\Program Files\\csrwo\\jne.exe \"c:\\Program Files\\csrwo\\jneuq.dll\",Group" \??\c:\Program Files\csrwo\jne.exe N/A

Enumerates connected drives


Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\Program Files\csrwo\jne.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\csrwo\jneuq.dll C:\Users\Admin\AppData\Local\Temp\tpbpv.exe N/A
File created \??\c:\Program Files\csrwo\jne.exe C:\Users\Admin\AppData\Local\Temp\tpbpv.exe N/A
File opened for modification \??\c:\Program Files\csrwo\jne.exe C:\Users\Admin\AppData\Local\Temp\tpbpv.exe N/A
File opened for modification \??\c:\Program Files\csrwo C:\Users\Admin\AppData\Local\Temp\tpbpv.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\Program Files\csrwo\jne.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\Program Files\csrwo\jne.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\Program Files\csrwo\jne.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\Program Files\csrwo\jne.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4bd87d24066d91830ef74d3aa71a2630_NEAS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tpbpv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4bd87d24066d91830ef74d3aa71a2630_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\4bd87d24066d91830ef74d3aa71a2630_NEAS.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\tpbpv.exe "C:\Users\Admin\AppData\Local\Temp\4bd87d24066d91830ef74d3aa71a2630_NEAS.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\tpbpv.exe

C:\Users\Admin\AppData\Local\Temp\\tpbpv.exe "C:\Users\Admin\AppData\Local\Temp\4bd87d24066d91830ef74d3aa71a2630_NEAS.exe"

\??\c:\Program Files\csrwo\jne.exe

"c:\Program Files\csrwo\jne.exe" "c:\Program Files\csrwo\jneuq.dll",Group C:\Users\Admin\AppData\Local\Temp\tpbpv.exe

Network


Files
