Malware Analysis Report

2025-04-14 02:58

Sample ID 240613-c7fvfavgjl
Target f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a
SHA256 f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a
Tags persistence
score 7/10

Analysis Overview

score
7/10

SHA256

f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a

Threat Level: Shows suspicious behavior

The file f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 02:42

Reported

2024-06-13 02:45

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718246574" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718246574" C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe

"C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp

Files

memory/1140-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 177f4da8702ce3ff6198f84482916fb8
SHA1 0d3787be02cd3e2ebd02ec085f444e11639698fe
SHA256 2c86ca466e6e4979eb3f1e823922bda56d1e0b91698a5bc1f2c878203aca2455
SHA512 6cac524b61089924d3e58bd6dc16c1407474d9610174f7f38d8d9a206e3c3bccf2da2dfb2b011cacac404ffa72a35a612970289b1780625f609c799baa9b190a

C:\Windows\System\rundll32.exe

MD5 d2c0dd76e05e3ed2106089468b2d65a2
SHA1 642967312de7e370e19515651b6cb460bec6e87e
SHA256 13cd0eb0d1b9065937173ff5e79f8b5088e0690d65e60d3782a491366697d2e3
SHA512 8e9c96fe25347aa869797e0ceba8adf0d74ad34a76a24e4fb9eb23dfdfe521b130802e3b2c8ee303f365b2bce51e70ff7bd211645c0c20b79a7ceba5d0dfc69a

memory/1140-13-0x0000000000400000-0x0000000000415A00-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:42

Reported

2024-06-13 02:45

Platform

win7-20240611-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
File created C:\Windows\SysWOW64\¢«.exe C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
File opened for modification C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
File created C:\Windows\SysWOW64\notepad¢¬.exe C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
File created C:\Windows\system\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718246577" C:\Windows\system\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSipv C:\Windows\system\rundll32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718246577" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1" C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*" C:\Windows\system\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1" C:\Windows\system\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe

"C:\Users\Admin\AppData\Local\Temp\f8d63c922d188c032aad8312ce06db468744132b1258ba8c40cc7febab50813a.exe"

C:\Windows\system\rundll32.exe

C:\Windows\system\rundll32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.zigui.org udp
HK 103.251.237.123:80 www.zigui.org tcp

Files

memory/1444-0-0x0000000000400000-0x0000000000415A00-memory.dmp

C:\Windows\SysWOW64\notepad¢¬.exe

MD5 205db5c036d9350f07af4f42a39dda6c
SHA1 dfcae7e31b950a1db81ff8ba27adedfa9d0daafb
SHA256 17b45836d377972081dba3fa7d5865f5e0a95498bac4bf2e6dc407802518ea0b
SHA512 fa2d1ec09511856ef76a3b0b4766b73ffd7c57770c8ef34974de0839dbcb25f509e588d2151f236cbd33460c3ff7c4dcf03112f473ef351c7fc62200c9f93455

\Windows\system\rundll32.exe

MD5 ddfc7025fa09ff38a4dbe898a4358fdd
SHA1 d1add8653aaea87154b24afd2672c5ebe68a35a5
SHA256 93efa74191794465111a7723f79e4c6fbc2fdbc2bd15409b0acec4a67c18b8dc
SHA512 f6599c0f52926d7622d1f7208a79c790b628924546f5f66600de6380ee21e120c53337ec326dd3039556780575871ea0a3dc23fddb112f7e590618fb6951edb8

memory/1444-12-0x00000000002C0000-0x00000000002D6000-memory.dmp

memory/1444-18-0x00000000002C0000-0x00000000002D6000-memory.dmp

memory/1444-20-0x0000000000400000-0x0000000000415A00-memory.dmp

memory/1444-21-0x00000000002C0000-0x00000000002C6000-memory.dmp