Malware Analysis Report

2024-10-18 22:05

Sample ID 240616-3bycqaxcpr
Target 85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5
SHA256 85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5
Tags
upx bootkit persistence spyware stealer
score
9/10


Analysis Overview

score
9/10

SHA256

85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5

Threat Level: Likely malicious

The file 85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5 was found to be: Likely malicious.

Malicious Activity Summary

upx bootkit persistence spyware stealer

Detects executables containing base64 encoded User Agent

Blocklisted process makes network request

Deletes itself

Executes dropped EXE

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Runs ping.exe

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 23:21

Signatures

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 23:21

Reported

2024-06-16 23:23

Platform

win7-20240611-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"

Signatures

Detects executables containing base64 encoded User Agent


Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uxdntjqwx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uxdntjqwx.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Micro = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\ptvdu\\njxtq.dll\",method" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\ptvdu C:\Users\Admin\AppData\Local\Temp\uxdntjqwx.exe N/A
File created \??\c:\Program Files\ptvdu\njxtq.dll C:\Users\Admin\AppData\Local\Temp\uxdntjqwx.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe C:\Windows\SysWOW64\cmd.exe
PID 1284 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1284 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\uxdntjqwx.exe
PID 2864 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\uxdntjqwx.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe

"C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\uxdntjqwx.exe "C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\uxdntjqwx.exe

C:\Users\Admin\AppData\Local\Temp\\uxdntjqwx.exe "C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\ptvdu\njxtq.dll",method C:\Users\Admin\AppData\Local\Temp\uxdntjqwx.exe

Network

Country Destination Domain Proto
US 107.163.56.246:18530 107.163.56.246 tcp
US 107.163.56.251:6658 tcp
US 107.163.56.243:18963 107.163.56.243 tcp
US 107.163.56.243:18963 tcp

Files


\Users\Admin\AppData\Local\Temp\uxdntjqwx.exe

MD5 3d776d31259f5dd9d268a6eaa85fa393
SHA1 0fe77f65fe574d2ead7c7145f73987c7f95867da
SHA256 68a6d9d805b326cc3f8b786407b2aa3a00a7cabd00adfd05798d9b6f872b5de9
SHA512 134350208326edc4dae19dd7123d6a47a4ae342802e9fce0efee1216a7bb2f0397a7982e1e5eaf634abfdcfe324d06641bf496f900cd978fcee0bc4ce0345776


\??\c:\Program Files\ptvdu\njxtq.dll

MD5 16574eec8585aeccf3356cf4c8375931
SHA1 2ce97e355ef5e3f20e3188782e317e7113b895e3
SHA256 f663d5c8eddb791b948e3e50c977d8d626bb188ed6c8d90edebf32cee7350115
SHA512 c8de53db42293f07a14d9db025fcc143a5e5635063823ff0ef92b679efbc46c228eedd0fc8443a5838a1eb7a3f3c439162819c1d1e2111eec4c88d6d269678da


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 23:21

Reported

2024-06-16 23:23

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"

Signatures

Detects executables containing base64 encoded User Agent


Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcmxuy.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcmxuy.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micro = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\ulmzl\\geyza.dll\",method" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\ulmzl C:\Users\Admin\AppData\Local\Temp\dcmxuy.exe N/A
File created \??\c:\Program Files\ulmzl\geyza.dll C:\Users\Admin\AppData\Local\Temp\dcmxuy.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4024 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe C:\Windows\SysWOW64\cmd.exe
PID 3764 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3764 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dcmxuy.exe
PID 1548 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\dcmxuy.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe

"C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\dcmxuy.exe "C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\dcmxuy.exe

C:\Users\Admin\AppData\Local\Temp\\dcmxuy.exe "C:\Users\Admin\AppData\Local\Temp\85116b9534fe3ff0aace7f279b8f431c65068dc3dc3516beb3842253e33724d5.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\ulmzl\geyza.dll",method C:\Users\Admin\AppData\Local\Temp\dcmxuy.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 107.163.56.246:18530 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 107.163.56.251:6658 tcp
US 107.163.56.243:18963 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 142.250.186.170:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 170.186.250.142.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Local\Temp\dcmxuy.exe

MD5 a1b9ed224cb2f14ff07edb60bee7458a
SHA1 508b5d5d299623e4f434b7895de5faf8c70c06d6
SHA256 2c0d5c85f5589228554ae6ccd7cfdcb70aaf52efff03d20e41b6a8ac6b9c0d87
SHA512 5c9f10f9dbc872a7bcc7ea6c808226f8b755e7e2975d449ed4a234e7fd5d3ac054d7a6f94f2d0ecc6679cbecf90d871719e80274fc9225201b30fb2fe4ddf7b3


\??\c:\Program Files\ulmzl\geyza.dll

MD5 21f3e95ceabc201f87c4527cc2a7de2a
SHA1 9bea9b5d7d58d6dbb9ca81055903f0e0ff073675
SHA256 a4a40afee2e833a5a582d7b9d146d3c3e12fbaf10f522ff51939fbe512a5a8f3
SHA512 2e7c161b885b265ab680f113fd3b6055a3d04651e60be7f69a7a28c9597b36da87d8e50cabf91c99bcea9d27ec4eeba818c69c89f70ec8e066d601a41f72a2d3
