Malware Analysis Report

2025-03-15 04:20

Sample ID 241026-a64h1aybmn
Target dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N
SHA256 dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254
Tags
bootkit discovery persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254

Threat Level: Likely malicious

The file dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence spyware stealer

Blocklisted process makes network request

Executes dropped EXE

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Enumerates connected drives

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 00:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 00:50

Reported

2024-10-26 00:52

Platform

win7-20240903-en

Max time kernel

112s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\hopoc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\hopoc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\jcocw\\zwvdeg.dll\",DoVirusScan" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\hopoc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe N/A
N/A N/A \??\c:\hopoc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2408 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\hopoc.exe
PID 2764 wrote to memory of 2012 N/A \??\c:\hopoc.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe

"C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\hopoc.exe "C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\hopoc.exe

c:\hopoc.exe "C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\jcocw\zwvdeg.dll",DoVirusScan c:\hopoc.exe

Network

Country Destination Domain Proto
US 67.198.215.212:803 tcp
US 67.198.215.212:803 tcp
US 67.198.215.213:3204 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 67.198.215.213:3204 tcp
US 67.198.215.213:3204 tcp

Files

memory/2288-0-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2288-2-0x0000000000400000-0x000000000041B000-memory.dmp

\??\c:\hopoc.exe

MD5 ec2c3250367149c70fdfb8bf59e873d6
SHA1 799bcd7bcf4417420bc0c63afdc7932dfd0b8417
SHA256 cb695a193c37be43a14836e3da030913fe13b2eb8e0b301297efc506f9bb1e4f
SHA512 6428c809e5c6b02540a53fb23f365463e72f7337b05a20b9cab0e8a50ffa6599352b2e51d1bfc4b329610346d8f538b8eb392ebd72e0eab8de4fb08961a5695e

memory/2764-6-0x0000000000400000-0x000000000041B000-memory.dmp

\??\c:\jcocw\zwvdeg.dll

MD5 d44df003cd7b4ddc2b58f66d6af9894a
SHA1 165234b8432fa410af2e16a286fea52a664bcd46
SHA256 3f60f5b141fed70c9db160df1b34aa28c62d9aae480029bee14fbe1f635e07e8
SHA512 695266ae7c913291d060c9a7522283d9f113aa05f4105000ec5cd02fb0a102ec74aeee67ad5d660504c1d84c4d2b0eb36de1d551d1aa8bb3b8f06d4a5e509796


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 00:50

Reported

2024-10-26 00:52

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\bhhfk.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\bhhfk.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\bdbbo\\ahdwcbmw.dll\",DoVirusScan" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\bhhfk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe N/A
N/A N/A \??\c:\bhhfk.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe

"C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\bhhfk.exe "C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\bhhfk.exe

c:\bhhfk.exe "C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\bdbbo\ahdwcbmw.dll",DoVirusScan c:\bhhfk.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 67.198.215.212:803 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 67.198.215.213:3204 tcp
US 67.198.215.214:805 tcp
US 67.198.215.214:805 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 67.198.215.214:805 tcp
US 67.198.215.213:3204 tcp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 67.198.215.213:3204 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 67.198.215.213:3204 tcp

Files

memory/3340-0-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3340-2-0x0000000000400000-0x000000000041B000-memory.dmp

C:\bhhfk.exe

MD5 36cac1878b9f96f38684c8f368acf580
SHA1 a5ba0c29f317dc8b10b7133e2610acef3c725a39
SHA256 a95c8392acfbd38ffbeedc214825b52e9b34003b548718f7214f89afa2032b5d
SHA512 6db866709f203f6a685fb7a312b104414d43fe34cb06892e8e045aa162864fd26c1b1fa2c448f547c6aadf30e06e837ce7ce796b52be45ea4aa3a7c4bd098f7b

memory/3264-7-0x0000000000400000-0x000000000041B000-memory.dmp

\??\c:\bdbbo\ahdwcbmw.dll

MD5 d44df003cd7b4ddc2b58f66d6af9894a
SHA1 165234b8432fa410af2e16a286fea52a664bcd46
SHA256 3f60f5b141fed70c9db160df1b34aa28c62d9aae480029bee14fbe1f635e07e8
SHA512 695266ae7c913291d060c9a7522283d9f113aa05f4105000ec5cd02fb0a102ec74aeee67ad5d660504c1d84c4d2b0eb36de1d551d1aa8bb3b8f06d4a5e509796
