Analysis Overview
SHA256
dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254
Threat Level: Likely malicious
The file dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Executes dropped EXE
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Enumerates connected drives
Unsigned PE
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 00:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 00:50
Reported
2024-10-26 00:52
Platform
win7-20240903-en
Max time kernel
112s
Max time network
118s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\hopoc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\hopoc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\jcocw\\zwvdeg.dll\",DoVirusScan" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\hopoc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe | N/A |
| N/A | N/A | \??\c:\hopoc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe
"C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\hopoc.exe "C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\hopoc.exe
c:\hopoc.exe "C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\jcocw\zwvdeg.dll",DoVirusScan c:\hopoc.exe
Network
| Country | Destination | Domain | Proto |
| US | 67.198.215.212:803 | tcp | |
| US | 67.198.215.212:803 | tcp | |
| US | 67.198.215.213:3204 | tcp | |
| US | 67.198.215.214:805 | tcp | |
| US | 67.198.215.214:805 | tcp | |
| US | 67.198.215.214:805 | tcp | |
| US | 67.198.215.214:805 | tcp | |
| US | 67.198.215.213:3204 | tcp | |
| US | 67.198.215.213:3204 | tcp |
Files
memory/2288-0-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2288-2-0x0000000000400000-0x000000000041B000-memory.dmp
\??\c:\hopoc.exe
| MD5 | ec2c3250367149c70fdfb8bf59e873d6 |
| SHA1 | 799bcd7bcf4417420bc0c63afdc7932dfd0b8417 |
| SHA256 | cb695a193c37be43a14836e3da030913fe13b2eb8e0b301297efc506f9bb1e4f |
| SHA512 | 6428c809e5c6b02540a53fb23f365463e72f7337b05a20b9cab0e8a50ffa6599352b2e51d1bfc4b329610346d8f538b8eb392ebd72e0eab8de4fb08961a5695e |
memory/2764-6-0x0000000000400000-0x000000000041B000-memory.dmp
\??\c:\jcocw\zwvdeg.dll
| MD5 | d44df003cd7b4ddc2b58f66d6af9894a |
| SHA1 | 165234b8432fa410af2e16a286fea52a664bcd46 |
| SHA256 | 3f60f5b141fed70c9db160df1b34aa28c62d9aae480029bee14fbe1f635e07e8 |
| SHA512 | 695266ae7c913291d060c9a7522283d9f113aa05f4105000ec5cd02fb0a102ec74aeee67ad5d660504c1d84c4d2b0eb36de1d551d1aa8bb3b8f06d4a5e509796 |
memory/2012-14-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2012-13-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2012-11-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2012-15-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2012-17-0x0000000010020000-0x0000000010030000-memory.dmp
memory/2012-18-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2012-19-0x0000000010020000-0x0000000010030000-memory.dmp
memory/2012-20-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2012-24-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2012-25-0x0000000010000000-0x0000000010030000-memory.dmp
memory/2012-26-0x0000000010000000-0x0000000010030000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 00:50
Reported
2024-10-26 00:52
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\bhhfk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\bhhfk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\bdbbo\\ahdwcbmw.dll\",DoVirusScan" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\bhhfk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe | N/A |
| N/A | N/A | \??\c:\bhhfk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe
"C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\bhhfk.exe "C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\bhhfk.exe
c:\bhhfk.exe "C:\Users\Admin\AppData\Local\Temp\dd377daa97a93747e845ffbabd0678f29c078bd5464552ba7574a81f7babb254N.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\bdbbo\ahdwcbmw.dll",DoVirusScan c:\bhhfk.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 67.198.215.212:803 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 67.198.215.213:3204 | tcp | |
| US | 67.198.215.214:805 | tcp | |
| US | 67.198.215.214:805 | tcp | |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 67.198.215.214:805 | tcp | |
| US | 67.198.215.213:3204 | tcp | |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 67.198.215.213:3204 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 67.198.215.213:3204 | tcp |
Files
memory/3340-0-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3340-2-0x0000000000400000-0x000000000041B000-memory.dmp
C:\bhhfk.exe
| MD5 | 36cac1878b9f96f38684c8f368acf580 |
| SHA1 | a5ba0c29f317dc8b10b7133e2610acef3c725a39 |
| SHA256 | a95c8392acfbd38ffbeedc214825b52e9b34003b548718f7214f89afa2032b5d |
| SHA512 | 6db866709f203f6a685fb7a312b104414d43fe34cb06892e8e045aa162864fd26c1b1fa2c448f547c6aadf30e06e837ce7ce796b52be45ea4aa3a7c4bd098f7b |
memory/3264-7-0x0000000000400000-0x000000000041B000-memory.dmp
\??\c:\bdbbo\ahdwcbmw.dll
| MD5 | d44df003cd7b4ddc2b58f66d6af9894a |
| SHA1 | 165234b8432fa410af2e16a286fea52a664bcd46 |
| SHA256 | 3f60f5b141fed70c9db160df1b34aa28c62d9aae480029bee14fbe1f635e07e8 |
| SHA512 | 695266ae7c913291d060c9a7522283d9f113aa05f4105000ec5cd02fb0a102ec74aeee67ad5d660504c1d84c4d2b0eb36de1d551d1aa8bb3b8f06d4a5e509796 |
memory/876-10-0x0000000010000000-0x0000000010030000-memory.dmp
memory/876-13-0x0000000010020000-0x0000000010030000-memory.dmp
memory/876-11-0x0000000010000000-0x0000000010030000-memory.dmp
memory/876-14-0x0000000010000000-0x0000000010030000-memory.dmp
memory/876-15-0x0000000010020000-0x0000000010030000-memory.dmp
memory/876-16-0x0000000010000000-0x0000000010030000-memory.dmp
memory/876-18-0x0000000010000000-0x0000000010030000-memory.dmp
memory/876-19-0x0000000010000000-0x0000000010030000-memory.dmp
memory/876-20-0x0000000010000000-0x0000000010030000-memory.dmp