Malware Analysis Report

2024-12-07 02:01

Sample ID 241111-x6dnxatlds
Target 1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe
SHA256 e5044395f4432ea349408a6e5f835567d7c38b6e6030ee31633469e02ebb669b
Tags
bootkit discovery persistence spyware stealer upx
score
8/10

Analysis Overview

score
8/10

SHA256

e5044395f4432ea349408a6e5f835567d7c38b6e6030ee31633469e02ebb669b

Threat Level: Likely malicious

The file 1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence spyware stealer upx

Blocklisted process makes network request

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

Deletes itself

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Enumerates connected drives

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 19:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 19:27

Reported

2024-11-11 19:29

Platform

win7-20241010-en

Max time kernel

112s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\lfkgi.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\lfkgi.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\wcinv\\xwcvg.dll\",init" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\lfkgi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe N/A
N/A N/A \??\c:\lfkgi.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2184 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\lfkgi.exe
PID 2248 wrote to memory of 2992 N/A \??\c:\lfkgi.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe

"C:\Users\Admin\AppData\Local\Temp\1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\lfkgi.exe "C:\Users\Admin\AppData\Local\Temp\1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\lfkgi.exe

c:\lfkgi.exe "C:\Users\Admin\AppData\Local\Temp\1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\wcinv\xwcvg.dll",init c:\lfkgi.exe

Network

Country Destination Domain Proto
US 67.198.215.212:803 tcp
US 67.198.215.213:3204 tcp
US 67.198.215.214:805 tcp

Files

memory/2500-0-0x0000000000400000-0x0000000000417000-memory.dmp

memory/2500-2-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\lfkgi.exe

MD5 bc2d7c682355ef2522249f40b98545da
SHA1 9992b8251225d5a4ce9ad624c309960a294ac051
SHA256 dc55eb50a266fb509094f445634b149b78e866f8b212a2b83a6a7f23caebb28b
SHA512 0e4fa91ba410092f0ae33823ea5e97108d4e665eb1948eedf278a3a566fa962235b41a83f65e6a3d40acfaddc4846ef00374c46b8b29b987f2a1a2262423ddd8

memory/2184-4-0x0000000000120000-0x0000000000137000-memory.dmp

memory/2248-7-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\wcinv\xwcvg.dll

MD5 42fe886bcb6460f7c2a46e21ecac5da6
SHA1 7d9a1c9fe17121cf61444da965f29e974a95ede2
SHA256 b6bc7902da0250f6ca920b35b222f6a0fe62102caf05d2a1722c4d3b225a0a9e
SHA512 3d1a7dc1d9ca8a4376302ba20df584ad59b98e0d3b18b06b22d7f5a455833ce124e412fc1922a3b704dcbafa31987cda3115c9a71dd6299683502cebae33567c

memory/2992-15-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2992-14-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2992-12-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2992-16-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2992-21-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2992-22-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2992-23-0x0000000010000000-0x0000000010024000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 19:27

Reported

2024-11-11 19:29

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\twpjvu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\twpjvu.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\rehiob\\tlhic.dll\",init" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\twpjvu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe N/A
N/A N/A \??\c:\twpjvu.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe

"C:\Users\Admin\AppData\Local\Temp\1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\twpjvu.exe "C:\Users\Admin\AppData\Local\Temp\1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\twpjvu.exe

c:\twpjvu.exe "C:\Users\Admin\AppData\Local\Temp\1ef6359bccac00b5eaa6cbd8b98d93138706245da928acf387916641ec62c555N.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\rehiob\tlhic.dll",init c:\twpjvu.exe

Network

Country Destination Domain Proto
US 67.198.215.212:803 tcp
US 67.198.215.213:3204 tcp
US 67.198.215.214:805 tcp

Files

memory/1724-0-0x0000000000400000-0x0000000000417000-memory.dmp

memory/1724-2-0x0000000000400000-0x0000000000417000-memory.dmp

C:\twpjvu.exe

MD5 5aca5d6dc3c5900fedfec42484bce46a
SHA1 c4d0ae9f84a08371693fc4e06e4e885363a15d79
SHA256 8fc0bdbe6679824ace63bc68a9232c68f51a24b4d962ccdc0abe1d3b99aab352
SHA512 84cfbfc4e15bbb11f92e6c005bb5a5bc13d391f43629183aff8790631d98bfd7422038b78b7860bc965254043181403a072c7dc3972482a2015e5afe28529a44

memory/4484-7-0x0000000000400000-0x0000000000417000-memory.dmp

\??\c:\rehiob\tlhic.dll

MD5 42fe886bcb6460f7c2a46e21ecac5da6
SHA1 7d9a1c9fe17121cf61444da965f29e974a95ede2
SHA256 b6bc7902da0250f6ca920b35b222f6a0fe62102caf05d2a1722c4d3b225a0a9e
SHA512 3d1a7dc1d9ca8a4376302ba20df584ad59b98e0d3b18b06b22d7f5a455833ce124e412fc1922a3b704dcbafa31987cda3115c9a71dd6299683502cebae33567c

memory/2440-10-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2440-11-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2440-13-0x0000000010000000-0x0000000010024000-memory.dmp

memory/2440-15-0x0000000010000000-0x0000000010024000-memory.dmp