Malware Analysis Report

2024-12-07 20:38

Sample ID 241115-z4ybmswlgl
Target sevkanigger.zip
SHA256 237ef7673a0f6438a7d52f1a127e0cca1a7665f27d8fd3f80258d6a3718a948f
Tags adwind persistence trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

237ef7673a0f6438a7d52f1a127e0cca1a7665f27d8fd3f80258d6a3718a948f

Threat Level: Known bad

The file sevkanigger.zip was found to be: Known bad.

Malicious Activity Summary

adwind persistence trojan

Class file contains resources related to AdWind

AdWind

Adwind family

Adds Run key to start application

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-15 21:16

Signatures

Adwind family

adwind

Class file contains resources related to AdWind

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-15 21:16

Reported

2024-11-15 21:49

Platform

win11-20241007-en

Max time kernel

443s

Max time network

1166s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\start.cmd"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4304 wrote to memory of 688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\start.cmd"

C:\Windows\system32\chcp.com

chcp 65001

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-15 21:16

Reported

2024-11-15 21:47

Platform

win11-20241007-en

Max time kernel

1797s

Max time network

1802s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\sevkanigger.zip"

Signatures

AdWind

trojan adwind

Adwind family

adwind

Class file contains resources related to AdWind

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705459427.tmp" C:\Windows\system32\reg.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\sevkanigger.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar expapasta.jar

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705459427.tmp

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705459427.tmp" /f"

C:\Windows\system32\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705459427.tmp" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp

Files

C:\Users\Admin\Desktop\expensive 3.2 crack\start.cmd

MD5 01b8ed92434e95a011e8e8dacba2fd68
SHA1 d1f538dfbab7a19c792b8325b2e9cbcc3cd9937d
SHA256 59a12fd47b56fa697512484117f37bd4a69b733c44614c13153e955581eb6799
SHA512 ce14085421d4902b300370896048a3e901508def1bdd5158a7df286cbc9de32163e3ef67afe416a5879816915ec75badf6604adaf19218b6343467c9391d1f9a

C:\Users\Admin\Desktop\expensive 3.2 crack\expapasta.jar

MD5 adc85420c269bf5e808f6f703611d57c
SHA1 6b899a737504a4568bd7cd4f7dc5fef7a039958f
SHA256 fba508fae28635f44b9933b276e85e2618f7d05dc7fef1282ff49af32d454a02
SHA512 739b900f29da1c2503781048240f7c73367390a2a55fb2e5be204291c7db941a27f65c77ed8c67b0e5c68e2e35e046a8a51ad3f12a46ff72aaa17887c7408fa9

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-15 21:16

Reported

2024-11-15 21:48

Platform

win11-20241023-en

Max time kernel

1785s

Max time network

1798s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\expapasta.jar"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731705504161.tmp" C:\Windows\system32\reg.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\expensive 3.2 crack\expapasta.jar"

C:\Windows\SYSTEM32\attrib.exe

attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705504161.tmp

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705504161.tmp" /f"

C:\Windows\system32\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705504161.tmp" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 budget-compiled.gl.at.ply.gg udp
US 147.185.221.22:61672 budget-compiled.gl.at.ply.gg tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731705504161.tmp

MD5 adc85420c269bf5e808f6f703611d57c
SHA1 6b899a737504a4568bd7cd4f7dc5fef7a039958f
SHA256 fba508fae28635f44b9933b276e85e2618f7d05dc7fef1282ff49af32d454a02
SHA512 739b900f29da1c2503781048240f7c73367390a2a55fb2e5be204291c7db941a27f65c77ed8c67b0e5c68e2e35e046a8a51ad3f12a46ff72aaa17887c7408fa9
