Analysis Overview
SHA256
ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8
Threat Level: Known bad
The file ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8 was found to be: Known bad.
Malicious Activity Summary
SystemBC
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Checks BIOS information in registry
Identifies Wine through registry keys
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2022-11-10 22:18
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-10 22:18
Reported
2022-11-10 22:23
Platform
win7-20220812-en
Max time kernel
199s
Max time network
269s
Signatures
SystemBC
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\uotw\oloi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\uotw\oloi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\uotw\oloi.exe | N/A |
| N/A | N/A | C:\ProgramData\uotw\oloi.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\uotw\oloi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\uotw\oloi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\uotw\oloi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\uotw\oloi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine | C:\ProgramData\uotw\oloi.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine | C:\ProgramData\uotw\oloi.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| N/A | N/A | C:\ProgramData\uotw\oloi.exe | N/A |
| N/A | N/A | C:\ProgramData\uotw\oloi.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Tasks\oloi.job | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| File created | C:\Windows\Tasks\oloi.job | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| N/A | N/A | C:\ProgramData\uotw\oloi.exe | N/A |
| N/A | N/A | C:\ProgramData\uotw\oloi.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1296 wrote to memory of 1108 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe |
| PID 1296 wrote to memory of 1108 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe |
| PID 1296 wrote to memory of 1108 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe |
| PID 1296 wrote to memory of 1108 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe |
| PID 1296 wrote to memory of 1488 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe |
| PID 1296 wrote to memory of 1488 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe |
| PID 1296 wrote to memory of 1488 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe |
| PID 1296 wrote to memory of 1488 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe
"C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {D866A0C4-298C-4D01-9105-63ACF69D5917} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
C:\ProgramData\uotw\oloi.exe
C:\ProgramData\uotw\oloi.exe start2
C:\ProgramData\uotw\oloi.exe
C:\ProgramData\uotw\oloi.exe start2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cryptotab.me | udp |
| US | 23.94.163.16:4001 | cryptotab.me | tcp |
Files
C:\ProgramData\uotw\oloi.exe
| MD5 | 2175015fd052eac3d6feef4e4ad1bd07 |
| SHA1 | 5a2e91427ede9e558c02ee7186ff68aa491d6def |
| SHA256 | ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8 |
| SHA512 | 1429ae1523856b4bb2c161204d6394235e7df0c1427202dec7745c814dc22feb06da6b6c0c89aa6fc395a5042357720208a509fccf9a785526a1adb6cf0c6c82 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-10 22:18
Reported
2022-11-10 22:23
Platform
win10-20220812-en
Max time kernel
198s
Max time network
267s
Signatures
SystemBC
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
| N/A | N/A | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Wine | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Wine | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| N/A | N/A | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
| N/A | N/A | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\hdowa.job | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| File opened for modification | C:\Windows\Tasks\hdowa.job | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A |
| N/A | N/A | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
| N/A | N/A | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
| N/A | N/A | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
| N/A | N/A | C:\ProgramData\dqwnjk\hdowa.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe
"C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe"
C:\ProgramData\dqwnjk\hdowa.exe
C:\ProgramData\dqwnjk\hdowa.exe start2
C:\ProgramData\dqwnjk\hdowa.exe
C:\ProgramData\dqwnjk\hdowa.exe start2
Network
| Country | Destination | Domain | Proto |
| FR | 51.11.192.50:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | cryptotab.me | udp |
| US | 23.94.163.16:4001 | cryptotab.me | tcp |
Files
C:\ProgramData\dqwnjk\hdowa.exe
| MD5 | 2175015fd052eac3d6feef4e4ad1bd07 |
| SHA1 | 5a2e91427ede9e558c02ee7186ff68aa491d6def |
| SHA256 | ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8 |
| SHA512 | 1429ae1523856b4bb2c161204d6394235e7df0c1427202dec7745c814dc22feb06da6b6c0c89aa6fc395a5042357720208a509fccf9a785526a1adb6cf0c6c82 |