Analysis Overview
SHA256
6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af
Threat Level: Known bad
The file 6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe was found to be: Known bad.
Malicious Activity Summary
Maze
Deletes shadow copies
Windows Defender anti-emulation file check
Drops startup file
Reads user/profile data of web browsers
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-10-12 12:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-12 12:57
Reported
2023-10-16 03:42
Platform
win10v2004-20230915-en
Max time kernel
170s
Max time network
180s
Command Line
Signatures
Maze
Deletes shadow copies
Windows Defender anti-emulation file check
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\aaa_TouchMeNot_.txt | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5vxz0.tmp | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\5vxz0.tmp | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5100 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 5100 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | C:\Windows\system32\wbem\wmic.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe
"C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\lqcnq\wg\oq\..\..\..\Windows\jy\..\system32\afik\pdmcn\rlx\..\..\..\wbem\fb\oexer\lvab\..\..\..\wmic.exe" shadowcopy delete
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.209.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| US | 8.8.8.8:53 | 4.114.218.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.11:80 | 91.218.114.11 | tcp |
| RU | 91.218.114.11:80 | 91.218.114.11 | tcp |
| RU | 91.218.114.25:80 | 91.218.114.25 | tcp |
| RU | 91.218.114.26:80 | tcp | |
| US | 8.8.8.8:53 | 11.114.218.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.114.218.91.in-addr.arpa | udp |
| RU | 91.218.114.26:80 | tcp | |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.11:80 | 91.218.114.11 | tcp |
| RU | 91.218.114.25:80 | 91.218.114.25 | tcp |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.32:80 | tcp | |
| RU | 91.218.114.32:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.37:80 | 91.218.114.37 | tcp |
| RU | 91.218.114.38:80 | tcp | |
| US | 8.8.8.8:53 | 37.114.218.91.in-addr.arpa | udp |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.32:80 | tcp | |
| RU | 91.218.114.32:80 | tcp |
Files
memory/5100-0-0x0000000000CD0000-0x0000000000D2D000-memory.dmp
memory/5100-5-0x0000000000CD0000-0x0000000000D2D000-memory.dmp
memory/5100-7-0x0000000000CD0000-0x0000000000D2D000-memory.dmp
memory/5100-8-0x0000000000CD0000-0x0000000000D2D000-memory.dmp
memory/5100-12-0x0000000000CD0000-0x0000000000D2D000-memory.dmp
C:\$Recycle.Bin\DECRYPT-FILES.txt
| MD5 | a3ec0f3fac005b100860d9340e5a939c |
| SHA1 | ecff713ad9d548b5442b40ca1a64fdb327627527 |
| SHA256 | 0eaeaa113927f69844e18ef301c2a0e7a0ecd30cd298dd60a23c1ce7feb178ad |
| SHA512 | 6fcf98c2751e7c34cd495f7587329ba0b068ee670facc29c71af494d909c339d8291c5552e39ce4d83422b78618a0c326707c920589dd3c451e5ce42dd7d7bca |
memory/5100-769-0x0000000000CD0000-0x0000000000D2D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-12 12:57
Reported
2023-10-16 03:42
Platform
win7-20230831-en
Max time kernel
157s
Max time network
165s
Command Line
Signatures
Maze
Deletes shadow copies
Windows Defender anti-emulation file check
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\aaa_TouchMeNot_.txt | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sg6bwrs.tmp | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1820 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1820 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1820 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 1820 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe | C:\Windows\system32\wbem\wmic.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe
"C:\Users\Admin\AppData\Local\Temp\6a22220c0fe5f578da11ce22945b63d93172b75452996defdc2ff48756bde6af.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbem\wmic.exe
"C:\wfvdb\..\Windows\u\..\system32\ne\..\wbem\svul\xjic\..\..\wmic.exe" shadowcopy delete
Network
| Country | Destination | Domain | Proto |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.11:80 | 91.218.114.11 | tcp |
| RU | 91.218.114.11:80 | 91.218.114.11 | tcp |
| RU | 91.218.114.25:80 | 91.218.114.25 | tcp |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.4:80 | 91.218.114.4 | tcp |
| RU | 91.218.114.11:80 | 91.218.114.11 | tcp |
| RU | 91.218.114.25:80 | 91.218.114.25 | tcp |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.26:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.32:80 | tcp | |
| RU | 91.218.114.32:80 | tcp | |
| RU | 91.218.114.32:80 | tcp | |
| RU | 91.218.114.37:80 | 91.218.114.37 | tcp |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.31:80 | tcp | |
| RU | 91.218.114.32:80 | tcp | |
| RU | 91.218.114.32:80 | tcp | |
| RU | 91.218.114.32:80 | tcp | |
| RU | 91.218.114.37:80 | 91.218.114.37 | tcp |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.38:80 | tcp | |
| RU | 91.218.114.77:80 | tcp |
Files
memory/1820-0-0x0000000000180000-0x00000000001DD000-memory.dmp
memory/1820-5-0x0000000000180000-0x00000000001DD000-memory.dmp
memory/1820-7-0x0000000000180000-0x00000000001DD000-memory.dmp
memory/1820-11-0x0000000000180000-0x00000000001DD000-memory.dmp
C:\Users\DECRYPT-FILES.txt
| MD5 | 66ef1014cc66a5f28bac3edc38b37238 |
| SHA1 | ca57d5eabe24a903ccbf53b216b45dfac8e384d3 |
| SHA256 | 805040519533462a8f0e1016371aaafd6422d9c15ce4494726a0738e9cf998e6 |
| SHA512 | 2ee58e756191e170747d0ffd26a09a823153961d9b63da86869ba69be18611fb404c259a89d468093063f5688abb01c657b09d07f5c6aea05c91ed6e82de38f1 |
memory/1820-823-0x0000000000180000-0x00000000001DD000-memory.dmp