Malware Analysis Report

2024-10-23 19:42

Sample ID 240129-ce42kahaaj
Target payment receipts.exe
SHA256 0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8
Tags
darkcloud stealer
score
10/10

Analysis Overview

score
10/10

SHA256

0414ef0adb12bfe054d85f9196cee419bee6a7692187d83239bd5f8ee867c4c8

Threat Level: Known bad

The file payment receipts.exe was found to be: Known bad.

Malicious Activity Summary

darkcloud stealer

DarkCloud

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-29 02:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-29 02:00

Reported

2024-01-29 02:02

Platform

win7-20231215-en

Max time kernel

143s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"

Signatures

DarkCloud

stealer darkcloud

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1992 set thread context of 2584 N/A C:\Users\Admin\AppData\Local\Temp\payment receipts.exe C:\Users\Admin\AppData\Local\Temp\payment receipts.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\payment receipts.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\payment receipts.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\payment receipts.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\payment receipts.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\payment receipts.exe C:\Windows\SysWOW64\schtasks.exe
PID 1992 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\payment receipts.exe C:\Users\Admin\AppData\Local\Temp\payment receipts.exe

Processes

C:\Users\Admin\AppData\Local\Temp\payment receipts.exe

"C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UbaskbOLQNa.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbaskbOLQNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB8E3.tmp"

C:\Users\Admin\AppData\Local\Temp\payment receipts.exe

"C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmpB8E3.tmp

MD5 463cd327d3e513344550f47f1a84e4b0
SHA1 cab2121180c408fe2b13e0763f6eafad10fb8a4a
SHA256 985f73850f31683037816aa9b2bada09230a3231f1a427ccd695b02ab270dcdf
SHA512 cb6cdbd06cb8a204be1bc7835aa8b0d9aeca6697c349b4a30ed7978576a57813bd4ac7942fda873f5bde7c5772419a206833a5688cf89c41f9058d1ce847b707

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 59bf2f4d6b2d30afc4eb15e5b02c7a33
SHA1 a1cae98570e728c2f772fd7a3abd59197a29bd32
SHA256 6207e0c0c893e4bbea11a5d7e53cffc7ebdc04d97db6bc466b33ca517621f48b
SHA512 8b00b710e8b608de374b835a5e0c4d215e2b0ec4338ca24527bd62bfbbb41756deca66362ed41bae9a7939cff289a2471ba6ba49a7dd88aeeccc7981f9ceb0d6

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-29 02:00

Reported

2024-01-29 02:02

Platform

win10v2004-20231215-en

Max time kernel

136s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"

Signatures

DarkCloud

stealer darkcloud

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\payment receipts.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4120 set thread context of 4320 N/A C:\Users\Admin\AppData\Local\Temp\payment receipts.exe C:\Users\Admin\AppData\Local\Temp\payment receipts.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\payment receipts.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\payment receipts.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4120 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\payment receipts.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4120 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\payment receipts.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4120 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\payment receipts.exe C:\Windows\SysWOW64\schtasks.exe
PID 4120 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\payment receipts.exe C:\Users\Admin\AppData\Local\Temp\payment receipts.exe

Processes

C:\Users\Admin\AppData\Local\Temp\payment receipts.exe

"C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbaskbOLQNa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF0C.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UbaskbOLQNa.exe"

C:\Users\Admin\AppData\Local\Temp\payment receipts.exe

"C:\Users\Admin\AppData\Local\Temp\payment receipts.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1vh4tcbw.urp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmpAF0C.tmp

MD5 d6df7fce9939282976ea58139ee301b5
SHA1 ad5b965058b319357def06f59aa779ff975d2a31
SHA256 430a1f95d93cf9fecf9c5357aebd8b3de32259802e575f1b12a84cdc8a83946f
SHA512 538de3a90b23222113d674e417bbd6ed19d696d9ca73df8efac4bb79f540f0fd2d2d071ae83285c806ec3c0f47066e061f7831f76c3a9555914e8331c7bb0276

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 02589664e9c19fc3464143eb02ee6c74
SHA1 db147ba9c9825c6da7e3734e279d58eed478784b
SHA256 8d331ffaa5305613125c0adf8e8480222f68dd52793c6ffed4f790f0dafb61e6
SHA512 bb299f4bb3aa8b09db1de5aba067dd910139df8ee89939c4772a25f2c35d2a08e27e00ec6b33a8477d0d880d25036cd57c926a9cb14c68d6323cca80ee3ba3ec
