Analysis Overview
SHA256
e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3
Threat Level: Known bad
The file e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3 was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
UPX packed file
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-07 04:03
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 04:03
Reported
2024-08-07 04:05
Platform
win7-20240704-en
Max time kernel
147s
Max time network
126s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qyycd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uczeif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bofef.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qyycd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uczeif.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qyycd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uczeif.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bofef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qyycd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uczeif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bofef.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe
"C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe"
C:\Users\Admin\AppData\Local\Temp\qyycd.exe
"C:\Users\Admin\AppData\Local\Temp\qyycd.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\uczeif.exe
"C:\Users\Admin\AppData\Local\Temp\uczeif.exe" OK
C:\Users\Admin\AppData\Local\Temp\bofef.exe
"C:\Users\Admin\AppData\Local\Temp\bofef.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\qyycd.exe
| MD5 | 3e2d058553e14876e76dd477f74ebe94 |
| SHA1 | 64dca8e5959278af48a5aa32dde9f9fabddc00ce |
| SHA256 | 305ca66a2174ceb3177b0f3b01a7e41a70fccb5e1f85c68c4d5e66be523a7f6f |
| SHA512 | 5768f2ad4a216cd7168fad6d702d7e6dededde0304de5cba3ab462b1d7fd0d73227e68982871e3e79535435ade56fbd5c69c7a45527160d866f922c831722af3 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 97dcfa2576fd07b0297c2f6f10bf4bd5 |
| SHA1 | 5cef9dfb7c8d0daf2f4b1c0cd11ee9173445769d |
| SHA256 | 29445118d03cee0fae50bd6bbad695fee514206264f77ad9e8a530171e49807d |
| SHA512 | f508987ef9a1e17646914b5af8ad7de379a0089a0010ce2d3a0b80de34eb99ffee4861cd144b3d7a86f2b380de4fcdabb0e9e2af07248dded3e777236301e323 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 903c0424cd1a108eccb1ab1132db601b |
| SHA1 | 2ce72e5c0313c1c6596835768417be0e443470a7 |
| SHA256 | da4339bea633de40e4383c324948b13cc5411d3a8c818c86fb1d6facc0b47eb8 |
| SHA512 | 50057c4f6b1b965e0ca98471689eba2291bee7bd3c7093cea78d51a51a209413b44d44f0eb24e82bbf07d0b26232941cf228941ec71ebdb315c22b46991f7ae8 |
\Users\Admin\AppData\Local\Temp\bofef.exe
| MD5 | 1a74710f3155a9ed432ecc7fc34dd4b3 |
| SHA1 | d789cc453a146300d840cc02c341fcbd8f7d5ed9 |
| SHA256 | 9e701fbc2286f5dd8ed033ab340e897dc88448a4294d5da48ead717867c5910a |
| SHA512 | fd37305251331c3a021aed37b79f7d1ad8a16de2e76897c8c0a43342fdd1b4be6fb4f9db3424ce04989c75b2714fc0e39201309aaf9e44bcb8262ee0b1c55423 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 0d1c6034a1090fc2c28d488fb0f56b1a |
| SHA1 | 9b5d1440547c047a2ccd761f63ac609ca04d91af |
| SHA256 | ed83d2618b9dbafed85b27e1b78d6c1f56c972340c5f428a8b6fbc33092042b2 |
| SHA512 | d8aa66e7cc8ec880db6958e60d64bd25358fa4b03b798cb34e3075cc636a321580727d31c83d89988fd96a501d7ae15d91471531ab4907e2713d53240978d72d |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 04:03
Reported
2024-08-07 04:05
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\joepy.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\joepy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\joepy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe
"C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe"
C:\Users\Admin\AppData\Local\Temp\joepy.exe
"C:\Users\Admin\AppData\Local\Temp\joepy.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\qeqixi.exe
"C:\Users\Admin\AppData\Local\Temp\qeqixi.exe" OK
C:\Users\Admin\AppData\Local\Temp\zymav.exe
"C:\Users\Admin\AppData\Local\Temp\zymav.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\joepy.exe
| MD5 | 5807dc63a25d07d9d8dc7d740f88d9ff |
| SHA1 | b0bedeb4829f1a88e660e23cd2738f49cf73ec05 |
| SHA256 | 751a380cb2b6bba7b2d82dacdc57258842b42f2f0b5c38044f5bf6fbf762b718 |
| SHA512 | e2ac0b3e693c7dd8cf1a955954bed4e71c8e78f65ea92dac747c9150b97b082488515343536f7595f0321e8a859ddba598b8e62e51380ac9a4622b68f52add7a |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 97dcfa2576fd07b0297c2f6f10bf4bd5 |
| SHA1 | 5cef9dfb7c8d0daf2f4b1c0cd11ee9173445769d |
| SHA256 | 29445118d03cee0fae50bd6bbad695fee514206264f77ad9e8a530171e49807d |
| SHA512 | f508987ef9a1e17646914b5af8ad7de379a0089a0010ce2d3a0b80de34eb99ffee4861cd144b3d7a86f2b380de4fcdabb0e9e2af07248dded3e777236301e323 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 433f9470cdee864f3a73653a46db9421 |
| SHA1 | d7cc4ad83bde83cfabf0eb3bfd79dff4f0a0f0b2 |
| SHA256 | f4cdc192c6611038f96628258b71ba7cdcb2a6787ff18c2f50d3b9d136de0e85 |
| SHA512 | 51efb2d633529f37bbdafc1773a9ab306a67f6b8e504770e0aab1335e44713d60e7a70a758916c64170cee9354a72d11c16d0f2be2f842267618ccd597bebb49 |
C:\Users\Admin\AppData\Local\Temp\zymav.exe
| MD5 | ed0504351c0cdda57db5b931880c4647 |
| SHA1 | 9f3eee02ee8e8a3c56731cfc5a74a3f3a04241db |
| SHA256 | 88cf9236a6e132a0e598fc46698f8d20d0cdda865b8e1865f7aaba3b240af153 |
| SHA512 | 7693ccb87abe50745077b6a40f0d5d2b1db81fda3ad760a02e73c2d1faec86dcfa3a7af2b47fb66598e44e62cdc8c0617378801e3629b6039e04c3208ebe23f7 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |