Analysis Overview
SHA256
1ae89027de50d26946c2923435726edc6d8cba3cb93ea5154ee93ba60aacf710
Threat Level: Known bad
The file c77fe1a6c83785cd02e105a7ff648010N.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Deletes itself
UPX packed file
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 16:48
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 16:47
Reported
2024-08-13 16:50
Platform
win10v2004-20240802-en
Max time kernel
115s
Max time network
108s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sycyg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\jiripu.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sycyg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jiripu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yfjox.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sycyg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jiripu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yfjox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe
"C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe"
C:\Users\Admin\AppData\Local\Temp\sycyg.exe
"C:\Users\Admin\AppData\Local\Temp\sycyg.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\jiripu.exe
"C:\Users\Admin\AppData\Local\Temp\jiripu.exe" OK
C:\Users\Admin\AppData\Local\Temp\yfjox.exe
"C:\Users\Admin\AppData\Local\Temp\yfjox.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\sycyg.exe
| MD5 | 09c149687b3cd19755db001e301bb958 |
| SHA1 | 87e11584429f065c01450aa398221465848e929e |
| SHA256 | 6c6899a58b83971526ae7474e725034fd63699586a8e0c7eee9f84625343c05d |
| SHA512 | fdcf7ac36f0b08e75b4575db6825be1ceb961cec16448309ffd6078f23a32a8da538ce15cae6bfa4e9dc8b460a57e99345ec235789026c9b045e4e4d7328e3a5 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | c867c89d1ec7719c3d9a63fff31881e0 |
| SHA1 | 5653a2011d6c3b41276d06f3e88af87cf011dd5a |
| SHA256 | f919a8a11787792d222c2425158bd9b741446bdeb488dd4426f04d5a20c31685 |
| SHA512 | 4864aba5927a9062a2d799a019f7079d440e2db59aea51224e017f142990bf1a834766812b0a5416d6e3d26c7e168901f027b613fc1e61576ffaecd71db0f31a |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 69454f789f0d0c071c6d9a8e6417fc7e |
| SHA1 | 88028cd99d6e086dc86984968e54bf918c685cd3 |
| SHA256 | f533dd5be6580a670302efcdb3580966ee2b6ee8fa09fd8acf5d405814ef2661 |
| SHA512 | 6fe29f8dd9933bbc50d2ba9638da75882777cc9f0708a327b7714d2b03e6b5d1b5aa94b99db424321ff493eb2d64bc6201181d4c0375531e321ed7fb6472af78 |
C:\Users\Admin\AppData\Local\Temp\yfjox.exe
| MD5 | 90e39a799e0f6f039acd46213ce4be0a |
| SHA1 | cdf5cca639a15cc971a013751f229617dd8307c4 |
| SHA256 | e58b161b2fafbfe0bb810b4fdca9a753ab3918f01595da46dcd89b57e25fc458 |
| SHA512 | 855ad67f0b4dd5102bb26874a699049fddecf33ab15a4a66e0dc7631ee5b8c8f83adaa70524dafeccff0c607a0fb5c1e851784884fdbed50ad45cda576386dee |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 0e98e99a8528f48404170366b03c3802 |
| SHA1 | 574bb3f2cc4e2ce64c0dab36887765ed4905c026 |
| SHA256 | 44248028bcfcf46aa99ee6181b47ace3ce819dd22f8e85feb87e7f5adb33e95a |
| SHA512 | 3ee72a799e9339e2fb42204cc282156a55090581f5c2858857a584bdd1a5607336a3efcdcb6e741f4756c3e3f5897bcae0045f7b7902a6f7469d290cc8ceb33c |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 16:47
Reported
2024-08-13 16:50
Platform
win7-20240708-en
Max time kernel
117s
Max time network
93s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuhor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyudvu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qucoj.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuhor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuhor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyudvu.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zuhor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kyudvu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qucoj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuhor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyudvu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qucoj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qucoj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qucoj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qucoj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qucoj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qucoj.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe
"C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe"
C:\Users\Admin\AppData\Local\Temp\zuhor.exe
"C:\Users\Admin\AppData\Local\Temp\zuhor.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\kyudvu.exe
"C:\Users\Admin\AppData\Local\Temp\kyudvu.exe" OK
C:\Users\Admin\AppData\Local\Temp\qucoj.exe
"C:\Users\Admin\AppData\Local\Temp\qucoj.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\zuhor.exe
| MD5 | 0fc9b18c26b3f7f8aeee22e9d8580984 |
| SHA1 | 279dd966d5aac1b9ba962e1aff6953a9a181296b |
| SHA256 | d48616dad3b8125af022f41b335bac62b7480501d10f34001656330fc502ef1d |
| SHA512 | 6c810a20538f011523b7b68ad5f83681531993760be90e8d0c2337f3e02bff68f9e6c67fe5b6ff81c1571237054a21271cbe66a02d05e87fbccd586af4badc27 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | c867c89d1ec7719c3d9a63fff31881e0 |
| SHA1 | 5653a2011d6c3b41276d06f3e88af87cf011dd5a |
| SHA256 | f919a8a11787792d222c2425158bd9b741446bdeb488dd4426f04d5a20c31685 |
| SHA512 | 4864aba5927a9062a2d799a019f7079d440e2db59aea51224e017f142990bf1a834766812b0a5416d6e3d26c7e168901f027b613fc1e61576ffaecd71db0f31a |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 8f680889cdf5e9c3cc885a33b948708d |
| SHA1 | 6cc8d96006ca68615a1f5a5bdbeec071320e4972 |
| SHA256 | 849ee07c82c24446131ef488b5346ae9e4488d4ba3a0b5967774b3fa42e845e2 |
| SHA512 | 3e9a00873ec35e70455ac1848797539dc76055d9704dce3b373cba10b6eb4950641941d22564207538307d3e9d9b480a30b2806ee06faba9738e293895a00b5f |
\Users\Admin\AppData\Local\Temp\qucoj.exe
| MD5 | 47780aeefc4603a1dc2a5c2b750dc025 |
| SHA1 | 72f91e268fe233b67bc2c89d4abffc9dfbd238ac |
| SHA256 | 48b6fd89ebb23d121b98d20a410e3755543137496614a3bf5aa9986ffb1d39f6 |
| SHA512 | 7f7fb404fa93a393f6bd1b3b28497b8cb300eac8254fdeffa6127b929fc54fd7f7304270d484242b184751fcc625b0d78db161c0886e36d52ec8f69607b852c2 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 8adaca7aa26ed13ed2a4eef0dca4e20d |
| SHA1 | 8040fa3a202b266ed1776e6c96e87e76939e4b7f |
| SHA256 | 21e9934f338efa285de25627879509917a78e9afd48f17dce6b85f6b32213967 |
| SHA512 | 15e59f841b0b8c651e0896d8ca96c6883ea2ad393d31adb3bef3a4274a620ce8c97711aff345515fd27272718fc7e6bfd04902771f5056bb4ef9a8642dfcf542 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |