Malware Analysis Report

2025-08-05 13:59

Sample ID 210515-sm9xjqrpr6
Target 2.exe
SHA256 9561ae1eae830aed3ade4c339faac7240320f6a01e203b5c0521a9ed09e686fd
Tags cryptbot discovery spyware stealer
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 2.exe was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery spyware stealer

CryptBot

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates physical storage devices

Delays execution with timeout.exe

Runs ping.exe

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2021-05-15 15:04

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2021-05-15 15:04
Reported 2021-05-15 15:09
Platform win10v20210408
Max time kernel 120s
Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2.exe"

Signatures

CryptBot

spyware stealer cryptbot

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com N/A

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4804 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\2.exe C:\Windows\SysWOW64\cmd.exe
PID 3300 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 4172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3440 wrote to memory of 4168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com
PID 3440 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4168 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com
PID 512 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Osi.wks

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^LiUOCkNiYaUJhgUGDJZrloHmYxLqOcYNmCEuaoPGLxSLfVHkLUkImvvDmxPiAMzDxupLKNhcTaaPdWleNmgTpdgeuwGYzIyYqgdoLWBXGQOutGjDpMzqnmzrSiE$" Ero.wks

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com

Presto.exe.com s

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 30

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com s

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com"

C:\Windows\SysWOW64\timeout.exe

timeout 3

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 iXmOrOGftABUhdEsRQdO.iXmOrOGftABUhdEsRQdO udp
N/A 8.8.8.8:53 remurm61.top udp
N/A 8.8.8.8:53 mortlk06.top udp

Files

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Osi.wks

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ero.wks

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nemica.wks

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\s

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sembrava.wks

C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW\files_\SYSTEM~1.TXT

C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW\files_\SCREEN~1.JPG

C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW\CMRVUW~1.ZIP

C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW\_Files\_SCREE~1.JPE

C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW\_Files\_INFOR~1.TXT

C:\Users\Admin\AppData\Local\Temp\ZPjaKqnxdgdsW\RMIKFZ~1.ZIP

Analysis: behavioral1

Detonation Overview

Submitted 2021-05-15 15:04
Reported 2021-05-15 15:09
Platform win7v20210410
Max time kernel 34s
Max time network 11s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\2.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1728 wrote to memory of 1856 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com
PID 1728 wrote to memory of 1720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Osi.wks

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^LiUOCkNiYaUJhgUGDJZrloHmYxLqOcYNmCEuaoPGLxSLfVHkLUkImvvDmxPiAMzDxupLKNhcTaaPdWleNmgTpdgeuwGYzIyYqgdoLWBXGQOutGjDpMzqnmzrSiE$" Ero.wks

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com

Presto.exe.com s

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 30

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Osi.wks

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ero.wks

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nemica.wks

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Presto.exe.com