Malware Analysis Report

2025-04-03 08:56

Sample ID 230121-yzzhgadg24
Target Tradingview_Plus_cln.exe
SHA256 cff56386e4dcfec706cfd98b2590109589904ec8404160fa4b890d3106f2e339
Tags
aurora spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cff56386e4dcfec706cfd98b2590109589904ec8404160fa4b890d3106f2e339

Threat Level: Known bad

The file Tradingview_Plus_cln.exe was found to be: Known bad.

Malicious Activity Summary

aurora spyware stealer

Aurora

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-21 20:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-21 20:14

Reported

2023-01-21 20:16

Platform

win7-20221111-en

Max time kernel

26s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe"

Signatures

Aurora

stealer aurora

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1292 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe
PID 1292 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe
PID 1292 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe
PID 364 wrote to memory of 696 N/A C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe C:\Windows\System32\Wbem\wmic.exe
PID 364 wrote to memory of 696 N/A C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe C:\Windows\System32\Wbem\wmic.exe
PID 364 wrote to memory of 696 N/A C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe C:\Windows\System32\Wbem\wmic.exe
PID 364 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe C:\Windows\system32\cmd.exe
PID 364 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe C:\Windows\system32\cmd.exe
PID 364 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe C:\Windows\system32\cmd.exe
PID 1800 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1800 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1800 wrote to memory of 1768 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 364 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe C:\Windows\system32\cmd.exe
PID 364 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe C:\Windows\system32\cmd.exe
PID 364 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe C:\Windows\system32\cmd.exe
PID 1572 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1572 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1572 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe

"C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe"

C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe

"C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 servicestarting.hopto.org udp
N/A 2.232.150.231:8081 servicestarting.hopto.org tcp

Files

memory/1292-54-0x0000000000820000-0x0000000001412000-memory.dmp

memory/1292-55-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

\Users\Admin\AppData\Roaming\sakjdhasdkj.exe

MD5 9b6a95488caf9f998ee001cf188d50ca
SHA1 bcb8ff47e4d23a90519f5c7feee5a9ad4df8429f
SHA256 fc3729982b726e43ede73556c12d9211ecc249608a0ac938eda6fac43b0e5190
SHA512 d3d769b8bae56122e39e571699ff16071c3d469c65022c48575c93ed4deb48712b9ff79a6fde38dd050b125af5196b984161b63e12d6cf11079be4bdb9c84598

\Users\Admin\AppData\Roaming\sakjdhasdkj.exe

MD5 9b6a95488caf9f998ee001cf188d50ca
SHA1 bcb8ff47e4d23a90519f5c7feee5a9ad4df8429f
SHA256 fc3729982b726e43ede73556c12d9211ecc249608a0ac938eda6fac43b0e5190
SHA512 d3d769b8bae56122e39e571699ff16071c3d469c65022c48575c93ed4deb48712b9ff79a6fde38dd050b125af5196b984161b63e12d6cf11079be4bdb9c84598

C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe

MD5 9b6a95488caf9f998ee001cf188d50ca
SHA1 bcb8ff47e4d23a90519f5c7feee5a9ad4df8429f
SHA256 fc3729982b726e43ede73556c12d9211ecc249608a0ac938eda6fac43b0e5190
SHA512 d3d769b8bae56122e39e571699ff16071c3d469c65022c48575c93ed4deb48712b9ff79a6fde38dd050b125af5196b984161b63e12d6cf11079be4bdb9c84598

memory/364-58-0x0000000000000000-mapping.dmp

memory/696-60-0x0000000000000000-mapping.dmp

memory/1800-61-0x0000000000000000-mapping.dmp

memory/1768-62-0x0000000000000000-mapping.dmp

memory/1572-63-0x0000000000000000-mapping.dmp

memory/1452-64-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-21 20:14

Reported

2023-01-21 20:16

Platform

win10v2004-20221111-en

Max time kernel

144s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe"

Signatures

Aurora

stealer aurora

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe

"C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe"

C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe

"C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 servicestarting.hopto.org udp
N/A 2.232.150.231:8081 servicestarting.hopto.org tcp
N/A 8.248.99.254:80 tcp
N/A 93.184.220.29:80 tcp
N/A 2.232.150.231:8081 servicestarting.hopto.org tcp
N/A 104.208.16.90:443 tcp
N/A 8.248.99.254:80 tcp
N/A 8.248.99.254:80 tcp
N/A 104.80.225.205:443 tcp
N/A 8.247.211.254:80 tcp

Files

memory/4720-132-0x0000000000420000-0x0000000001012000-memory.dmp

memory/4720-133-0x00007FF9D4410000-0x00007FF9D4ED1000-memory.dmp

memory/504-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe

MD5 9b6a95488caf9f998ee001cf188d50ca
SHA1 bcb8ff47e4d23a90519f5c7feee5a9ad4df8429f
SHA256 fc3729982b726e43ede73556c12d9211ecc249608a0ac938eda6fac43b0e5190
SHA512 d3d769b8bae56122e39e571699ff16071c3d469c65022c48575c93ed4deb48712b9ff79a6fde38dd050b125af5196b984161b63e12d6cf11079be4bdb9c84598

C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe

MD5 9b6a95488caf9f998ee001cf188d50ca
SHA1 bcb8ff47e4d23a90519f5c7feee5a9ad4df8429f
SHA256 fc3729982b726e43ede73556c12d9211ecc249608a0ac938eda6fac43b0e5190
SHA512 d3d769b8bae56122e39e571699ff16071c3d469c65022c48575c93ed4deb48712b9ff79a6fde38dd050b125af5196b984161b63e12d6cf11079be4bdb9c84598

memory/4720-137-0x00007FF9D4410000-0x00007FF9D4ED1000-memory.dmp

memory/1032-138-0x0000000000000000-mapping.dmp

memory/344-139-0x0000000000000000-mapping.dmp

memory/3472-140-0x0000000000000000-mapping.dmp

memory/3252-141-0x0000000000000000-mapping.dmp

memory/4988-142-0x0000000000000000-mapping.dmp