Malware Analysis Report

2024-09-23 04:46

Sample ID 230129-ty2h8afa8y
Target c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6
SHA256 c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6
Tags
qulab discovery ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6

Threat Level: Known bad

The file c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6 was found to be: Known bad.

Malicious Activity Summary

qulab discovery ransomware spyware stealer upx

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

AutoIT Executable

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Script User-Agent

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-01-29 16:28

Signatures

AutoIT Executable


Analysis: behavioral1

Detonation Overview

Submitted

2023-01-29 16:28

Reported

2023-01-29 16:31

Platform

win7-20220901-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.module.exe N/A

UPX packed file

upx

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe
PID 2036 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.module.exe
PID 1988 wrote to memory of 1956 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe
PID 1988 wrote to memory of 900 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe

"C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.module.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\ENU_687FE975163BE92E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\1\*"

C:\Windows\system32\taskeng.exe

taskeng.exe {578F13C7-B993-417F-9356-F9BA17FDEB75} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.telegram.org udp
N/A 8.8.8.8:53 ipapi.co udp
N/A 172.67.69.226:443 ipapi.co tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 89.191.233.38:65233 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-01-29 16:28

Reported

2023-01-29 16:32

Platform

win10v2004-20221111-en

Max time kernel

158s

Max time network

179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.module.exe N/A

UPX packed file

upx

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe

"C:\Users\Admin\AppData\Local\Temp\c67cb51af4f82de8abd1ccae0594aaadbc5a0cf0200064f66ce6e2579c6a1ad6.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.module.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\ENU_801FE97447113F3E9D41.7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\1\*"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-n..line-tool.resources\odexl32.exe

Network

Country Destination Domain Proto
N/A 72.21.91.29:80 tcp
N/A 84.53.175.11:80 tcp
N/A 20.189.173.3:443 tcp
N/A 8.8.8.8:53 api.telegram.org udp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 8.8.8.8:53 ipapi.co udp
N/A 104.26.9.44:443 ipapi.co tcp
N/A 104.80.225.205:443 tcp
N/A 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
N/A 104.26.9.44:443 ipapi.co tcp
N/A 8.8.8.8:53 d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa udp
N/A 104.26.8.44:443 ipapi.co tcp
N/A 96.16.53.137:80 tcp
N/A 172.67.69.226:443 ipapi.co tcp
N/A 149.154.167.220:443 api.telegram.org tcp
N/A 89.191.233.38:65233 tcp

Files
