Analysis Overview
SHA256
af5eb7b86d17c4a4df7aadc1c391c015e5d95e4fca69a7ab223582f07f0002d1
Threat Level: Known bad
The file r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.bin was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
StormKitty
Stormkitty family
Downloads MZ/PE file
Deletes itself
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Kills process with taskkill
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-23 19:03
Signatures
StormKitty payload
Stormkitty family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-23 19:03
Reported
2023-08-23 19:06
Platform
win7-20230712-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
StormKitty
StormKitty payload
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob | C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe
"C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA248.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpA248.tmp.bat
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\taskkill.exe
TaskKill /F /IM 2216
C:\Windows\system32\timeout.exe
Timeout /T 2 /Nobreak
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
C:\Users\Admin\AppData\Local\Temp\tmpA248.tmp.bat
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-23 19:03
Reported
2023-08-23 19:06
Platform
win10v2004-20230703-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
StormKitty
StormKitty payload
Downloads MZ/PE file
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe
"C:\Users\Admin\AppData\Local\Temp\r163uG0XxKTfeq3Bw5HAFeXZXk-KaaerIjWC8H8AAtE.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpFB64.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpFB64.tmp.bat
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\taskkill.exe
TaskKill /F /IM 1272
C:\Windows\system32\timeout.exe
Timeout /T 2 /Nobreak
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Browsers\Firefox\Bookmarks.txt
C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\System\Process.txt
C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Browsers\InternetExplorer\Passwords.txt
C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\System\ProductKey.txt
C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Directories\Videos.txt
C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Directories\Startup.txt
C:\Users\Admin\AppData\Local\93874fa233611467a555494276abeb5e\Admin@KHQJMFWR_en-US\Directories\OneDrive.txt
C:\Users\Admin\AppData\Local\Temp\tmpFB64.tmp.bat