Malware Analysis Report

2024-09-23 03:45

Sample ID: 240624-ydkgessepl
Target: Btc Flasher v2.0.exe
SHA256: b1ed11d2354a2bf469e2494636d14034d506cd931d5b6da22fa9c48f09807b66
Tags: stormkitty collection discovery pyinstaller spyware stealer upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: b1ed11d2354a2bf469e2494636d14034d506cd931d5b6da22fa9c48f09807b66
Threat Level: Known bad

The file Btc Flasher v2.0.exe was found to be: Known bad.

Malicious Activity Summary

StormKitty
StormKitty payload
Reads user/profile data of web browsers
Checks computer location settings
UPX packed file
Executes dropped EXE
Loads dropped DLL
Accesses Microsoft Outlook profiles
Drops desktop.ini file(s)
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Program crash
Unsigned PE
Detects Pyinstaller
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
outlook_win_path
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-24 19:40

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-24 19:40
Reported: 2024-06-24 19:43
Platform: win7-20240508-en
Max time kernel: 121s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Btc Flasher v2.0.exe"

Signatures

StormKitty (stealer stormkitty)

StormKitty payload

Reads user/profile data of web browsers (spyware stealer)

UPX packed file (upx)

Accesses Microsoft Outlook profiles (collection)

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting (spyware)

Checks installed software on the system (discovery)

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\PUMARTNR\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A
File created | C:\Users\Admin\AppData\Local\PUMARTNR\FileGrabber\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A
File created | C:\Users\Admin\AppData\Local\PUMARTNR\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | freegeoip.app | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Detects Pyinstaller (pyinstaller)

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1276 wrote to memory of 3048 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Btc Flasher v2.0.exe | C:\Users\Admin\AppData\Local\Temp\Gouead.exe
PID 1276 wrote to memory of 2616 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Btc Flasher v2.0.exe | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe
PID 3048 wrote to memory of 2828 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Gouead.exe | C:\Users\Admin\AppData\Local\Temp\Gouead.exe
PID 2616 wrote to memory of 2184 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | C:\Windows\SysWOW64\WerFault.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Btc Flasher v2.0.exe

"C:\Users\Admin\AppData\Local\Temp\Btc Flasher v2.0.exe"

C:\Users\Admin\AppData\Local\Temp\Gouead.exe

"C:\Users\Admin\AppData\Local\Temp\Gouead.exe"

C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe

"C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe"

C:\Users\Admin\AppData\Local\Temp\Gouead.exe

"C:\Users\Admin\AppData\Local\Temp\Gouead.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 844

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | freegeoip.app | udp
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp

Files

memory/1276-0-0x000007FEF5623000-0x000007FEF5624000-memory.dmp

memory/1276-1-0x0000000000C00000-0x000000000272E000-memory.dmp

memory/1276-2-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

\Users\Admin\AppData\Local\Temp\Gouead.exe

MD5 dbdcbe8fc071648721554ccab9cfb5e0
SHA1 0b8fa6f2a850497a3018ae62282b9a952dfd27c9
SHA256 b4348c02f657ca151add247f4918701af7dc97bac0017a85af4500fea5146775
SHA512 ef617f0f49971ecf39fad4688ddeca33dd14f640479c42c9e8a52b3f02c350a5b2b894288930855694b6e7171af9b4ad981d0a7da2c43c98439405354a4803db

C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe

MD5 75f5a13c58a2ea237ecff1f9527f1d75
SHA1 f3d637a400206bde5c5432d322bf0c12abb80b32
SHA256 6e7cc732605bb891505d7f8b322fd2493ea711f982ab6a59e9231a376f784f86
SHA512 41aa26b400681971ec0bddd7bf85357ded90c8cb17e3d814dc921455ca6b8da4d369290a5f7b62594096a3c57f6215913d01538a9381a229bd0a116e376d6966

memory/2616-48-0x000000007448E000-0x000000007448F000-memory.dmp

memory/1276-40-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

memory/2616-72-0x00000000003D0000-0x0000000000426000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI30482\python311.dll

MD5 bd41a26e89fc6bc661c53a2d4af35e3e
SHA1 8b52f7ab62ddb8c484a7da16efad33ce068635f6
SHA256 3cded5180dca1015347fd6ea44dbcc5ddd050adc7adbb99cf2991032320a5359
SHA512 b8dafc262d411e1c315754be4901d507893db04ea2d3f4b71cbdd0dab25d27f9274e7faf85ac880c85522d24fa57da06019c5910622003a305914cf8884ad02f

memory/2828-99-0x000007FEF5A20000-0x000007FEF6009000-memory.dmp

memory/2616-100-0x0000000074480000-0x0000000074B6E000-memory.dmp

memory/2616-232-0x0000000074480000-0x0000000074B6E000-memory.dmp

C:\Users\Admin\AppData\Local\PUMARTNR\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-24 19:40
Reported: 2024-06-24 19:43
Platform: win10v2004-20240226-en
Max time kernel: 162s
Max time network: 177s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Btc Flasher v2.0.exe"

Signatures

StormKitty (stealer stormkitty)

StormKitty payload

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Btc Flasher v2.0.exe | N/A

Reads user/profile data of web browsers (spyware stealer)

UPX packed file (upx)

Accesses Microsoft Outlook profiles (collection)

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting (spyware)

Checks installed software on the system (discovery)

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\OAILVCNY\FileGrabber\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A
File created | C:\Users\Admin\AppData\Local\OAILVCNY\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\OAILVCNY\FileGrabber\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A
File created | C:\Users\Admin\AppData\Local\OAILVCNY\FileGrabber\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | freegeoip.app | N/A | N/A
N/A | freegeoip.app | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip-api.com | N/A | N/A

Detects Pyinstaller (pyinstaller)

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gouead.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (24 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gouead.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Btc Flasher v2.0.exe

"C:\Users\Admin\AppData\Local\Temp\Btc Flasher v2.0.exe"

C:\Users\Admin\AppData\Local\Temp\Gouead.exe

"C:\Users\Admin\AppData\Local\Temp\Gouead.exe"

C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe

"C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe"

C:\Users\Admin\AppData\Local\Temp\Gouead.exe

"C:\Users\Admin\AppData\Local\Temp\Gouead.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.90.14.23.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | freegeoip.app | udp
US | 8.8.8.8:53 | dl.dropboxusercontent.com | udp
US | 104.21.73.97:443 | freegeoip.app | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | ipbase.com | udp
US | 104.21.85.189:443 | ipbase.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | 15.64.125.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.73.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 189.85.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
GB | 162.125.64.15:443 | dl.dropboxusercontent.com | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.13.205:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp

Files

memory/3964-0-0x00007FFE8AC03000-0x00007FFE8AC05000-memory.dmp

memory/3964-1-0x0000000000640000-0x000000000216E000-memory.dmp

memory/3964-2-0x00007FFE8AC00000-0x00007FFE8B6C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Gouead.exe

MD5 dbdcbe8fc071648721554ccab9cfb5e0
SHA1 0b8fa6f2a850497a3018ae62282b9a952dfd27c9
SHA256 b4348c02f657ca151add247f4918701af7dc97bac0017a85af4500fea5146775
SHA512 ef617f0f49971ecf39fad4688ddeca33dd14f640479c42c9e8a52b3f02c350a5b2b894288930855694b6e7171af9b4ad981d0a7da2c43c98439405354a4803db

C:\Users\Admin\AppData\Local\Temp\Lpqhivtfuc.exe

MD5 75f5a13c58a2ea237ecff1f9527f1d75
SHA1 f3d637a400206bde5c5432d322bf0c12abb80b32
SHA256 6e7cc732605bb891505d7f8b322fd2493ea711f982ab6a59e9231a376f784f86
SHA512 41aa26b400681971ec0bddd7bf85357ded90c8cb17e3d814dc921455ca6b8da4d369290a5f7b62594096a3c57f6215913d01538a9381a229bd0a116e376d6966

memory/3964-29-0x00007FFE8AC00000-0x00007FFE8B6C1000-memory.dmp

memory/696-41-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI11282\python311.dll

MD5 bd41a26e89fc6bc661c53a2d4af35e3e
SHA1 8b52f7ab62ddb8c484a7da16efad33ce068635f6
SHA256 3cded5180dca1015347fd6ea44dbcc5ddd050adc7adbb99cf2991032320a5359
SHA512 b8dafc262d411e1c315754be4901d507893db04ea2d3f4b71cbdd0dab25d27f9274e7faf85ac880c85522d24fa57da06019c5910622003a305914cf8884ad02f

memory/2152-105-0x00007FFE8B190000-0x00007FFE8B779000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI11282\VCRUNTIME140.dll

MD5 4585a96cc4eef6aafd5e27ea09147dc6
SHA1 489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256 a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512 d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

C:\Users\Admin\AppData\Local\Temp\_MEI11282\base_library.zip

MD5 20247ea846989c7c6bb987316b4974ca
SHA1 7150ff87bfb600340b8d43a2b116c96712e2c73c
SHA256 147106874a1f6643236bd42980b2280b753592289d54f48e9dc00c775eb5b25a
SHA512 f49ea6921c6dbc63745bee69b4d3434c090fa1d7f6fa76c611a5a64f9abdffc6eb95049375b0ddb4413471cce1c9b4f1194e794746f00c698eec56f6d6617b1e

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\QtWidgets.pyd

MD5 10bd2ddfaa740ab13f3c6cd4a49899a0
SHA1 55f4e4079b26f71e2dea66c346470756d1ec7411
SHA256 0595967a88a6795decc9ea29e66153bdb85dc457dc196ceaf82c701a888431b3
SHA512 273d3804868d2c483412322bd1d02e9bfba474c4dfe5078239e20871d7377460e22993cdaa3f901b2bd1e4d69c6a5f0873b330aa9575fa72fae732495ad23a50

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\Qt5\bin\Qt5Core.dll

MD5 fc41381c96a6f90cf8c08ab2986b87d1
SHA1 b7223f04bb73ff03e265b600a4121452bdfd56a2
SHA256 a1adb40787f16042f03d63bf6de42cf7b9f74f955ab1a368a07cdfed2c5bd859
SHA512 37afc0b900ffeef6ba5c60b6bc10eeba1635f26ee04161a2bbb80d752d03a96102db98ed5a626eb955958b870721762bc398f003ce57a2c127583a139fed7dbd

memory/696-111-0x0000000000DC0000-0x0000000000E16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI11282\python3.DLL

MD5 7442c154565f1956d409092ede9cc310
SHA1 c72f9c99ea56c8fb269b4d6b3507b67e80269c2d
SHA256 95086ac060ffe6933ac04a6aa289b1c7d321f14380315e24ba0d6c4adfa0842b
SHA512 2bf96828534bcdf71e48d1948b989011d8e3ba757c38cc17905a13d3021ea5deb57e2c68d79507a6acbb62be009cfc85b24d14543958dba1d3bc3e4ca7d4f844

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\Qt5\bin\Qt5Widgets.dll

MD5 1a75036560c974258abbb8d2e3a6b7c6
SHA1 e1c627b4474145d1c854689ef91c07eae4e9d7a6
SHA256 8a16ca5d8620ef85bd8af3b28851c7caef198a7f32f1e34cc00c4aeb24bd51f2
SHA512 4760cc6ca1950bdd58c9395906d20fbd867801984513d5759ccc13549dfa055d68298674e36dba6fdcf456e8666a963ede2af30c2f14398722c1746acec1a5e9

memory/2152-120-0x00007FFE8A330000-0x00007FFE8A867000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\Qt5\bin\MSVCP140_1.dll

MD5 0fe6d52eb94c848fe258dc0ec9ff4c11
SHA1 95cc74c64ab80785f3893d61a73b8a958d24da29
SHA256 446c48c1224c289bd3080087fe15d6759416d64f4136addf30086abd5415d83f
SHA512 c39a134210e314627b0f2072f4ffc9b2ce060d44d3365d11d8c1fe908b3b9403ebdd6f33e67d556bd052338d0ed3d5f16b54d628e8290fd3a155f55d36019a86

memory/2152-129-0x00007FFE89AC0000-0x00007FFE8A32A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\Qt5\bin\VCRUNTIME140_1.dll

MD5 6bc084255a5e9eb8df2bcd75b4cd0777
SHA1 cf071ad4e512cd934028f005cabe06384a3954b6
SHA256 1f0f5f2ce671e0f68cf96176721df0e5e6f527c8ca9cfa98aa875b5a3816d460
SHA512 b822538494d13bda947655af791fed4daa811f20c4b63a45246c8f3befa3ec37ff1aa79246c89174fe35d76ffb636fa228afa4bda0bd6d2c41d01228b151fd89

memory/2152-130-0x0000012EC5460000-0x0000012EC5AA1000-memory.dmp

memory/2152-131-0x00007FFE89470000-0x00007FFE89AB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\Qt5\bin\MSVCP140.dll

MD5 01b946a2edc5cc166de018dbb754b69c
SHA1 dbe09b7b9ab2d1a61ef63395111d2eb9b04f0a46
SHA256 88f55d86b50b0a7e55e71ad2d8f7552146ba26e927230daf2e26ad3a971973c5
SHA512 65dc3f32faf30e62dfdecb72775df870af4c3a32a0bf576ed1aaae4b16ac6897b62b19e01dc2bf46f46fbe3f475c061f79cbe987eda583fee1817070779860e5

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\Qt5\bin\Qt5Gui.dll

MD5 98d918e15895a6c25fcd4bdc1af3eaf3
SHA1 f0848b016d1f40a441ba7a5169c9758eeeb9953b
SHA256 d2dd253a9c13d03852f4be7f3a9e253eb75577e83682efc0f6a1646a431dac7e
SHA512 22104081c711d00826b39a5d5cb4e0947e5ed87cb67fd3fe665f6b52deaad5e2b0823748587ac46e17dc0d2ffbde8b51a92b5eb516964098598f77a02bfe3110

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\sip.cp311-win_amd64.pyd

MD5 e4d211ff89f2a0da05fd1bc0685646ed
SHA1 730b7ffd3caf4b14e038dcb8b9591e53b2ae7208
SHA256 75247400ac98aab66c2d5845cb52536abf39b3ff27d4772503d970763a76e825
SHA512 662bb0315548fb7ac0cf88d5e31dfbc58750451107ecbd7fcb7f2d98ce1723f4e96802c2b343680ddf1305f8ee3b0be5c1e11ad851df39ef0d1cce839300849b

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\QtCore.pyd

MD5 86659b35c40cf7851c17ff216d16cadf
SHA1 0b84110557f412b0a915ef5c6c29cc8466271d0e
SHA256 badcb2bd9fc92b35665f18d1ea07defd1e3ebfc3f6a5af7fc61aabe161d19c42
SHA512 47ef845d9ebbbb63a584e7f25ecd2fba34bdc89b0b03a6454a505e2eb4c5a1be86e9c614a133da075b1f79553ed0347b29baed0e99d8d4816146f80cfb73314d

memory/2152-140-0x00007FFE8AC60000-0x00007FFE8AEF0000-memory.dmp

memory/2152-139-0x00007FFE9B890000-0x00007FFE9B8B8000-memory.dmp

memory/2152-138-0x00007FFE88E70000-0x00007FFE89461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\QtGui.pyd

MD5 2643daee5390c478d48afb8ee2ba295d
SHA1 9cb17f3c878e8f358a124bea93f39587e593db04
SHA256 b10a504dfe023be5c8c0663100de07ca51ad0b3dd4a49c6a42a29d1f12a4e0c7
SHA512 cd2e0122a17b2980414448e7d0b9bf25de328e4ee2a8896be101dede8f416fc53c705049f5e6492f9281c3bd77ca1c741e6bfdfa936cfd787ad910caec0a64e3

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\Qt5\plugins\platforms\qwindows.dll

MD5 4931fcd0e86c4d4f83128dc74e01eaad
SHA1 ac1d0242d36896d4dda53b95812f11692e87d8df
SHA256 3333ba244c97264e3bd19db5953efa80a6e47aaced9d337ac3287ec718162b85
SHA512 0396bccda43856950afe4e7b16e0f95d4d48b87473dc90cf029e6ddfd0777e1192c307cfe424eae6fb61c1b479f0ba1ef1e4269a69c843311a37252cf817d84d

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\Qt5\plugins\platforms\qwebgl.dll

MD5 1edcb08c16d30516483a4cbb7d81e062
SHA1 4760915f1b90194760100304b8469a3b2e97e2bc
SHA256 9c3b2fa2383eeed92bb5810bdcf893ae30fa654a30b453ab2e49a95e1ccf1631
SHA512 0a923495210b2dc6eb1acedaf76d57b07d72d56108fd718bd0368d2c2e78ae7ac848b90d90c8393320a3d800a38e87796965afd84da8c1df6c6b244d533f0f39

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\Qt5\plugins\platforms\qoffscreen.dll

MD5 6407499918557594916c6ab1ffef1e99
SHA1 5a57c6b3ffd51fc5688d5a28436ad2c2e70d3976
SHA256 54097626faae718a4bc8e436c85b4ded8f8fb7051b2b9563a29aee4ed5c32b7b
SHA512 8e8abb563a508e7e75241b9720a0e7ae9c1a59dd23788c74e4ed32a028721f56546792d6cca326f3d6aa0a62fdedc63bf41b8b74187215cd3b26439f40233f4d

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\Qt5\plugins\platforms\qminimal.dll

MD5 2f6d88f8ec3047deaf174002228219ab
SHA1 eb7242bb0fe74ea78a17d39c76310a7cdd1603a8
SHA256 05d1e7364dd2a672df3ca44dd6fd85bed3d3dc239dcfe29bfb464f10b4daa628
SHA512 0a895ba11c81af14b5bd1a04a450d6dcca531063307c9ef076e9c47bd15f4438837c5d425caee2150f3259691f971d6ee61154748d06d29e4e77da3110053b54

memory/2152-142-0x00007FFE88BD0000-0x00007FFE88E68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll

MD5 f66f6e9eda956f72e3bb113407035e61
SHA1 97328524da8e82f5f92878f1c0421b38ecec1e6c
SHA256 e23fbc1bec6ceedfa9fd305606a460d9cac5d43a66d19c0de36e27632fddd952
SHA512 7ff76e83c8d82016ab6bd349f10405f30deebe97e8347c6762eb71a40009f9a2978a0d8d0c054cf7a3d2d377563f6a21b97ddefd50a9ac932d43cc124d7c4918

C:\Users\Admin\AppData\Local\Temp\_MEI11282\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll

MD5 53a85f51054b7d58d8ad7c36975acb96
SHA1 893a757ca01472a96fb913d436aa9f8cfb2a297f
SHA256 d9b21182952682fe7ba63af1df24e23ace592c35b3f31eceef9f0eabeb5881b9
SHA512 35957964213b41f1f21b860b03458404fbf11daf03d102fbea8c2b2f249050cefbb348edc3f22d8ecc3cb8abfdc44215c2dc9da029b4f93a7f40197bd0c16960

memory/2152-163-0x00007FFE89470000-0x00007FFE89AB1000-memory.dmp

memory/2152-160-0x00007FFE8B190000-0x00007FFE8B779000-memory.dmp

memory/2152-166-0x00007FFE8AC60000-0x00007FFE8AEF0000-memory.dmp

memory/2152-165-0x00007FFE9B890000-0x00007FFE9B8B8000-memory.dmp

memory/2152-161-0x00007FFE8A330000-0x00007FFE8A867000-memory.dmp

memory/2152-167-0x00007FFE88BD0000-0x00007FFE88E68000-memory.dmp

memory/2152-164-0x00007FFE88E70000-0x00007FFE89461000-memory.dmp

memory/2152-162-0x00007FFE89AC0000-0x00007FFE8A32A000-memory.dmp

memory/696-183-0x0000000006B30000-0x0000000006BC2000-memory.dmp

memory/696-190-0x0000000007180000-0x0000000007724000-memory.dmp

C:\Users\Admin\AppData\Local\OAILVCNY\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/696-207-0x0000000007F50000-0x0000000007FB6000-memory.dmp

memory/2152-250-0x00007FFE8B190000-0x00007FFE8B779000-memory.dmp

memory/2152-255-0x00007FFE9B890000-0x00007FFE9B8B8000-memory.dmp

memory/2152-253-0x00007FFE89470000-0x00007FFE89AB1000-memory.dmp

memory/2152-254-0x00007FFE88E70000-0x00007FFE89461000-memory.dmp

memory/2152-252-0x00007FFE89AC0000-0x00007FFE8A32A000-memory.dmp

memory/696-291-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

C:\Users\Admin\AppData\Local\OAILVCNY\Process.txt

MD5 d22ba594dfbf2c0b150b0d4591940628
SHA1 8bd70d978700ae2558833a506ca8167a900addf5
SHA256 7d15912ccff9b43959cf2eba4a95cdcaa181e92264947c96a17ef1e1b96ceeea
SHA512 e6d553417c6750c4e0786c388e0c5c789ab0497a1426dff88150256bf9e3cc2a0cd9323dcbaca88ef8f4826ed8ab77bb8f552c47f3d94a373e35fc43d4a79144

memory/2152-320-0x0000012EC5460000-0x0000012EC5AA1000-memory.dmp

C:\Users\Admin\AppData\Local\OAILVCNY\FileGrabber\Desktop\TestPush.txt

MD5 a95e154ad2420516b7aa0dd3dd4b211c
SHA1 776da558ae6dd5548bda3264468b5447f7a7ca3b
SHA256 a6690016745f7dbb5ab895d22b62bd6e598d1462acc558af85cad3a07071252f
SHA512 c6dccc9072be77957ea99b3d8a21282ab35b29d4095b7e797e580001e61c3b03a7856bb6512ec24f8c8e9a294e495a4af04fae72c32209da98223db7e628d645

C:\Users\Admin\AppData\Local\OAILVCNY\FileGrabber\Documents\ApproveRename.xlsx

MD5 51ce174f540dc27c782bd476bb1d719d
SHA1 a29abb6b4ee11dbdcc2c853b1effc3d320cb54cc
SHA256 d99365cbf96316d43afd8263b15a84086de48de1f14cbb8da598be4d1fa28bee
SHA512 6d78f5a845665d438501bb0a814f72663889166e5db3b1aea4a2fe35cacad1c72f8be38504b26e0ab11db9e79c53b41f4ad3d452fcd4a3bd29824d3a7bb1a3e4

C:\Users\Admin\AppData\Local\OAILVCNY\FileGrabber\Downloads\CheckpointGrant.pdf

MD5 e51623f796908807d83fe5c0197e3237
SHA1 0c11a9918dae92ba932f25eb811edcf6c987672f
SHA256 2f60ed4941d65c1a9ca1c6066b50144a007d39b36dbca5560f72e8479b1b9b9d
SHA512 112dc0d37ec83779869cb140ae3b11409f8e725af34c06e6fa355b2a30d4246faa2cdd48b8f49360d5f8d41f7907473850ca834c037233fa7b78baf1cd9864c7

C:\Users\Admin\AppData\Local\OAILVCNY\FileGrabber\Downloads\ConvertFromUnlock.xlsx

MD5 05990949144520cf2014a23bb1820db1
SHA1 997875a7a27cfc8ccc8a9f0eb4522ef6d017cb9f
SHA256 7dd4a80054a624bc03ace9b3e031a998954f8d730f1678af701596a5fc4635bf
SHA512 ed071f3e93fdd24bdad695740e6edca34047171c00027223f38ff02aae18ef9a0784380c98dd5c079e8020b850d707d7666e466e65ab35bc4c167c0dab905103

C:\Users\Admin\AppData\Local\OAILVCNY\FileGrabber\Downloads\RepairResume.css

MD5 17d2a2e13853bb2b216497dc024a612f
SHA1 2fb4b3b40dbcc3e4c89dc62d2b87c7a5b4aac07a
SHA256 c60e378375c29f7d98ff74517238db09b0d52cf6a5fdf9dba4ac05425bdb7866
SHA512 ead01cdbea8cd03f02815ca5274c2d72aa803b477b55b04887a56ff6986262cd8547f7d3d937a44d80e87cdc8d18646140a89cc5adcc02b351ffbe2f334c33d3

C:\Users\Admin\AppData\Local\OAILVCNY\FileGrabber\Pictures\CompareClose.svg

MD5 f757fa10e0b9966aacc632cebc3a080f
SHA1 23df76bb8b797f08ea47a4081d07f55b1bfbd75d
SHA256 9908794bb956347d5ed0dd99d0ead90f1c9d640a2d7f6f05e28f18762c09ef20
SHA512 f5637569ef818012615ece665094aa4753aabd8a11c18b34f06065e45a55215724be2e39a1d9fab6396dea9a9c7380f285fd6337db55b560b8867faa0b64c168

C:\Users\Admin\AppData\Local\OAILVCNY\FileGrabber\Pictures\CompressWait.svg

MD5 f6e80e97e9cb55a127817da5dc8e4030
SHA1 6fcb365d6b181aad7d9f663b7c86dd1ea2dc594b
SHA256 eb5813c27cc88f9df85ed499baae96d6731b6e821f664062417628d8f02f62cf
SHA512 0247e1a3e8bf6459e9ace43897b52f4519ded02802da095d5f5a5e06cbaa071b7593046ed5644ce4c23281980a335986db4686425f8b3061ccbf474197978305

C:\Users\Admin\AppData\Local\OAILVCNY\FileGrabber\Pictures\GroupPing.jpg

MD5 8f7704d2531f1a380747db1bd8b10207
SHA1 022e35a963015cfec1cf70e8daaa4a22895ec179
SHA256 d33dc9c3bc0fec694f90cfd7cc5af9cfd412609649744a365f68589065e836b1
SHA512 8836df9717d13f41b85f4ce7a79c2e7cf92469bb8afc0542515cc67973e5e92da975098876f8d1d7a5a215b3f56fdf65fc9b2919cf4e3d12f056a848b10632ca

C:\Users\Admin\AppData\Local\OAILVCNY\FileGrabber\Pictures\GroupUpdate.svg

MD5 ffc432dc301463dd85509a3fb1ac4bea
SHA1 7ef20b04904fc80a82a8bb5a0a6f99c0fe0dcd2a
SHA256 9382087657196d30b986c4a148f3604afc1ca768292fd1937c71313bf7999f5c
SHA512 5fad0ce2355e694ebed7853b790c2d62108864b1c8a3d374ad942623705ce88be77d6bdfaa9fde60d74de3773b4785fc6897badd23361646ce54fb21bf30937f

C:\Users\Admin\AppData\Local\OAILVCNY\FileGrabber\Pictures\MergePing.jpeg

MD5 055bafa9ef0affd08699d99a7b615023
SHA1 a89e2a794eb7d42e6e23e87ce285f80fa18c8848
SHA256 e3038608837d6d929ebc8555caffd3b98a7a3097d96b16c4a830e6b11e66440c
SHA512 9dca7582b112997e1a912e847b0cff726a5fc39c2ab3d8837f9b4f9f7c93b75c90bf63d8d05cc9eccbed9d0bc35ceaf601823b209955ba1da80a878db2d3e6c3

memory/2152-410-0x00007FFE89AC0000-0x00007FFE8A32A000-memory.dmp

memory/2152-455-0x00007FFE89AC0000-0x00007FFE8A32A000-memory.dmp