Malware Analysis Report

2024-10-23 17:16

Sample ID 240909-y775ksybmr
Target 9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f
SHA256 9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f
Tags
cryptbot credential_access discovery spyware stealer lumma
score
10/10

Analysis Overview

score
10/10

SHA256

9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f

Threat Level: Known bad

The file 9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f was found to be: Known bad.

Malicious Activity Summary

cryptbot credential_access discovery spyware stealer lumma

Lumma Stealer, LummaC

CryptBot

Credentials from Password Stores: Credentials from Web Browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Checks installed software on the system

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-09 20:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-09 20:26

Reported

2024-09-09 20:29

Platform

win7-20240903-en

Max time kernel

148s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe"

Signatures

CryptBot

spyware stealer cryptbot

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe
PID 1632 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe
PID 2896 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe C:\Users\Admin\AppData\Local\Temp\service123.exe
PID 2896 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe C:\Windows\SysWOW64\schtasks.exe
PID 2460 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\service123.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe

"C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe"

C:\Users\Admin\AppData\Local\Temp\service123.exe

"C:\Users\Admin\AppData\Local\Temp\service123.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

C:\Windows\system32\taskeng.exe

taskeng.exe {0A35FC49-CF70-4C16-8980-4FB6795641BD} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\service123.exe

C:\Users\Admin\AppData\Local\Temp\/service123.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 eihtv18sb.top udp
RU 194.87.248.136:80 eihtv18sb.top tcp

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe

MD5 5776392593245c0f7ffa5d05e0538b4d
SHA1 e03291fc3ec8c72dd2f75d016b9829a33f2bfcc0
SHA256 f4b64977aa021edf0d72c5f93f927115f6370876b21219ad303179230db6b1c2
SHA512 f933ce9ffacfa0826eed707c1c96c54343d87c123b4a5fe6dd910cdb69c8f4e5e8ee6e373af4d6622c4b05b7abeeca822a15e97cf74c083dbbaf194a976d059c

\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe

MD5 cb2bd11ed77164148a475693db0b02f2
SHA1 884a752c92c0f93c7aa2c00aa8c19684ee7b4c50
SHA256 192378774c53b5285cffe591b070bfd303fabf2d6acdc96792b10d1233142494
SHA512 18fd7141e7c44d0e8111dc12a6764a926db4fd7a701c13bbf3d9c76b063478274dfab87951966a585a050a96e33c20858f59d629ce27374a9c0e450aacfef1c5

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-09 20:26

Reported

2024-09-09 20:29

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe"

Signatures

CryptBot

spyware stealer cryptbot

Lumma Stealer, LummaC

stealer lumma

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\service123.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1428 set thread context of 1164 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\service123.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe
PID 1428 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2016 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe
PID 1648 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe C:\Users\Admin\AppData\Local\Temp\service123.exe
PID 1648 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe

"C:\Users\Admin\AppData\Local\Temp\9f373cdee6065d01164210c338948684703fcf966adab402175117dba115b85f.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe"

C:\Users\Admin\AppData\Local\Temp\service123.exe

"C:\Users\Admin\AppData\Local\Temp\service123.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

C:\Users\Admin\AppData\Local\Temp\service123.exe

C:\Users\Admin\AppData\Local\Temp\/service123.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 professinowpqqz.shop udp
US 172.67.215.93:443 professinowpqqz.shop tcp
US 8.8.8.8:53 93.215.67.172.in-addr.arpa udp
US 8.8.8.8:53 locatedblsoqp.shop udp
US 8.8.8.8:53 traineiwnqo.shop udp
US 8.8.8.8:53 condedqpwqm.shop udp
US 8.8.8.8:53 evoliutwoqm.shop udp
US 8.8.8.8:53 millyscroqwp.shop udp
US 8.8.8.8:53 stagedchheiqwo.shop udp
US 8.8.8.8:53 stamppreewntnq.shop udp
US 8.8.8.8:53 caffegclasiqwp.shop udp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
US 8.8.8.8:53 85.99.22.2.in-addr.arpa udp
US 8.8.8.8:53 eihtv18sb.top udp
US 8.8.8.8:53 tenntysjuxmz.shop udp
US 172.67.141.209:443 tenntysjuxmz.shop tcp
US 8.8.8.8:53 209.141.67.172.in-addr.arpa udp
US 8.8.8.8:53 eihtv18sb.top udp
RU 194.87.248.136:80 eihtv18sb.top tcp
US 8.8.8.8:53 136.248.87.194.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x64.exe

MD5 5776392593245c0f7ffa5d05e0538b4d
SHA1 e03291fc3ec8c72dd2f75d016b9829a33f2bfcc0
SHA256 f4b64977aa021edf0d72c5f93f927115f6370876b21219ad303179230db6b1c2
SHA512 f933ce9ffacfa0826eed707c1c96c54343d87c123b4a5fe6dd910cdb69c8f4e5e8ee6e373af4d6622c4b05b7abeeca822a15e97cf74c083dbbaf194a976d059c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VC_redist.x86.exe

MD5 cb2bd11ed77164148a475693db0b02f2
SHA1 884a752c92c0f93c7aa2c00aa8c19684ee7b4c50
SHA256 192378774c53b5285cffe591b070bfd303fabf2d6acdc96792b10d1233142494
SHA512 18fd7141e7c44d0e8111dc12a6764a926db4fd7a701c13bbf3d9c76b063478274dfab87951966a585a050a96e33c20858f59d629ce27374a9c0e450aacfef1c5
