Malware Analysis Report

2025-01-02 10:45

Sample ID 210920-g2qvnsdbc2
Target 58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42
SHA256 58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42
Tags
raccoon redline smokeloader udp backdoor discovery evasion infostealer persistence spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42

Threat Level: Known bad

The file 58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42 was found to be: Known bad.

Malicious Activity Summary

raccoon redline smokeloader udp backdoor discovery evasion infostealer persistence spyware stealer themida trojan

Raccoon

RedLine Payload

RedLine

SmokeLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Themida packer

Checks BIOS information in registry

Reads user/profile data of web browsers

Loads dropped DLL

Reads user/profile data of local email clients

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-20 06:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-20 06:18

Reported

2021-09-20 06:20

Platform

win10v20210408

Max time kernel

151s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe"

Signatures

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine Payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\EF8D.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\E54B.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\E54B.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\EF8D.exe N/A

Deletes itself

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\service = "C:\\Users\\Admin\\AppData\\Local\\Temp\\D944.exe" C:\Users\Admin\AppData\Local\Temp\D944.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\E54B.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\EF8D.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E54B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EF8D.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\AppData\Local\Temp\D944.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\wisbiwi N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\wisbiwi N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\wisbiwi N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wisbiwi N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D944.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WerFault.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E54B.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EF8D.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F4CE.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 632 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe
PID 632 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe
PID 632 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe
PID 632 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe
PID 632 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe
PID 632 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe
PID 2428 wrote to memory of 2052 N/A N/A C:\Users\Admin\AppData\Local\Temp\D944.exe
PID 2428 wrote to memory of 2052 N/A N/A C:\Users\Admin\AppData\Local\Temp\D944.exe
PID 2428 wrote to memory of 3920 N/A N/A C:\Users\Admin\AppData\Local\Temp\E54B.exe
PID 2428 wrote to memory of 3920 N/A N/A C:\Users\Admin\AppData\Local\Temp\E54B.exe
PID 2428 wrote to memory of 3920 N/A N/A C:\Users\Admin\AppData\Local\Temp\E54B.exe
PID 2428 wrote to memory of 3200 N/A N/A C:\Users\Admin\AppData\Local\Temp\EF8D.exe
PID 2428 wrote to memory of 3200 N/A N/A C:\Users\Admin\AppData\Local\Temp\EF8D.exe
PID 2428 wrote to memory of 3200 N/A N/A C:\Users\Admin\AppData\Local\Temp\EF8D.exe
PID 2428 wrote to memory of 2252 N/A N/A C:\Users\Admin\AppData\Local\Temp\F4CE.exe
PID 2428 wrote to memory of 2252 N/A N/A C:\Users\Admin\AppData\Local\Temp\F4CE.exe
PID 2428 wrote to memory of 2252 N/A N/A C:\Users\Admin\AppData\Local\Temp\F4CE.exe
PID 2428 wrote to memory of 908 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe
PID 2428 wrote to memory of 908 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe
PID 2428 wrote to memory of 908 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe
PID 908 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 908 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 908 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2428 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\700.exe
PID 2428 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\700.exe
PID 2428 wrote to memory of 2736 N/A N/A C:\Users\Admin\AppData\Local\Temp\700.exe
PID 2428 wrote to memory of 1500 N/A N/A C:\Users\Admin\AppData\Local\Temp\C60.exe
PID 2428 wrote to memory of 1500 N/A N/A C:\Users\Admin\AppData\Local\Temp\C60.exe
PID 2428 wrote to memory of 1500 N/A N/A C:\Users\Admin\AppData\Local\Temp\C60.exe
PID 1500 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C60.exe C:\Users\Admin\AppData\Local\Temp\C60.exe
PID 1500 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C60.exe C:\Users\Admin\AppData\Local\Temp\C60.exe
PID 1500 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C60.exe C:\Users\Admin\AppData\Local\Temp\C60.exe
PID 1500 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C60.exe C:\Users\Admin\AppData\Local\Temp\C60.exe
PID 1500 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C60.exe C:\Users\Admin\AppData\Local\Temp\C60.exe
PID 1500 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C60.exe C:\Users\Admin\AppData\Local\Temp\C60.exe
PID 1500 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C60.exe C:\Users\Admin\AppData\Local\Temp\C60.exe
PID 1500 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C60.exe C:\Users\Admin\AppData\Local\Temp\C60.exe
PID 908 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe C:\Users\Admin\AppData\Local\Temp\FB76.exe
PID 908 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe C:\Users\Admin\AppData\Local\Temp\FB76.exe
PID 908 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe C:\Users\Admin\AppData\Local\Temp\FB76.exe
PID 908 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe C:\Users\Admin\AppData\Local\Temp\FB76.exe
PID 908 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe C:\Users\Admin\AppData\Local\Temp\FB76.exe
PID 908 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe C:\Users\Admin\AppData\Local\Temp\FB76.exe
PID 908 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe C:\Users\Admin\AppData\Local\Temp\FB76.exe
PID 908 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe C:\Users\Admin\AppData\Local\Temp\FB76.exe
PID 908 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe C:\Users\Admin\AppData\Local\Temp\FB76.exe
PID 908 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe C:\Users\Admin\AppData\Local\Temp\FB76.exe
PID 908 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\FB76.exe C:\Users\Admin\AppData\Local\Temp\FB76.exe
PID 4288 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Roaming\wisbiwi C:\Users\Admin\AppData\Roaming\wisbiwi
PID 4288 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Roaming\wisbiwi C:\Users\Admin\AppData\Roaming\wisbiwi
PID 4288 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Roaming\wisbiwi C:\Users\Admin\AppData\Roaming\wisbiwi
PID 4288 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Roaming\wisbiwi C:\Users\Admin\AppData\Roaming\wisbiwi
PID 4288 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Roaming\wisbiwi C:\Users\Admin\AppData\Roaming\wisbiwi
PID 4288 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Roaming\wisbiwi C:\Users\Admin\AppData\Roaming\wisbiwi

Processes

C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe

"C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe"

C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe

"C:\Users\Admin\AppData\Local\Temp\58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42.exe"

C:\Users\Admin\AppData\Local\Temp\D944.exe

C:\Users\Admin\AppData\Local\Temp\D944.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2052 -s 1604

C:\Users\Admin\AppData\Local\Temp\E54B.exe

C:\Users\Admin\AppData\Local\Temp\E54B.exe

C:\Users\Admin\AppData\Local\Temp\EF8D.exe

C:\Users\Admin\AppData\Local\Temp\EF8D.exe

C:\Users\Admin\AppData\Local\Temp\F4CE.exe

C:\Users\Admin\AppData\Local\Temp\F4CE.exe

C:\Users\Admin\AppData\Local\Temp\FB76.exe

C:\Users\Admin\AppData\Local\Temp\FB76.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\700.exe

C:\Users\Admin\AppData\Local\Temp\700.exe

C:\Users\Admin\AppData\Local\Temp\C60.exe

C:\Users\Admin\AppData\Local\Temp\C60.exe

C:\Users\Admin\AppData\Local\Temp\C60.exe

C:\Users\Admin\AppData\Local\Temp\C60.exe

C:\Users\Admin\AppData\Local\Temp\FB76.exe

C:\Users\Admin\AppData\Local\Temp\FB76.exe

C:\Users\Admin\AppData\Local\Temp\FB76.exe

C:\Users\Admin\AppData\Local\Temp\FB76.exe

C:\Users\Admin\AppData\Roaming\wisbiwi

C:\Users\Admin\AppData\Roaming\wisbiwi

C:\Users\Admin\AppData\Roaming\wisbiwi

C:\Users\Admin\AppData\Roaming\wisbiwi

Network

Country Destination Domain Proto
US 8.8.8.8:53 venerynnet1.top udp
US 8.8.8.8:53 kevonahira2.top udp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
US 8.8.8.8:53 a.uguu.se udp
DE 144.76.201.136:443 a.uguu.se tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
NL 193.56.146.36:80 193.56.146.36 tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
NL 190.2.145.108:12608 N/A tcp
RU 45.144.67.29:80 kevonahira2.top tcp
US 8.8.8.8:53 iryarahara.xyz udp
RU 77.246.145.4:80 iryarahara.xyz tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.9.20.20:13441 N/A tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
RU 45.144.67.29:80 kevonahira2.top tcp
US 8.8.8.8:53 telete.in udp
DE 195.201.225.248:443 telete.in tcp
DE 74.119.192.122:80 74.119.192.122 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 104.26.12.31:443 api.ip.sb tcp
US 104.26.12.31:443 api.ip.sb tcp
DE 78.46.130.193:39470 N/A tcp
US 104.26.12.31:443 api.ip.sb tcp
NL 45.67.231.145:10991 N/A tcp
US 104.26.12.31:443 api.ip.sb tcp

Files

memory/632-114-0x0000000000030000-0x0000000000039000-memory.dmp

memory/804-116-0x0000000000402DCE-mapping.dmp

memory/804-115-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2428-117-0x0000000000410000-0x0000000000425000-memory.dmp

memory/2052-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D944.exe

MD5 ee067e8213ac1840757a56959635c1a3
SHA1 e96cf55bf0bbba1a2b0c5ec98f949a02e4325ed8
SHA256 83b6ec39427a30d7b2e7002bce01b9f91596ed66a4151267311936e11e967776
SHA512 4d68db6471addf91b5ea07f285d71f569ddacb8d3715b3766194f1a6590f77de8d1f1d063ff3a587aa93d7778944912cc2e467c05dea9ea1b16bf291c05655e3

C:\Users\Admin\AppData\Local\Temp\D944.exe

MD5 ee067e8213ac1840757a56959635c1a3
SHA1 e96cf55bf0bbba1a2b0c5ec98f949a02e4325ed8
SHA256 83b6ec39427a30d7b2e7002bce01b9f91596ed66a4151267311936e11e967776
SHA512 4d68db6471addf91b5ea07f285d71f569ddacb8d3715b3766194f1a6590f77de8d1f1d063ff3a587aa93d7778944912cc2e467c05dea9ea1b16bf291c05655e3

memory/2052-121-0x00000000006F0000-0x00000000006F1000-memory.dmp

memory/2052-123-0x0000000000EB0000-0x0000000000EB2000-memory.dmp

memory/3920-124-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\E54B.exe

MD5 9b739fca61cbe5a22bfe0b77cce75697
SHA1 386760ae9e2cea9bf737e48d0d77c5b29ae9b1bd
SHA256 c59cecf273089ec7e37fcc7a55b135067644dc3bd90abb4c6f81d9fd63744201
SHA512 06377ab9e2e666bef740c8c1e7c194d38d60457728efb109bf59e1fbd5a23661acaafae90b7b230d43f067eb5bf806e8cc2eac8d12104d6c14bbac8e39ddb7fc

C:\Users\Admin\AppData\Local\Temp\E54B.exe

MD5 9b739fca61cbe5a22bfe0b77cce75697
SHA1 386760ae9e2cea9bf737e48d0d77c5b29ae9b1bd
SHA256 c59cecf273089ec7e37fcc7a55b135067644dc3bd90abb4c6f81d9fd63744201
SHA512 06377ab9e2e666bef740c8c1e7c194d38d60457728efb109bf59e1fbd5a23661acaafae90b7b230d43f067eb5bf806e8cc2eac8d12104d6c14bbac8e39ddb7fc

memory/3920-128-0x00000000779F0000-0x0000000077B7E000-memory.dmp

memory/3920-129-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

memory/3920-131-0x0000000005F30000-0x0000000005F31000-memory.dmp

memory/3920-132-0x00000000058A0000-0x00000000058A1000-memory.dmp

memory/3200-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\EF8D.exe

MD5 2276594f6417179702443734cc89341a
SHA1 2afd398c0408c5c41062a5ca0d43528e9a510ddf
SHA256 4c9c430cdca2a818a7c532a1ba924670bdd01e61f4e7d574123daab677e4c76e
SHA512 cb023e562b73a297eb3f2c1f6577fb33635af0da31d1264a60a664dc59bbce84d723a498dba54be34adffece90aa76ac4e269a3aad50559424b3dfe6ba0bbf85

memory/3920-135-0x0000000005A30000-0x0000000005A31000-memory.dmp

memory/3920-137-0x0000000005920000-0x0000000005921000-memory.dmp

memory/3200-138-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/3920-144-0x0000000005910000-0x0000000005911000-memory.dmp

memory/3200-145-0x00000000779F0000-0x0000000077B7E000-memory.dmp

memory/3200-146-0x0000000005440000-0x0000000005A46000-memory.dmp

memory/2252-147-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\F4CE.exe

MD5 dbb8cc09c83fb1c86f5c69a556377dfd
SHA1 5fe4d2c759bafa0b1327a173b675ca819b617f8f
SHA256 a801c172436a41b7f91b86d202cce42cb78630f254a8f034d264abf61ab0e92d
SHA512 e11d01a6cf1936fe18bc4313cf67d264d69c2e8ce8952c1abfb3a2068146cc60310a9dd05163f8650619ebfcd957faee27ace942d5795797fe6248e06bf2d5ac

C:\Users\Admin\AppData\Local\Temp\F4CE.exe

MD5 dbb8cc09c83fb1c86f5c69a556377dfd
SHA1 5fe4d2c759bafa0b1327a173b675ca819b617f8f
SHA256 a801c172436a41b7f91b86d202cce42cb78630f254a8f034d264abf61ab0e92d
SHA512 e11d01a6cf1936fe18bc4313cf67d264d69c2e8ce8952c1abfb3a2068146cc60310a9dd05163f8650619ebfcd957faee27ace942d5795797fe6248e06bf2d5ac

memory/3200-150-0x0000000005530000-0x0000000005531000-memory.dmp

memory/908-152-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FB76.exe

MD5 6f89f4c0727ee98f5056839c492fc13f
SHA1 bab3223bc4eda781998e4f7ce27f5e21aec6ab8b
SHA256 eb782588d33bbbda006f677802b59b89e6f0bf6615ebfb0957b2a01ff8f2503a
SHA512 8ea43bf8a12912e4f3424bec506ac7ef9cbb5dfc0bc183833c3e2ab4a667e624f174faac1599424e5e0ad185c8e17b1c8d8bb501b4f521dfb2f7f1fb2a14873d

C:\Users\Admin\AppData\Local\Temp\FB76.exe

MD5 6f89f4c0727ee98f5056839c492fc13f
SHA1 bab3223bc4eda781998e4f7ce27f5e21aec6ab8b
SHA256 eb782588d33bbbda006f677802b59b89e6f0bf6615ebfb0957b2a01ff8f2503a
SHA512 8ea43bf8a12912e4f3424bec506ac7ef9cbb5dfc0bc183833c3e2ab4a667e624f174faac1599424e5e0ad185c8e17b1c8d8bb501b4f521dfb2f7f1fb2a14873d

memory/908-155-0x0000000000260000-0x0000000000261000-memory.dmp

memory/908-157-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

memory/2252-158-0x0000000000970000-0x000000000098F000-memory.dmp

memory/908-159-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

memory/2252-161-0x0000000002310000-0x000000000232E000-memory.dmp

memory/908-167-0x0000000004C50000-0x0000000004C51000-memory.dmp

memory/2252-168-0x0000000000460000-0x00000000005AA000-memory.dmp

memory/2252-169-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2252-170-0x0000000004C40000-0x0000000004C41000-memory.dmp

memory/2252-171-0x0000000004C42000-0x0000000004C43000-memory.dmp

memory/2252-172-0x0000000004C43000-0x0000000004C44000-memory.dmp

memory/908-173-0x0000000004AF0000-0x0000000004FEE000-memory.dmp

memory/2252-174-0x0000000004C44000-0x0000000004C46000-memory.dmp

memory/3832-175-0x0000000000000000-mapping.dmp

memory/2736-178-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\700.exe

MD5 35ec99acde872d7b87a2a4a10bdfcc27
SHA1 b0a909f253d034603e39c976931ab5dd05a69962
SHA256 846d07502acbd6b4000bc3f9ac071439ce82c1c5f5180f07bf754c71a06dd677
SHA512 fc1676c322a7e29962698c645188699df3980fc52a90fbef06ff67f404e35dc61a7850673a932e1d7e946889c99bd41dc267781b73332017ba0f1f725b52af7c

C:\Users\Admin\AppData\Local\Temp\700.exe

MD5 35ec99acde872d7b87a2a4a10bdfcc27
SHA1 b0a909f253d034603e39c976931ab5dd05a69962
SHA256 846d07502acbd6b4000bc3f9ac071439ce82c1c5f5180f07bf754c71a06dd677
SHA512 fc1676c322a7e29962698c645188699df3980fc52a90fbef06ff67f404e35dc61a7850673a932e1d7e946889c99bd41dc267781b73332017ba0f1f725b52af7c

memory/3832-181-0x0000000004720000-0x0000000004721000-memory.dmp

memory/3832-182-0x0000000007290000-0x0000000007291000-memory.dmp

memory/3832-183-0x0000000006C50000-0x0000000006C51000-memory.dmp

memory/3832-184-0x0000000006C52000-0x0000000006C53000-memory.dmp

memory/3832-185-0x0000000007180000-0x0000000007181000-memory.dmp

memory/3832-186-0x0000000007220000-0x0000000007221000-memory.dmp

memory/3832-187-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

memory/3832-188-0x0000000007B30000-0x0000000007B31000-memory.dmp

memory/1500-189-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C60.exe

MD5 5fa1534cbc496093aa856dde4c536f3c
SHA1 5d9c144f207aa9680b01171bcc6163df35812ae3
SHA256 1547b2363fee87cc5751482fb001074b071fcf3d172181d78787dbb2ee75883f
SHA512 0ef9610d5376d6f3ef9a4a655ff28651b9b2d44beb8f1afb4ffbadfe9cdcc5f80d200be623b01cce66c45ca8f0e71f2751c881c31c48324060f938cfdebf101a

C:\Users\Admin\AppData\Local\Temp\C60.exe

MD5 5fa1534cbc496093aa856dde4c536f3c
SHA1 5d9c144f207aa9680b01171bcc6163df35812ae3
SHA256 1547b2363fee87cc5751482fb001074b071fcf3d172181d78787dbb2ee75883f
SHA512 0ef9610d5376d6f3ef9a4a655ff28651b9b2d44beb8f1afb4ffbadfe9cdcc5f80d200be623b01cce66c45ca8f0e71f2751c881c31c48324060f938cfdebf101a

memory/1500-192-0x0000000000E30000-0x0000000000E31000-memory.dmp

memory/1500-194-0x00000000056A0000-0x00000000056A1000-memory.dmp

memory/1500-195-0x0000000005620000-0x0000000005621000-memory.dmp

memory/3832-196-0x0000000007980000-0x0000000007981000-memory.dmp

memory/1500-199-0x0000000005910000-0x0000000005911000-memory.dmp

memory/2736-200-0x0000000000980000-0x0000000000A10000-memory.dmp

memory/2736-201-0x0000000000400000-0x0000000000493000-memory.dmp

memory/3920-203-0x00000000071D0000-0x00000000071D1000-memory.dmp

memory/3920-204-0x00000000078D0000-0x00000000078D1000-memory.dmp

\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

memory/2352-230-0x000000000041C606-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\C60.exe

MD5 5fa1534cbc496093aa856dde4c536f3c
SHA1 5d9c144f207aa9680b01171bcc6163df35812ae3
SHA256 1547b2363fee87cc5751482fb001074b071fcf3d172181d78787dbb2ee75883f
SHA512 0ef9610d5376d6f3ef9a4a655ff28651b9b2d44beb8f1afb4ffbadfe9cdcc5f80d200be623b01cce66c45ca8f0e71f2751c881c31c48324060f938cfdebf101a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\C60.exe.log

MD5 41fbed686f5700fc29aaccf83e8ba7fd
SHA1 5271bc29538f11e42a3b600c8dc727186e912456
SHA256 df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437
SHA512 234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

memory/2352-241-0x0000000005270000-0x0000000005876000-memory.dmp

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll

MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll

MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll

MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll

MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

memory/3832-259-0x0000000006C53000-0x0000000006C54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FB76.exe

MD5 6f89f4c0727ee98f5056839c492fc13f
SHA1 bab3223bc4eda781998e4f7ce27f5e21aec6ab8b
SHA256 eb782588d33bbbda006f677802b59b89e6f0bf6615ebfb0957b2a01ff8f2503a
SHA512 8ea43bf8a12912e4f3424bec506ac7ef9cbb5dfc0bc183833c3e2ab4a667e624f174faac1599424e5e0ad185c8e17b1c8d8bb501b4f521dfb2f7f1fb2a14873d

memory/4980-262-0x000000000041C5E2-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FB76.exe

MD5 6f89f4c0727ee98f5056839c492fc13f
SHA1 bab3223bc4eda781998e4f7ce27f5e21aec6ab8b
SHA256 eb782588d33bbbda006f677802b59b89e6f0bf6615ebfb0957b2a01ff8f2503a
SHA512 8ea43bf8a12912e4f3424bec506ac7ef9cbb5dfc0bc183833c3e2ab4a667e624f174faac1599424e5e0ad185c8e17b1c8d8bb501b4f521dfb2f7f1fb2a14873d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FB76.exe.log

MD5 9e7845217df4a635ec4341c3d52ed685
SHA1 d65cb39d37392975b038ce503a585adadb805da5
SHA256 d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b
SHA512 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

memory/4980-272-0x0000000005070000-0x0000000005676000-memory.dmp

C:\Users\Admin\AppData\Roaming\wisbiwi

MD5 de94928c74b7e4f60a9a87c304b6fc0a
SHA1 30a9fbd7a2e091b3432559f386b90fd43e25a14b
SHA256 58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42
SHA512 eef781466990de6ab6248e8558718e86b20b96a5f11ebd2f6c5fb49585da5889be5284877be9e2762f2e99855b27d48ba8074e6856d4f9162a7c64294d4cfe81

C:\Users\Admin\AppData\Roaming\wisbiwi

MD5 de94928c74b7e4f60a9a87c304b6fc0a
SHA1 30a9fbd7a2e091b3432559f386b90fd43e25a14b
SHA256 58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42
SHA512 eef781466990de6ab6248e8558718e86b20b96a5f11ebd2f6c5fb49585da5889be5284877be9e2762f2e99855b27d48ba8074e6856d4f9162a7c64294d4cfe81

memory/4392-283-0x0000000000402DCE-mapping.dmp

C:\Users\Admin\AppData\Roaming\wisbiwi

MD5 de94928c74b7e4f60a9a87c304b6fc0a
SHA1 30a9fbd7a2e091b3432559f386b90fd43e25a14b
SHA256 58cef33ea47a3c3d646b127fbe3ce7bb9a8587297fe12c51cd7f9c429d220b42
SHA512 eef781466990de6ab6248e8558718e86b20b96a5f11ebd2f6c5fb49585da5889be5284877be9e2762f2e99855b27d48ba8074e6856d4f9162a7c64294d4cfe81

memory/2428-285-0x0000000000490000-0x00000000004A5000-memory.dmp