Malware Analysis Report

2025-01-18 19:55

Sample ID 220124-bha28ahcd9
Target c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390
SHA256 c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390
Tags
41 1305 sodinokibi
Score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score
10/10

SHA256

c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390

Threat Level: Known bad

The file c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390 was found to be: Known bad.

Malicious Activity Summary

41 1305 sodinokibi

Sodinokibi family

Sodinokibi/Revil sample

Enumerates connected drives

Drops file in Windows directory

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-24 01:08

Signatures

Sodinokibi family

sodinokibi

Sodinokibi/Revil sample

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-24 01:08

Reported

2022-01-24 01:25

Platform

win7-en-20211208

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24_newdev.dll_7eb7622f C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f6a00d30a34ae11a_sdbinst.exe.mui_258ad624 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4bf9d57947dd35b9_gpapi.dll.mui_ef0a9748 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2b105891e24eb61_profsvc.dll.mui_32482e9e C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasrtutils_31bf3856ad364e35_6.1.7601.17514_none_6b3b9980011a19de_rtutils.dll_243724ab C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-crypt32-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_250c5db92cbbfe4b_crypt32.dll.mui_4268f86a C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-cn_4c840294b551dbf9_comdlg32.dll.mui_ac8e62f4 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-dui70.resources_31bf3856ad364e35_6.1.7600.16385_en-us_619e13eec4db6369_dui70.dll.mui_de5f27e2 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-m..ditevtlog.resources_31bf3856ad364e35_6.1.7600.16385_es-es_59a756fabb56ede3.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_cs-cz_97769b281ba398b8_bootmgr.efi.mui_be5d0075 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1cf4ea268abe27fe_gpsvc.dll.mui_0c160ac2 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..pp-client.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ec4e337f0ce0896b_slc.dll.mui_dc24f809 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-webio.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_8c6fe68c0c8fba1a_webio.dll.mui_e805c4b7 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_en-us_30bc7fe1e159c5d3.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_856144d7e24caf0a.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_961efb4172b82af7_scarddlg.dll.mui_300ae9df C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-oem_31bf3856ad364e35_6.1.7600.16385_none_59590e92c817a4e0_s8514oem.fon_304f98b5 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-936_31bf3856ad364e35_6.1.7600.16385_none_2acfd536b4ed2a23.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_65c533f1c582e47c_perfi.dat_e3a35ecf C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasserver_31bf3856ad364e35_6.1.7601.17514_none_09cf3ec67e6c6b50_rasservermigplugin-dl.man_babd2d8e C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9c7424fcfaec8d6b.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_tr-tr_d752a669f3ec89fa_msimsg.dll.mui_72e8994f C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-u..erservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f09dccd4f32812c2.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..tional-codepage-775_31bf3856ad364e35_6.1.7600.16385_none_2ae98cfeb4d93dfc.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-m..ents-mdac.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c8a8ee4f97b7f12.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_6.1.7601.17514_es-es_b79b28ecefa21fda.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7601.17514_es-es_32b8f08dde6f3b12_ncprov.dll.mui_40240de1 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_82dac7a36bd74688.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-truetype-raavi_31bf3856ad364e35_6.1.7600.16385_none_a2d43ed8e3097243.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-w..-encoding.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c49975d6cf9550ff.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_10d22dcfce04430a.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_34a24d8db984d377_appidsvc.dll.mui_6717e231 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_lv-lv_359174e350f0ded0_comctl32.dll.mui_0da4e682 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_e5c0334cfcbb6f1f.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_6.1.7600.16385_none_db04d3f548508fd9_h8514fix.fon_9a1c84fa C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303_ega80737.fon_604f84b5 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-font-fms_31bf3856ad364e35_6.1.7601.17514_none_a5f8bb0ccaefbe07.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-newdev.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cf00a033363ace4b.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6170816be6863ccb_keyiso.dll.mui_4bbf12ff C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_hr-hr_6ed8265c4c3dbb0a.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-d2d_31bf3856ad364e35_7.1.7601.16492_none_f6dafd66fdb9c254.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.1.7600.16385_pt-pt_21d625cff367fd81.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-d..lient-dll.resources_31bf3856ad364e35_6.1.7601.17514_en-us_57ee6a4218527f7e_dhcpcore6.dll.mui_27872349 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_tr-tr_14424567ab0c4d42_mlang.dll.mui_2904864a C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-p..ndprintui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d2945884bb037beb.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_bg-bg_5abc71b3b20b3a94.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-commonlog.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6e1909b6145934ca.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8dd8c4f40dc38dd9_wer.dll.mui_e68ddae7 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\wow64_microsoft-windows-kernelbase.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_80e9298bf792ff3e.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-wintrust-dll_31bf3856ad364e35_6.1.7601.17514_none_f1b5a3b0f852fe0e_wintrust.dll_abec426a C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-x..nrollment.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d84bdc3098a2df3d_certenrollctrl.exe.mui_3b48c5a6 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_6.1.7601.17514_none_227e1c01642654f4_werdiagcontroller.dll_208f2db3 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_6.1.7600.16385_de-de_299cd5b40ed6d155_winresume.exe.mui_ff8b5358 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-d..owmanager.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_34be759892c77101_dwmcore.dll.mui_ebf60d96 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-duser.resources_31bf3856ad364e35_6.1.7600.16385_de-de_283494514da2fa34_duser.dll.mui_3c369ac4 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-lddmcore_31bf3856ad364e35_6.1.7601.17514_none_09ee9e0dfa2c4fbd_dxgmms1.sys_9c98a5d4 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-session0viewer_31bf3856ad364e35_6.1.7600.16385_none_3ddbd9a9605f0519_ui0detect.exe_639495e3 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\x86_microsoft-windows-mfc42x.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_64fae1eae3516fc5_mfc42.dll.mui_66106d85 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-commonlog_31bf3856ad364e35_6.1.7600.16385_none_da778c54413d0c9c.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..ruetype-new_tai_lue_31bf3856ad364e35_6.1.7600.16385_none_325f57c8c0ee36a8_ntailu.ttf_c1891505 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17514_none_04709031736ac277_lsasrv.dll_56db747f C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-rasbase_31bf3856ad364e35_6.1.7601.17514_none_6c066d50910ecf5a_netrass.inf_8745cd37 C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-s..resources.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f9fce189b9d4bb7e.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_zh-tw_ac9edb6e6b20299f.manifest C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 105ffbe4c010d801 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe

"C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==

(the -e argument is a base64-encoded UTF-16LE command; decoded it reads: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} )

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/1540-54-0x0000000075891000-0x0000000075893000-memory.dmp

memory/1540-55-0x0000000000D60000-0x0000000000E29000-memory.dmp

memory/1540-57-0x0000000002300000-0x000000000242D000-memory.dmp

memory/1540-58-0x0000000000350000-0x000000000036F000-memory.dmp

memory/1540-60-0x00000000000E0000-0x00000000000EA000-memory.dmp

memory/1540-61-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/1540-62-0x0000000000100000-0x0000000000101000-memory.dmp

memory/1540-63-0x0000000000150000-0x0000000000151000-memory.dmp

memory/1540-64-0x0000000000160000-0x0000000000166000-memory.dmp

memory/1540-59-0x0000000002610000-0x0000000002719000-memory.dmp

memory/860-65-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

memory/860-67-0x0000000002630000-0x0000000002632000-memory.dmp

memory/860-68-0x0000000002632000-0x0000000002634000-memory.dmp

memory/860-69-0x0000000002634000-0x0000000002637000-memory.dmp

memory/860-66-0x000007FEF3460000-0x000007FEF3FBD000-memory.dmp

memory/860-70-0x000000001B790000-0x000000001BA8F000-memory.dmp

memory/860-71-0x000000000263B000-0x000000000265A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-24 01:08

Reported

2022-01-24 01:25

Platform

win10-en-20211208

Max time kernel

119s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe

"C:\Users\Admin\AppData\Local\Temp\c3669070ec6f303b54314f9301e1294f86afbe22e379773397100d85fc9a4390.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Files

memory/2608-118-0x0000000000710000-0x000000000085A000-memory.dmp

memory/2608-119-0x0000000000710000-0x000000000085A000-memory.dmp

memory/2608-120-0x0000000000710000-0x000000000085A000-memory.dmp

memory/2608-121-0x0000000000A50000-0x0000000000A51000-memory.dmp

memory/2608-122-0x0000000000A60000-0x0000000000A66000-memory.dmp

memory/1328-127-0x00000235B7B60000-0x00000235B7B82000-memory.dmp

memory/1328-131-0x00000235B8660000-0x00000235B86D6000-memory.dmp

memory/1328-143-0x000002359F9A0000-0x00000235B7B60000-memory.dmp

memory/1328-144-0x000002359F9A0000-0x00000235B7B60000-memory.dmp