Malware Analysis Report

2024-11-30 21:51

Sample ID 230205-qqxcrada4t
Target 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
Tags purecrypter downloader loader persistence aurora stealer
Score 10/10

Analysis Overview

Score 10/10
SHA256 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Threat Level: Known bad

The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.

Malicious Activity Summary

purecrypter downloader loader persistence aurora stealer

Aurora

Detect PureCrypter injector

PureCrypter

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-05 13:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-05 13:28

Reported

2023-02-05 13:31

Platform

win7-20220901-en

Max time kernel

67s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Detect PureCrypter injector

loader
Description Indicator Process Target
N/A N/A N/A N/A

PureCrypter

loader downloader purecrypter

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1104 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 940 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 940 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1488 wrote to memory of 1160 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 940 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 940 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 940 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 940 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 940 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 940 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 940 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 940 wrote to memory of 780 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 940 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 940 wrote to memory of 640 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-05 13:28

Reported

2023-02-05 13:31

Platform

win10v2004-20221111-en

Max time kernel

144s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Aurora

stealer aurora

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4308 set thread context of 3224 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4364 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 636 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 4308 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 4264 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
IE 20.190.159.75:443 tcp
US 67.27.153.126:80 tcp
NL 104.80.225.205:443 tcp
NL 8.238.24.126:80 tcp
NL 8.238.24.126:80 tcp
DE 45.9.74.11:8081 tcp

Files
