Malware Analysis Report

2024-11-30 23:15

Sample ID 230226-2c5yhsag27
Target 51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d
SHA256 51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d
Tags aurora persistence spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d

Threat Level: Known bad

The file 51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d was found to be: Known bad.

Malicious Activity Summary

aurora persistence spyware stealer

Aurora

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-02-26 22:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-02-26 22:27
Reported 2023-02-26 22:32
Platform win7-20230220-en
Max time kernel 154s
Max time network 171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe"

Signatures

Aurora

Tags stealer aurora

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe N/A

Reads user/profile data of web browsers

Tags spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags spyware

Adds Run key to start application

Tags persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 752 set thread context of 636 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 860 wrote to memory of 752 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
PID 752 wrote to memory of 1448 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 752 wrote to memory of 636 (12 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
PID 636 wrote to memory of 1068 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 636 wrote to memory of 672 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe C:\Windows\SysWOW64\cmd.exe
PID 672 wrote to memory of 1564 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 636 wrote to memory of 1576 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 1716 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe

"C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
NL 94.142.138.112:8081 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe

MD5 0f1c71b32b79c69580a2047de48151d5
SHA1 21f5a5060f0681de7d77ad8ef5cac16c61569c92
SHA256 e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98
SHA512 a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot

MD5 6a3c2fe239e67cd5804a699b9aa54b07
SHA1 018091f0c903173dec18cd10e0e00889f0717d67
SHA256 160b3bbb5a6845c2bc01355921c466e8b3ecc05de44888e5a4b27962898d7168
SHA512 aaf0f6171b6e4f6b143369a074357bac219e7efa56b6bee77988baa9264d76231b0c3df6922d2b2c95a1acf9901b81bcc76f783284fc5be02a789199d4dcbe37

Analysis: behavioral2

Detonation Overview

Submitted 2023-02-26 22:27
Reported 2023-02-26 22:32
Platform win10-20230220-en
Max time kernel 144s
Max time network 179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe"

Signatures

Aurora

Tags stealer aurora

Reads user/profile data of web browsers

Tags spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags spyware

Adds Run key to start application

Tags persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3436 set thread context of 4636 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 3436 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
PID 3436 wrote to memory of 1016 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3436 wrote to memory of 4636 (11 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
PID 4636 wrote to memory of 3536 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4636 wrote to memory of 3720 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe C:\Windows\SysWOW64\cmd.exe
PID 3720 wrote to memory of 988 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4636 wrote to memory of 4384 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe C:\Windows\SysWOW64\cmd.exe
PID 4384 wrote to memory of 4356 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe

"C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 52.168.117.169:443 N/A tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
NL 94.142.138.112:8081 N/A tcp
US 8.8.8.8:53 112.138.142.94.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe

MD5 0f1c71b32b79c69580a2047de48151d5
SHA1 21f5a5060f0681de7d77ad8ef5cac16c61569c92
SHA256 e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98
SHA512 a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4z1rtqz2.a0l.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 a3eb5f22bc8e7f4060e3ff18c4ac70b9
SHA1 8480869a34c9723063dba9cc8279cf4e7c2bc4cd
SHA256 0582ca04b28149ce2fd9732dff5e9894a60454eeb03166ddde677c9224c1f9f6
SHA512 3e88f72ace3e80a18f2986b43d90b9bf33e131ec77ce34c1462605784332e4676af5e8414ee75146bd14ef8a2e60a13ecf097c189206cd010f748e171903c5f0
