Malware Analysis Report

2025-03-15 03:51

Sample ID 230904-2ln2cscb57
Target 5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623
SHA256 5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623
Tags
fatalrat evasion infostealer rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623

Threat Level: Known bad

The file 5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623 was found to be: Known bad.

Malicious Activity Summary

fatalrat evasion infostealer rat

FatalRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Fatal Rat payload

Loads dropped DLL

Identifies Wine through registry keys

Executes dropped EXE

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-09-04 22:40

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2023-09-04 22:40
Reported: 2023-09-04 22:42
Platform: win7-20230831-en
Max time kernel: 144s
Max time network: 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Wine C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1456 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1456 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe
PID 1692 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1692 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1692 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1692 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe

"C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -

C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe

"C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -

Network

Country Destination Domain Proto
US 193.218.201.159:8082 193.218.201.159 tcp
US 154.64.6.11:8048 tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 f1e26b09b4156552a6dc7ebc80df5fc3
SHA1 0da7fadbe955d5cf362f9d3e5984cacc9547b556
SHA256 29029ea75d4f1eed736725adaa25cc8906693d0d58c2afa4541ab11d217066fd
SHA512 226657b349bb269e3f334b762785f96383d37c64d02f9d3d029ff85da867caddf9743a20f638356d388819881d1795c9168496ab6af8dfab7c466ea0cf717547

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JRI9H2I4OA4ZA6AU30ZH.temp

MD5 f1e26b09b4156552a6dc7ebc80df5fc3
SHA1 0da7fadbe955d5cf362f9d3e5984cacc9547b556
SHA256 29029ea75d4f1eed736725adaa25cc8906693d0d58c2afa4541ab11d217066fd
SHA512 226657b349bb269e3f334b762785f96383d37c64d02f9d3d029ff85da867caddf9743a20f638356d388819881d1795c9168496ab6af8dfab7c466ea0cf717547

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe

MD5 1a173f8fb5505e4b41a4dac9f3cb638a
SHA1 965f6d7d70e00b1f8050b3f3e1b59c5e2a437558
SHA256 5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623
SHA512 aaff59cd2e3c0c5af75a59836b9a94fa6b9a6eaee2a04b36a4825b393d4eafed12c0dfd9639978d80e6a59b3d557560f39e2bdacc60dbf0a7df4885cc3052ea5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 aa4904368ffa5744a24642e0b064c2e3
SHA1 89cf1b8d49a5897ea18a1d2ee71d49418c9c142b
SHA256 b00190b43f1ef49648f0f92e6572465400e95ec7fc9c4def309dacbe04c79b55
SHA512 b76284244fcfec7c28bda119bf687e27240d5766d32bb9980c513b57cc787b9f2b95b99dcb9dff21d03b13f678bbab72f337b6f230d1a830e5a89d8d99e220c0

C:\Users\Default\Desktop\athletes.exe

MD5 1a173f8fb5505e4b41a4dac9f3cb638a
SHA1 965f6d7d70e00b1f8050b3f3e1b59c5e2a437558
SHA256 5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623
SHA512 aaff59cd2e3c0c5af75a59836b9a94fa6b9a6eaee2a04b36a4825b393d4eafed12c0dfd9639978d80e6a59b3d557560f39e2bdacc60dbf0a7df4885cc3052ea5

Analysis: behavioral2

Detonation Overview

Submitted: 2023-09-04 22:40
Reported: 2023-09-04 22:42
Platform: win10v2004-20230831-en
Max time kernel: 144s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Wine C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3628 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3628 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3628 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3628 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3628 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe
PID 3392 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3392 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3392 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3392 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe

"C:\Users\Admin\AppData\Local\Temp\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -

C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe

"C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command -

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 193.218.201.159:8082 193.218.201.159 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 159.201.218.193.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 154.64.6.11:8048 tcp
US 8.8.8.8:53 11.6.64.154.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bsc1q2yz.pcg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623.exe

MD5 1a173f8fb5505e4b41a4dac9f3cb638a
SHA1 965f6d7d70e00b1f8050b3f3e1b59c5e2a437558
SHA256 5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623
SHA512 aaff59cd2e3c0c5af75a59836b9a94fa6b9a6eaee2a04b36a4825b393d4eafed12c0dfd9639978d80e6a59b3d557560f39e2bdacc60dbf0a7df4885cc3052ea5

C:\Users\Default\Desktop\athletes.exe

MD5 1a173f8fb5505e4b41a4dac9f3cb638a
SHA1 965f6d7d70e00b1f8050b3f3e1b59c5e2a437558
SHA256 5c96016a468b97f80583b04b4d72d5f73576f7bbb9227c24612019377b8b0623
SHA512 aaff59cd2e3c0c5af75a59836b9a94fa6b9a6eaee2a04b36a4825b393d4eafed12c0dfd9639978d80e6a59b3d557560f39e2bdacc60dbf0a7df4885cc3052ea5
