Analysis Overview
SHA256
d3141d6f1c8e9ffc38e1f50bfbb6a98b12cfb3928b385d08a3432a11a9eec78d
Threat Level: Known bad
The file NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Detects Healer, an antivirus disabler dropper
Healer
RedLine
Executes dropped EXE
Loads dropped DLL
Windows security modification
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-24 20:55
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-24 20:55
Reported
2023-10-24 20:58
Platform
win7-20231023-en
Max time kernel
178s
Max time network
201s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2740 set thread context of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 83.97.73.129:19068 | N/A | tcp |
| N/A | 83.97.73.129:19068 | N/A | tcp |
| N/A | 83.97.73.129:19068 | N/A | tcp |
| N/A | 83.97.73.129:19068 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe
| MD5 | 0e3d2239c4a25a7264ae44a831d81c3b |
| SHA1 | f7fc628a57c60b3bbbf436cc96385da4e1ad11b6 |
| SHA256 | 4ebd7f708933604017190e74268abd7323e95dac8626d1225e90924cb12ff140 |
| SHA512 | def73ad5cb247fb3ebd20b30c4d922482ffbcaa343e461a346fb796919c134eff1e8d38654f8e3cef55a84de1a63a4742abf635b382caa2d2f55e0bf512fd440 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe
| MD5 | fd8ac51dc1c2d8b7834a78e0db6ed6a8 |
| SHA1 | c8798848dc8fb611de0e9514ef2c7a8bdb5d976c |
| SHA256 | 5992c5b2b73ca34d4df5089c28ff838b011b8b85137a0185f5fb50de5894019d |
| SHA512 | bd88d89b6d922ae65b15020ee975e25972a5049db7a953bb11df4756facffbbe7137800ad23db76edc75aabdff46866f42262b39fa16968ac8d6b7d4a49351e0 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe
| MD5 | 3aaa25211c35dde49090c60afec1679a |
| SHA1 | a453fc2428636100ce1851a1af869285213b6cb3 |
| SHA256 | 3db7d44dded8a8fe3becfc44572cb11db47392724b2a6df9081a447d98836c70 |
| SHA512 | 951dd188bfe1005c3929bf9537490e919e35f62f9572ef3ca0fb246bd0041a867e4a6989474b598f4cc81f81cf6693d01386e6d58f650c882dfc1dec0b9ea141 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe
| MD5 | fca5dc284ff561346aed89cf22e65f3a |
| SHA1 | c4ed9b4b787262731387c3ea1fe607048e479c64 |
| SHA256 | 4a49ee1995b0a0d726b4ecefffddaebaa4e7fb8837a56e29deb0553d8fb09b73 |
| SHA512 | c651b37871bd9baa1c65e977f36d746a8adbb60dde2eec496f22c192e61b8db0ca1ec27be5cd8c29f4478d31d83509e583f3306f6f3edefcbd8af4c15b05acb0 |
\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe
| MD5 | 7d8dae05fe03c9a974fa360c6ed466bd |
| SHA1 | 2b99b1aefc805b891128e71d505397589db65046 |
| SHA256 | f5d850e8ca95e93bb5fae3cdca1131b44c598bb92b31601d0bfaf413a9e3cacc |
| SHA512 | 178cc29f1707c9a015b265b8bd56c656ea7226b6533f5e498d82753d4b0ae33f51b2f2e1a3929c0f47e5df672fe7288c42d33129723590521a9e174c3a871636 |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe
| MD5 | 6404d3c5153ae0e1d7e242fa31eda8d1 |
| SHA1 | 138b0d7ffc3361614529ca25fb0064e187b92e51 |
| SHA256 | 790daa4b0bdb251922811cad0b9022897b871e41850aa5ab6b6075bc4313bfe1 |
| SHA512 | 92ef5b1b32ddecf45234622a5184e7bfc4288c43ac03d22d50e517096a37da1808d5fc549e917e389abe0cac3cefd9fed01ef2d538b58d528d8e3212f681d316 |
memory/2876-67-0x00000000001D0000-0x0000000000200000-memory.dmp
memory/2876-68-0x0000000000260000-0x0000000000266000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-24 20:55
Reported
2023-10-24 20:58
Platform
win10v2004-20231020-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Detects Healer, an antivirus disabler dropper
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
RedLine
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1504 set thread context of 972 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7f5ff5ef22204eeef998ffa38001d0e0.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1504 -ip 1504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 152
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| N/A | 83.97.73.129:19068 | N/A | tcp |
| N/A | 83.97.73.129:19068 | N/A | tcp |
| US | 8.8.8.8:53 | 126.209.247.8.in-addr.arpa | udp |
| N/A | 83.97.73.129:19068 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| N/A | 83.97.73.129:19068 | N/A | tcp |
| N/A | 83.97.73.129:19068 | N/A | tcp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| N/A | 83.97.73.129:19068 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3252201.exe
| MD5 | 0e3d2239c4a25a7264ae44a831d81c3b |
| SHA1 | f7fc628a57c60b3bbbf436cc96385da4e1ad11b6 |
| SHA256 | 4ebd7f708933604017190e74268abd7323e95dac8626d1225e90924cb12ff140 |
| SHA512 | def73ad5cb247fb3ebd20b30c4d922482ffbcaa343e461a346fb796919c134eff1e8d38654f8e3cef55a84de1a63a4742abf635b382caa2d2f55e0bf512fd440 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4111907.exe
| MD5 | fd8ac51dc1c2d8b7834a78e0db6ed6a8 |
| SHA1 | c8798848dc8fb611de0e9514ef2c7a8bdb5d976c |
| SHA256 | 5992c5b2b73ca34d4df5089c28ff838b011b8b85137a0185f5fb50de5894019d |
| SHA512 | bd88d89b6d922ae65b15020ee975e25972a5049db7a953bb11df4756facffbbe7137800ad23db76edc75aabdff46866f42262b39fa16968ac8d6b7d4a49351e0 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1908384.exe
| MD5 | 3aaa25211c35dde49090c60afec1679a |
| SHA1 | a453fc2428636100ce1851a1af869285213b6cb3 |
| SHA256 | 3db7d44dded8a8fe3becfc44572cb11db47392724b2a6df9081a447d98836c70 |
| SHA512 | 951dd188bfe1005c3929bf9537490e919e35f62f9572ef3ca0fb246bd0041a867e4a6989474b598f4cc81f81cf6693d01386e6d58f650c882dfc1dec0b9ea141 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5098942.exe
| MD5 | fca5dc284ff561346aed89cf22e65f3a |
| SHA1 | c4ed9b4b787262731387c3ea1fe607048e479c64 |
| SHA256 | 4a49ee1995b0a0d726b4ecefffddaebaa4e7fb8837a56e29deb0553d8fb09b73 |
| SHA512 | c651b37871bd9baa1c65e977f36d746a8adbb60dde2eec496f22c192e61b8db0ca1ec27be5cd8c29f4478d31d83509e583f3306f6f3edefcbd8af4c15b05acb0 |
memory/1504-29-0x0000000000680000-0x0000000000780000-memory.dmp
memory/972-30-0x0000000000400000-0x000000000040A000-memory.dmp
memory/972-35-0x0000000074520000-0x0000000074CD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3958439.exe
| MD5 | 7d8dae05fe03c9a974fa360c6ed466bd |
| SHA1 | 2b99b1aefc805b891128e71d505397589db65046 |
| SHA256 | f5d850e8ca95e93bb5fae3cdca1131b44c598bb92b31601d0bfaf413a9e3cacc |
| SHA512 | 178cc29f1707c9a015b265b8bd56c656ea7226b6533f5e498d82753d4b0ae33f51b2f2e1a3929c0f47e5df672fe7288c42d33129723590521a9e174c3a871636 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9642186.exe
| MD5 | 6404d3c5153ae0e1d7e242fa31eda8d1 |
| SHA1 | 138b0d7ffc3361614529ca25fb0064e187b92e51 |
| SHA256 | 790daa4b0bdb251922811cad0b9022897b871e41850aa5ab6b6075bc4313bfe1 |
| SHA512 | 92ef5b1b32ddecf45234622a5184e7bfc4288c43ac03d22d50e517096a37da1808d5fc549e917e389abe0cac3cefd9fed01ef2d538b58d528d8e3212f681d316 |