Malware Analysis Report

2024-11-13 13:54

Sample ID 231205-c4vt7ahb72
Target 7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0
SHA256 7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0
Tags
persistence spyware stealer ducktail
score
10/10

Analysis Overview

score
10/10

SHA256

7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0

Threat Level: Known bad

The file 7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0 was found to be: Known bad.

Malicious Activity Summary

persistence spyware stealer ducktail

Ducktail family

Detect Ducktail Third Stage Payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Analysis: static1

Detonation Overview

Reported

2023-12-05 02:38

Signatures

Detect Ducktail Third Stage Payload

Description Indicator Process Target
N/A N/A N/A N/A

Ducktail family

ducktail

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-05 02:38

Reported

2023-12-05 02:41

Platform

win7-20231023-en

Max time kernel

121s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2108 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2108 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2108 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe

"C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

memory/2108-0-0x0000000006750000-0x00000000070D9000-memory.dmp

memory/2108-3-0x0000000006750000-0x00000000070D9000-memory.dmp

memory/2108-4-0x0000000006240000-0x00000000062E7000-memory.dmp

memory/2108-5-0x0000000000CA0000-0x00000000014EF000-memory.dmp

memory/2108-8-0x0000000006240000-0x00000000062E7000-memory.dmp

memory/2108-9-0x00000000028F0000-0x000000000290D000-memory.dmp

memory/2108-12-0x00000000028F0000-0x000000000290D000-memory.dmp

memory/2108-13-0x0000000002960000-0x0000000002988000-memory.dmp

memory/2108-16-0x0000000002960000-0x0000000002988000-memory.dmp

memory/2108-17-0x0000000005DD0000-0x0000000005F5E000-memory.dmp

memory/2108-20-0x0000000005DD0000-0x0000000005F5E000-memory.dmp

memory/2108-21-0x0000000006130000-0x0000000006160000-memory.dmp

memory/2108-24-0x0000000006130000-0x0000000006160000-memory.dmp

memory/2108-25-0x0000000008E90000-0x00000000091E6000-memory.dmp

memory/2108-28-0x0000000008E90000-0x00000000091E6000-memory.dmp

memory/2108-29-0x0000000006670000-0x0000000006715000-memory.dmp

memory/2108-32-0x0000000006670000-0x0000000006715000-memory.dmp

memory/2108-33-0x00000000065C0000-0x00000000065D5000-memory.dmp

memory/2108-37-0x0000000008B30000-0x0000000008B84000-memory.dmp

memory/2108-36-0x00000000065C0000-0x00000000065D5000-memory.dmp

memory/2108-41-0x0000000008C40000-0x0000000008CD6000-memory.dmp

memory/2108-44-0x0000000008C40000-0x0000000008CD6000-memory.dmp

memory/2108-40-0x0000000008B30000-0x0000000008B84000-memory.dmp

memory/2108-45-0x00000000065F0000-0x000000000666A000-memory.dmp

memory/2108-48-0x00000000065F0000-0x000000000666A000-memory.dmp

memory/2108-52-0x0000000008BE0000-0x0000000008C1C000-memory.dmp

memory/2108-49-0x0000000008BE0000-0x0000000008C1C000-memory.dmp

memory/2108-53-0x0000000008BC0000-0x0000000008BD2000-memory.dmp

memory/2108-57-0x0000000008BB0000-0x0000000008BB6000-memory.dmp

memory/2108-60-0x0000000008BB0000-0x0000000008BB6000-memory.dmp

memory/2108-56-0x0000000008BC0000-0x0000000008BD2000-memory.dmp

memory/2108-64-0x0000000008BA0000-0x0000000008BAC000-memory.dmp

memory/2108-61-0x0000000008BA0000-0x0000000008BAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA768.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarA8E6.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/2584-213-0x00000000736E0000-0x0000000073C8B000-memory.dmp

memory/2584-214-0x00000000736E0000-0x0000000073C8B000-memory.dmp

memory/2584-215-0x0000000002760000-0x00000000027A0000-memory.dmp

memory/2584-216-0x0000000002760000-0x00000000027A0000-memory.dmp

memory/2584-217-0x00000000736E0000-0x0000000073C8B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 0d1f176aa0a035f9fdf0457d385ae650
SHA1 7ef250e57f83797ce02eaf012043712e9a4914a6
SHA256 f869e200917ed8fcd1e14977fc71ba456e0d87bd41ad4e9b768ded464daec92a
SHA512 888786463bdd666ccbaafd268a674508f31ef01ba32a21a7f1bd04bc362cfb93f98e2f3dd135549ffed0407e7854126068ceae8755d1b46c1cc62cd6ec74c61c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B5P4HJSYNHR5HSJLBNKS.temp

MD5 0d1f176aa0a035f9fdf0457d385ae650
SHA1 7ef250e57f83797ce02eaf012043712e9a4914a6
SHA256 f869e200917ed8fcd1e14977fc71ba456e0d87bd41ad4e9b768ded464daec92a
SHA512 888786463bdd666ccbaafd268a674508f31ef01ba32a21a7f1bd04bc362cfb93f98e2f3dd135549ffed0407e7854126068ceae8755d1b46c1cc62cd6ec74c61c

memory/2328-224-0x0000000073130000-0x00000000736DB000-memory.dmp

memory/2328-225-0x00000000026A0000-0x00000000026E0000-memory.dmp

memory/2328-226-0x0000000073130000-0x00000000736DB000-memory.dmp

memory/2328-227-0x0000000073130000-0x00000000736DB000-memory.dmp

memory/2108-273-0x0000000000CA0000-0x00000000014EF000-memory.dmp

\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 c0412e74f4fc21d63271ca8bd5f6a774
SHA1 728cce759c0aaf0ebca673ad43352eecbbc1fe78
SHA256 b4ed512664a81b396582759c9cc2e0bdceaa73584c1aa86bbbd12e1f4b6cec11
SHA512 8a85f40e3124b5404ca5537702b5a5e2caad9e2cd50522a998136298f6342d2fe7fd2b1b96a5199bb21e9cafa53a441e4b9eb10703cf7834b2faf1ba15349f1d

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 c0412e74f4fc21d63271ca8bd5f6a774
SHA1 728cce759c0aaf0ebca673ad43352eecbbc1fe78
SHA256 b4ed512664a81b396582759c9cc2e0bdceaa73584c1aa86bbbd12e1f4b6cec11
SHA512 8a85f40e3124b5404ca5537702b5a5e2caad9e2cd50522a998136298f6342d2fe7fd2b1b96a5199bb21e9cafa53a441e4b9eb10703cf7834b2faf1ba15349f1d

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 c0412e74f4fc21d63271ca8bd5f6a774
SHA1 728cce759c0aaf0ebca673ad43352eecbbc1fe78
SHA256 b4ed512664a81b396582759c9cc2e0bdceaa73584c1aa86bbbd12e1f4b6cec11
SHA512 8a85f40e3124b5404ca5537702b5a5e2caad9e2cd50522a998136298f6342d2fe7fd2b1b96a5199bb21e9cafa53a441e4b9eb10703cf7834b2faf1ba15349f1d

memory/340-291-0x0000000001200000-0x0000000001A43000-memory.dmp

memory/2108-292-0x0000000000CA0000-0x00000000014EF000-memory.dmp

memory/340-293-0x0000000001200000-0x0000000001A43000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-05 02:38

Reported

2023-12-05 02:41

Platform

win10v2004-20231127-en

Max time kernel

82s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3508 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 3508 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 3508 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe

"C:\Users\Admin\AppData\Local\Temp\7fe5c47a1acaa5faa781ddc065e1c8b0d5e9a0bb2a508445b78a62debcbf02f0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "msedge"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 107.175.53.84.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 138.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/3508-0-0x0000000006BD0000-0x0000000007559000-memory.dmp

memory/3508-3-0x0000000006BD0000-0x0000000007559000-memory.dmp

memory/3508-4-0x00000000001C0000-0x0000000000A0F000-memory.dmp

memory/3508-5-0x00000000065A0000-0x0000000006647000-memory.dmp

memory/3508-9-0x00000000066E0000-0x00000000066FD000-memory.dmp

memory/3508-12-0x00000000066E0000-0x00000000066FD000-memory.dmp

memory/3508-8-0x00000000065A0000-0x0000000006647000-memory.dmp

memory/3508-13-0x0000000006730000-0x0000000006758000-memory.dmp

memory/3508-16-0x0000000006730000-0x0000000006758000-memory.dmp

memory/3508-17-0x000000000AB60000-0x000000000ACEE000-memory.dmp

memory/3508-20-0x000000000AB60000-0x000000000ACEE000-memory.dmp

memory/3508-21-0x0000000006B70000-0x0000000006BA0000-memory.dmp

memory/3508-24-0x0000000006B70000-0x0000000006BA0000-memory.dmp

memory/3508-25-0x000000000B050000-0x000000000B3A6000-memory.dmp

memory/3508-28-0x000000000B050000-0x000000000B3A6000-memory.dmp

memory/3508-29-0x000000000ACF0000-0x000000000AD95000-memory.dmp

memory/3508-32-0x000000000ACF0000-0x000000000AD95000-memory.dmp

memory/3508-33-0x000000000AA80000-0x000000000AA95000-memory.dmp

memory/3508-36-0x000000000AA80000-0x000000000AA95000-memory.dmp

memory/3508-37-0x000000000AB00000-0x000000000AB54000-memory.dmp

memory/3508-40-0x000000000AB00000-0x000000000AB54000-memory.dmp

memory/3508-41-0x000000000AE50000-0x000000000AEE6000-memory.dmp

memory/3508-44-0x000000000AE50000-0x000000000AEE6000-memory.dmp

memory/3508-45-0x000000000AEF0000-0x000000000AF6A000-memory.dmp

memory/3508-48-0x000000000AEF0000-0x000000000AF6A000-memory.dmp

memory/3508-49-0x000000000ADA0000-0x000000000ADDC000-memory.dmp

memory/3508-52-0x000000000ADA0000-0x000000000ADDC000-memory.dmp

memory/3508-53-0x000000000AAE0000-0x000000000AAF2000-memory.dmp

memory/3508-56-0x000000000AAE0000-0x000000000AAF2000-memory.dmp

memory/3508-57-0x000000000AE40000-0x000000000AE46000-memory.dmp

memory/3508-60-0x000000000AE40000-0x000000000AE46000-memory.dmp

memory/3508-61-0x000000000B030000-0x000000000B03C000-memory.dmp

memory/3508-64-0x000000000B030000-0x000000000B03C000-memory.dmp

memory/1320-132-0x0000000002250000-0x0000000002286000-memory.dmp

memory/1320-131-0x0000000074070000-0x0000000074820000-memory.dmp

memory/1320-133-0x0000000004860000-0x0000000004870000-memory.dmp

memory/1320-134-0x0000000004EA0000-0x00000000054C8000-memory.dmp

memory/1320-135-0x0000000004BB0000-0x0000000004BD2000-memory.dmp

memory/1320-136-0x00000000054D0000-0x0000000005536000-memory.dmp

memory/1320-142-0x0000000005540000-0x00000000055A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l2dxntef.gzh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1320-147-0x00000000055B0000-0x0000000005904000-memory.dmp

memory/1320-148-0x0000000005B70000-0x0000000005B8E000-memory.dmp

memory/1320-149-0x0000000005C20000-0x0000000005C6C000-memory.dmp

memory/1320-150-0x0000000004860000-0x0000000004870000-memory.dmp

memory/1320-151-0x00000000060F0000-0x0000000006186000-memory.dmp

memory/1320-152-0x0000000006070000-0x000000000608A000-memory.dmp

memory/1320-153-0x00000000060C0000-0x00000000060E2000-memory.dmp

memory/1320-154-0x0000000007120000-0x00000000076C4000-memory.dmp

memory/1320-157-0x0000000074070000-0x0000000074820000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

memory/4832-168-0x0000000074070000-0x0000000074820000-memory.dmp

memory/4832-169-0x00000000029B0000-0x00000000029C0000-memory.dmp

memory/4832-170-0x00000000029B0000-0x00000000029C0000-memory.dmp

memory/4832-171-0x0000000005C40000-0x0000000005F94000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6e38b67e2fbf2ab4ea2cfbd867425eb7
SHA1 d1a5d18c4f4385c7ae049b7ef2f27bfea1f6356d
SHA256 6f1a74f65c5b427c801966e43a2d00741da4e2cbf7ec560e52e7d77dc9ca7c99
SHA512 b3d48f60a12690da893ab125ac943e4bd1fbdfa1c230b776b87a864233a00fe361f601319f3ef938d2d2e8a3897a89c369c878575e5385aeb9060fb523e28b8e

memory/4832-182-0x00000000029B0000-0x00000000029C0000-memory.dmp

memory/4832-184-0x0000000074070000-0x0000000074820000-memory.dmp

memory/3816-186-0x0000000074070000-0x0000000074820000-memory.dmp

memory/3816-187-0x0000000002850000-0x0000000002860000-memory.dmp

memory/3816-188-0x0000000002850000-0x0000000002860000-memory.dmp

memory/3816-198-0x0000000005D00000-0x0000000006054000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 216be0925e07e7149b050d4c29653c05
SHA1 60853e7f622fa3dba88134cd0097bb6531025663
SHA256 5b02d0f94d82279860046da009eee63220432a846a0d4d6ae39e4abdec61f9e2
SHA512 1aa6418d130ce19fbd074a16742a8dd9cf48d76650f1adf3c6f14daed599e4068efe9c6b1144f493ef7da709bc4d75eca884f40cceecb1093bb7f450fe20a4be

memory/3816-200-0x0000000002850000-0x0000000002860000-memory.dmp

memory/3816-202-0x0000000074070000-0x0000000074820000-memory.dmp

memory/3508-243-0x00000000001C0000-0x0000000000A0F000-memory.dmp

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 c0412e74f4fc21d63271ca8bd5f6a774
SHA1 728cce759c0aaf0ebca673ad43352eecbbc1fe78
SHA256 b4ed512664a81b396582759c9cc2e0bdceaa73584c1aa86bbbd12e1f4b6cec11
SHA512 8a85f40e3124b5404ca5537702b5a5e2caad9e2cd50522a998136298f6342d2fe7fd2b1b96a5199bb21e9cafa53a441e4b9eb10703cf7834b2faf1ba15349f1d

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 c0412e74f4fc21d63271ca8bd5f6a774
SHA1 728cce759c0aaf0ebca673ad43352eecbbc1fe78
SHA256 b4ed512664a81b396582759c9cc2e0bdceaa73584c1aa86bbbd12e1f4b6cec11
SHA512 8a85f40e3124b5404ca5537702b5a5e2caad9e2cd50522a998136298f6342d2fe7fd2b1b96a5199bb21e9cafa53a441e4b9eb10703cf7834b2faf1ba15349f1d

memory/3508-279-0x00000000001C0000-0x0000000000A0F000-memory.dmp

memory/3276-280-0x0000000000DB0000-0x00000000015F3000-memory.dmp

memory/3276-281-0x0000000000DB0000-0x00000000015F3000-memory.dmp