Malware Analysis Report

2025-08-05 09:55

Sample ID 231207-wlvw1sfe6z
Target 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe
SHA256 142aacbf783038ea4b2a7f2d9433b1309b413330e702b8a90e300eea1bbed4c8
Tags
dcrat djvu privateloader risepro smokeloader zgrat up3 backdoor discovery evasion infostealer loader persistence ransomware rat spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

142aacbf783038ea4b2a7f2d9433b1309b413330e702b8a90e300eea1bbed4c8

Threat Level: Known bad

The file 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe was found to be: Known bad.

Malicious Activity Summary

Djvu Ransomware

RisePro

Detect ZGRat V1

Detected Djvu ransomware

DcRat

ZGRat

SmokeLoader

PrivateLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks BIOS information in registry

Drops startup file

Themida packer

Modifies file permissions

Deletes itself

Checks whether UAC is enabled

Looks up external IP address via web service

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-07 18:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-07 18:01

Reported

2023-12-07 18:03

Platform

win7-20231201-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f5a2415f-68be-463a-9279-19b58785f5a1\\8920.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\8920.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows)

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (12 identical rows)

Djvu Ransomware

ransomware djvu

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6D17.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6D17.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\6D17.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f5a2415f-68be-463a-9279-19b58785f5a1\\8920.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\8920.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\DB37.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DI2PB38.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou8Kb12.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lt8AE30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\6D17.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A (3 identical rows)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6D17.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob not reproduced) C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob not reproduced) C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe N/A
N/A N/A N/A N/A (62 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\937D.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6D17.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe (7 identical rows)
PID 1200 wrote to memory of 2760 N/A N/A C:\Windows\system32\cmd.exe (3 identical rows)
PID 2760 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (3 identical rows)
PID 1200 wrote to memory of 2572 N/A N/A C:\Windows\system32\cmd.exe (3 identical rows)
PID 2572 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (3 identical rows)
PID 1200 wrote to memory of 2800 N/A N/A C:\Users\Admin\AppData\Local\Temp\6D17.exe (4 identical rows)
PID 1200 wrote to memory of 1864 N/A N/A C:\Users\Admin\AppData\Local\Temp\8920.exe (4 identical rows)
PID 1864 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\8920.exe C:\Users\Admin\AppData\Local\Temp\8920.exe (11 identical rows)
PID 2892 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\8920.exe C:\Windows\SysWOW64\icacls.exe (4 identical rows)
PID 2892 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\8920.exe C:\Users\Admin\AppData\Local\Temp\8920.exe (4 identical rows)
PID 2616 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\8920.exe C:\Users\Admin\AppData\Local\Temp\8920.exe (11 identical rows)
PID 1200 wrote to memory of 2956 N/A N/A C:\Users\Admin\AppData\Local\Temp\937D.exe (3 identical rows)
PID 2956 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\937D.exe C:\Users\Admin\AppData\Local\Temp\937D.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe

"C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe"

C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe

"C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\61A0.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\6421.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\6D17.exe

C:\Users\Admin\AppData\Local\Temp\6D17.exe

C:\Users\Admin\AppData\Local\Temp\8920.exe

C:\Users\Admin\AppData\Local\Temp\8920.exe

C:\Users\Admin\AppData\Local\Temp\8920.exe

C:\Users\Admin\AppData\Local\Temp\8920.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f5a2415f-68be-463a-9279-19b58785f5a1" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\8920.exe

"C:\Users\Admin\AppData\Local\Temp\8920.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\8920.exe

"C:\Users\Admin\AppData\Local\Temp\8920.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\937D.exe

C:\Users\Admin\AppData\Local\Temp\937D.exe

C:\Users\Admin\AppData\Local\Temp\937D.exe

C:\Users\Admin\AppData\Local\Temp\937D.exe

C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe

"C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe"

C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe

"C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe"

C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build3.exe

"C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build3.exe"

C:\Users\Admin\AppData\Local\Temp\DB37.exe

C:\Users\Admin\AppData\Local\Temp\DB37.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou8Kb12.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou8Kb12.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DI2PB38.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DI2PB38.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lt8AE30.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lt8AE30.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1436
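The icacls deny ACE on the GUID-named AppData\Local directory, the "--Admin IsNotAutoStart IsNotTask" and "--AutoStart" switches, the SysHelper Run value, the two scheduled tasks that run a ProgramData binary with /rl HIGHEST, the HKCU\Software\clicker\key marker and the VirtualBox ACPI lookup recorded in the Signatures tables and the Processes list above are specific enough to turn into detection rules. The Python below is an added example, not part of the sandbox report or of any vendor tooling: it matches those indicators against a small event list transcribed from this report and makes a family call. The rule names, the regular expressions and the two-rule threshold are this example's assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str     # "cmdline", "regset" (value written) or "regopen" (key opened)
    process: str  # image path of the acting process
    value: str    # command line, "key = data" string, or key path


# Constructed sample input: events transcribed from the report's Signatures and
# Processes sections for this detonation (not a live log).
EVENTS = [
    Event("cmdline", r"C:\Windows\SysWOW64\icacls.exe",
          r'icacls "C:\Users\Admin\AppData\Local\f5a2415f-68be-463a-9279-19b58785f5a1" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    Event("cmdline", r"C:\Users\Admin\AppData\Local\Temp\8920.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\8920.exe" --Admin IsNotAutoStart IsNotTask'),
    Event("regset", r"C:\Users\Admin\AppData\Local\Temp\8920.exe",
          r'\REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f5a2415f-68be-463a-9279-19b58785f5a1\\8920.exe\" --AutoStart"'),
    Event("cmdline", r"C:\Windows\SysWOW64\schtasks.exe",
          r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST'),
    Event("cmdline", r"C:\Windows\SysWOW64\schtasks.exe",
          r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST'),
    Event("cmdline", r"C:\Windows\system32\reg.exe",
          r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1'),
    Event("regopen", r"C:\Users\Admin\AppData\Local\Temp\6D17.exe",
          r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    Event("cmdline", r"C:\Windows\SysWOW64\WerFault.exe",
          r"C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1436"),  # crash handler, benign noise
]

# Rule names and patterns are this example's own, written from the indicators above.
RULES = {
    # Djvu denies Everyone (S-1-1-0) delete rights on the GUID-named directory it copied itself into
    "djvu_icacls_self_protect": ("cmdline", re.compile(
        r'icacls\s+"[^"]*\\AppData\\Local\\[0-9a-f-]{36}"\s+/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)', re.I)),
    # Djvu re-launches itself with these switches after the copy step
    "djvu_admin_switches": ("cmdline", re.compile(r"--Admin\s+IsNotAutoStart\s+IsNotTask", re.I)),
    # Djvu persistence: HKCU Run value "SysHelper" pointing at the copy with --AutoStart
    "djvu_syshelper_runkey": ("regset", re.compile(
        r'\\CurrentVersion\\Run\\SysHelper\s*=\s*".*--AutoStart"', re.I)),
    # Scheduled task that runs a ProgramData binary with the highest run level
    "schtasks_programdata_highest": ("cmdline", re.compile(
        r'schtasks\s+/create\b.*?/tr\s+"C:\\ProgramData\\.*?/rl\s+HIGHEST', re.I)),
    # Marker key written by the dropped .bat files
    "clicker_marker_key": ("cmdline", re.compile(
        r'reg\s+add\s+"HKEY_CURRENT_USER\\Software\\clicker\\key"', re.I)),
    # VirtualBox ACPI table lookup (anti-VM)
    "anti_vm_vbox_acpi": ("regopen", re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I)),
}


def triage(events):
    """Map each rule that fired to the acting processes, in event order."""
    hits = {}
    for ev in events:
        for name, (kind, pattern) in RULES.items():
            if ev.kind == kind and pattern.search(ev.value):
                hits.setdefault(name, []).append(ev.process)
    return hits


def verdict(hits):
    """Family call for this example: two independent Djvu rules are required so
    that a lone icacls or Run-key hit from unrelated software does not convict."""
    djvu_rules = [name for name in hits if name.startswith("djvu_")]
    if len(djvu_rules) >= 2:
        return "djvu"
    return "suspicious" if hits else "clean"


if __name__ == "__main__":
    found = triage(EVENTS)
    for name, procs in found.items():
        print(f"{name}: {len(procs)} hit(s) from {sorted(set(procs))}")
    print("verdict:", verdict(found))
```

The deny ACE is the part to remember during response: it denies delete rights to Everyone, which includes administrators, so the GUID-named directory has to have that ACE removed (icacls with /remove:d *S-1-1-0 from an elevated prompt) before the copy can be deleted, and the SysHelper Run value and the two OfficeTrackerNMP131 tasks have to go in the same pass or the sample is simply restarted at the next logon or hour.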

Network

Identical rows collapsed; Hits is the number of times the row appeared in the capture, in first-seen order; "-" marks an empty Domain column.

Country Destination Domain Proto Hits
US 8.8.8.8:53 host-file-host6.com udp 1
US 8.8.8.8:53 host-host-file8.com udp 1
RU 85.143.222.45:80 host-host-file8.com tcp 29
US 8.8.8.8:53 edarululoom.com udp 1
US 172.67.167.33:443 edarululoom.com tcp 1
US 8.8.8.8:53 brusuax.com udp 1
KR 211.119.84.112:80 brusuax.com tcp 2
HK 38.47.221.193:34368 - tcp 1
US 8.8.8.8:53 api.2ip.ua udp 1
US 104.21.65.24:443 api.2ip.ua tcp 2
US 185.196.8.238:80 185.196.8.238 tcp 1
US 8.8.8.8:53 zexeq.com udp 1
BA 185.12.79.25:80 zexeq.com tcp 2
RU 109.107.182.45:80 109.107.182.45 tcp 1
US 8.8.8.8:53 genesiscarat.com udp 1
RU 92.118.112.94:443 genesiscarat.com tcp 2
US 8.8.8.8:53 t.me udp 1
NL 149.154.167.99:443 t.me tcp 4
US 8.8.8.8:53 steamcommunity.com udp 1
GB 104.103.202.103:443 steamcommunity.com tcp 1
FI 95.217.240.71:443 95.217.240.71 tcp 4
US 193.233.132.51:50500 - tcp 1
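Twenty-nine connections to 85.143.222.45:80 inside a 138-second network window, two connections to the external-IP service api.2ip.ua, two destinations on non-standard ports (34368, 50500) with no domain recorded, and TLS to t.me and steamcommunity.com are what an analyst would pull out of the table above first. The Python below is an added example, not part of the report: it collapses rows transcribed from the table into per-destination counts and applies those heuristics. The thresholds, the port list and the treatment of t.me and steamcommunity.com as possible dead-drop resolvers are this example's assumptions, not findings of the report.

```python
from collections import Counter

# Constructed sample input: (country, destination, domain, proto) rows transcribed
# from the Network table above; "" marks a row whose Domain column was empty.
ROWS = (
    [("US", "8.8.8.8:53", "host-file-host6.com", "udp"),
     ("US", "8.8.8.8:53", "host-host-file8.com", "udp")]
    + [("RU", "85.143.222.45:80", "host-host-file8.com", "tcp")] * 29
    + [("US", "8.8.8.8:53", "api.2ip.ua", "udp"),
       ("US", "104.21.65.24:443", "api.2ip.ua", "tcp"),
       ("US", "104.21.65.24:443", "api.2ip.ua", "tcp"),
       ("HK", "38.47.221.193:34368", "", "tcp"),
       ("US", "185.196.8.238:80", "185.196.8.238", "tcp"),
       ("NL", "149.154.167.99:443", "t.me", "tcp"),
       ("GB", "104.103.202.103:443", "steamcommunity.com", "tcp"),
       ("US", "193.233.132.51:50500", "", "tcp")]
)

# Thresholds and service lists are this example's choices, not the sandbox's.
WINDOW_SECONDS = 138                     # "Max time network" for this detonation
COMMON_PORTS = {53, 80, 443}
EXTERNAL_IP_SERVICES = ("2ip.ua",)       # public "what is my IP" services
# Public platforms that stealers have used to host their real C2 address
# (dead-drop resolvers); a hit here is a lead to check, not a verdict.
PUBLIC_PROFILE_HOSTS = ("t.me", "steamcommunity.com")


def summarise(rows):
    """Collapse identical rows into (destination, domain, proto, hits), most hits first."""
    counts = Counter((dest, domain, proto) for _, dest, domain, proto in rows)
    return sorted(((d, dom, p, n) for (d, dom, p), n in counts.items()),
                  key=lambda r: (-r[3], r[0]))


def beacon_interval(rows, dest, window=WINDOW_SECONDS):
    """Mean seconds between connections to dest over the capture window."""
    hits = sum(1 for _, d, _, _ in rows if d == dest)
    return window / hits if hits else float("inf")


def flag(rows, beacon_min_hits=10):
    """Return {flag: sorted destinations} for the TCP traffic.

    DNS rows (udp/53) carry no flags of their own; the Domain column is what
    tells us whether a destination was reached without a name lookup."""
    tcp = [r for r in rows if r[3] == "tcp"]
    per_dest = Counter(dest for _, dest, _, _ in tcp)
    flags = {}

    def add(name, dest):
        flags.setdefault(name, set()).add(dest)

    for _, dest, domain, _ in tcp:
        host, port = dest.rsplit(":", 1)
        if int(port) not in COMMON_PORTS:
            add("nonstandard_port", dest)
        if domain in ("", host):            # sandbox prints the IP itself when no name resolved
            add("direct_ip_no_domain", dest)
        if domain.endswith(EXTERNAL_IP_SERVICES):
            add("external_ip_lookup", dest)
        if domain in PUBLIC_PROFILE_HOSTS:
            add("public_profile_host", dest)
        if per_dest[dest] >= beacon_min_hits:
            add("high_frequency", dest)
    return {name: sorted(dests) for name, dests in flags.items()}


if __name__ == "__main__":
    for dest, domain, proto, hits in summarise(ROWS)[:5]:
        print(f"{hits:3d}  {proto}  {dest:24s} {domain or '-'}")
    for name, dests in flag(ROWS).items():
        print(f"{name}: {', '.join(dests)}")
    print(f"85.143.222.45:80 every {beacon_interval(ROWS, '85.143.222.45:80'):.1f} s on average")
```

The high-frequency destination and the two direct-IP, high-port destinations are the ones to block and hunt for first; the api.2ip.ua lookup by itself is not malicious, but a process that checks its own external IP immediately after writing a Run key, as 8920.exe does here, is a reliable part of the Djvu pattern.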

Files

memory/2364-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2364-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2088-4-0x0000000000D12000-0x0000000000D25000-memory.dmp

memory/2088-6-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2364-5-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1200-7-0x0000000002D20000-0x0000000002D36000-memory.dmp

memory/2364-8-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\61A0.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\6421.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\6D17.exe

MD5 a3dea4c1f895c2729505cb4712ad469d
SHA1 fdfeebab437bf7f97fb848cd67abec9409adb3b2
SHA256 acfa700a776ef8622839fd22f3bcca3e7183e3ee2e21473ca0d9ccdc895c4afd
SHA512 9da049b6e9169e1079182ce04fd852e823d6bb31f0be3a814ee687047f3831c3cac58dd46b6a8592714afd102233d40a70a0b66e5f094d014c7059b119aa11c4

memory/2800-36-0x0000000000060000-0x0000000000B2A000-memory.dmp

memory/2800-37-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-39-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-38-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-40-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-41-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-42-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-43-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-44-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-45-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-46-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-47-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-48-0x00000000768C0000-0x0000000076907000-memory.dmp

memory/2800-49-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-50-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-51-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-52-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-53-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-54-0x00000000768C0000-0x0000000076907000-memory.dmp

memory/2800-55-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-56-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-57-0x00000000768C0000-0x0000000076907000-memory.dmp

memory/2800-58-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-59-0x00000000768C0000-0x0000000076907000-memory.dmp

memory/2800-60-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-61-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-62-0x00000000768C0000-0x0000000076907000-memory.dmp

memory/2800-65-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-66-0x00000000770F0000-0x00000000770F2000-memory.dmp

memory/2800-68-0x0000000000060000-0x0000000000B2A000-memory.dmp

memory/2800-69-0x0000000074140000-0x000000007482E000-memory.dmp

memory/2800-70-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2800-71-0x0000000001090000-0x00000000010D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8920.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

C:\Users\Admin\AppData\Local\Temp\8920.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/1864-78-0x0000000002080000-0x0000000002111000-memory.dmp

memory/2892-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2800-81-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/2892-85-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8920.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/1864-88-0x0000000002180000-0x000000000229B000-memory.dmp

memory/2800-89-0x00000000768C0000-0x0000000076907000-memory.dmp

memory/2800-90-0x00000000765D0000-0x00000000766E0000-memory.dmp

memory/1864-83-0x0000000002080000-0x0000000002111000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8920.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

\Users\Admin\AppData\Local\Temp\8920.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/2892-91-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2892-92-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\f5a2415f-68be-463a-9279-19b58785f5a1\8920.exe

MD5 be9ca8b74e26dc78f01bd22f50525146
SHA1 f51371b66f0220158cc2208ab9f55fa87763dd0a
SHA256 d16a9ab68ca93662dbb29848e691c234f0e82f678361c8723533deaefd89c23b
SHA512 0cdd10308a565ed6f533260c61e47d3f593eb0c859c3e88f72d58b07f5b8288be4b81297e26ae5cda3331aa66130a3cb68bf7db1e9083e6bb06fdb652351dd00

memory/2892-113-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2616-115-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/2616-118-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/892-123-0x0000000000400000-0x0000000000537000-memory.dmp

memory/892-124-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 2a111a3869f046f785ce4ee1e7058390
SHA1 2cdef9efd2cbad5d9eb0827417cb6dbf405e14f6
SHA256 24c5ad6ae2289c147167a3c73ed7fa556434389ed46591172e5652aaa20b3c4c
SHA512 df8bc23e88741f87e7ee59bb9a6a6b8a78f4b43965af892c64f95c6554867edbe2c242ae9ff799512bf99ee43fb37233aa85b64b75e04417f1ef3681bb6814d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 0772d19dd244b195a8c6e9e3ee14015d
SHA1 dac6279c89f774991af2f0e8c6cb78063ca4d5a6
SHA256 0393acc6e5d120983277d2962c2438d163f2c5f71799f2343e632b2b058373a3
SHA512 ba00d0bc32b4aef522765a61a3f0dbdbbcae082de7a9a7cea0ae81f5da928b736d010e073f2ec9170bcffbd27e8bd319e00f40fd8910c3c62082ac348a2cca06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 4605a165da62fbfcb953bc95f5c60588
SHA1 26d10dc22baeb6f19358ef50076b4f4cecfd625e
SHA256 ead04e8f3c9d951dd3a34014d9c2afc30055f16d191ae52e4b91c39513e5c5b3
SHA512 2c344c11cd766538df0edd82c67922365a7cce6718e505dbf6a45f8bcbb53b85b8222ac9dda90dcfbd9490371d668a85d2358e9b5a2af7f1ef113a6c19b0fb4f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7df0d7bd8b545f25f1111b1e97618f0
SHA1 0e11a848704f0ae858ec17ff58117afe8ad13fc2
SHA256 cab1b126fadd73cfc92df95da78def379077cd9c133c8524c8ce2336c37e3db6
SHA512 4f5ac389439f72484b26f0725e9fce52b8f9410636fe15454edc365fb9e84e471fffdbbed37379c9ed3a7ee7c0352d3106083e725f33ffed2ea98361a4b10fd6

C:\Users\Admin\AppData\Local\Temp\Cab91D4.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/892-137-0x0000000000400000-0x0000000000537000-memory.dmp

memory/892-138-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\937D.exe

MD5 f9f5b4125a5b08bc86343cb6f2d04e63
SHA1 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2
SHA256 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39
SHA512 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798

C:\Users\Admin\AppData\Local\Temp\937D.exe

MD5 f9f5b4125a5b08bc86343cb6f2d04e63
SHA1 3b0b3b9d7ded74650846762d0cc1e12c73d1b0f2
SHA256 1032ac53181871904e510c6c561fa33c0faba5557424089081f8896d49790a39
SHA512 4c93a2765f3fa9cdef6f0c2d18d94de5f61cca8cb04f84fd2721e14030dc0a0d5304846294c106fa80ecb940b7641e50cc4b170690a015b53580f1bbaf567798

memory/2956-144-0x0000000000A60000-0x0000000000B48000-memory.dmp

memory/2956-145-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

memory/2956-147-0x000000001AF10000-0x000000001AF90000-memory.dmp

memory/2956-148-0x0000000002120000-0x00000000021FE000-memory.dmp

memory/2956-149-0x000000001ADB0000-0x000000001AE90000-memory.dmp

memory/2956-150-0x000000001B3B0000-0x000000001B478000-memory.dmp

memory/2956-151-0x000000001B480000-0x000000001B548000-memory.dmp

memory/2956-152-0x0000000000670000-0x00000000006BC000-memory.dmp

memory/892-156-0x0000000000400000-0x0000000000537000-memory.dmp

memory/892-158-0x0000000000400000-0x0000000000537000-memory.dmp

memory/892-159-0x0000000000400000-0x0000000000537000-memory.dmp

memory/584-161-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/584-163-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/584-165-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/584-167-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

memory/584-169-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/2956-172-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

memory/2800-174-0x0000000074140000-0x000000007482E000-memory.dmp

memory/584-175-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

memory/584-178-0x000000001B270000-0x000000001B2F0000-memory.dmp

memory/584-177-0x00000000007B0000-0x0000000000894000-memory.dmp

memory/2800-176-0x0000000001090000-0x00000000010D0000-memory.dmp

memory/584-182-0x00000000007B0000-0x0000000000890000-memory.dmp

memory/584-180-0x00000000007B0000-0x0000000000890000-memory.dmp

memory/584-184-0x00000000007B0000-0x0000000000890000-memory.dmp

memory/584-188-0x00000000007B0000-0x0000000000890000-memory.dmp

memory/584-190-0x00000000007B0000-0x0000000000890000-memory.dmp

memory/584-194-0x00000000007B0000-0x0000000000890000-memory.dmp

memory/584-196-0x00000000007B0000-0x0000000000890000-memory.dmp

memory/584-192-0x00000000007B0000-0x0000000000890000-memory.dmp

memory/584-198-0x00000000007B0000-0x0000000000890000-memory.dmp

memory/584-200-0x00000000007B0000-0x0000000000890000-memory.dmp

memory/584-202-0x00000000007B0000-0x0000000000890000-memory.dmp

memory/584-204-0x00000000007B0000-0x0000000000890000-memory.dmp

memory/584-186-0x00000000007B0000-0x0000000000890000-memory.dmp

memory/584-179-0x00000000007B0000-0x0000000000890000-memory.dmp

C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build2.exe

MD5 f5f946c85bbcd85d14e984c5b2d9fdda
SHA1 dfd3e685b41e62d30395205ee9c6038081b9e875
SHA256 60f8db8893d5f127c739701a02a5cfdb78461c37a796c50467da51d1839d2b22
SHA512 2e018cd5ae9ece5a66ee232c0e15e8c1aead1d5e10255088bf5d9e3d468d797216a75b2ff07c1032be19f5882e9fddd015bb2bdf56ebab99dfd927cab53d1853

memory/1916-298-0x0000000002BC0000-0x0000000002CC0000-memory.dmp

memory/1916-299-0x0000000000260000-0x0000000000291000-memory.dmp

memory/2700-303-0x0000000000400000-0x0000000000644000-memory.dmp

\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\8095855b-84db-4a84-a636-3a446f2efe23\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\Temp\DB37.exe

MD5 6eafae4c4d7096a3146fb41361b88e88
SHA1 a974e4d9c0445079939cfbcef9d64dd9233b9181
SHA256 f91b309f90e29ac6938c6156c6692c74e982297a8da0496c47c8510291887409
SHA512 d6ddd6ac49158dcbcd5b6a4f4765cee09080e2581723577d890ab7f1a22e273a9a8ee2aa1359c1f2af4a43ab8d2e74a8f98a473ba63ee400061d2c01cc5a0578

C:\Users\Admin\AppData\Local\Temp\DB37.exe

MD5 6eafae4c4d7096a3146fb41361b88e88
SHA1 a974e4d9c0445079939cfbcef9d64dd9233b9181
SHA256 f91b309f90e29ac6938c6156c6692c74e982297a8da0496c47c8510291887409
SHA512 d6ddd6ac49158dcbcd5b6a4f4765cee09080e2581723577d890ab7f1a22e273a9a8ee2aa1359c1f2af4a43ab8d2e74a8f98a473ba63ee400061d2c01cc5a0578

\Users\Admin\AppData\Local\Temp\IXP000.TMP\DI2PB38.exe

MD5 eb16dcdaa3a2c8c7d2b5c85af7a91341
SHA1 6e8f0dc3b2fe92bef40fddc1401f398923303c8a
SHA256 17626126a624bf59c41ca10c001f2dd90e8a94abf8e2b929f63aa212feb34414
SHA512 7c7aebb2fd8433f752722e0c210984c2b9a578614ca67b790a0138450d826e36a9bbd412b4a077c6aa9fcfb9aa1899e17e68ee3677e27b93f6137df19791413a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DI2PB38.exe

MD5 eb16dcdaa3a2c8c7d2b5c85af7a91341
SHA1 6e8f0dc3b2fe92bef40fddc1401f398923303c8a
SHA256 17626126a624bf59c41ca10c001f2dd90e8a94abf8e2b929f63aa212feb34414
SHA512 7c7aebb2fd8433f752722e0c210984c2b9a578614ca67b790a0138450d826e36a9bbd412b4a077c6aa9fcfb9aa1899e17e68ee3677e27b93f6137df19791413a

C:\Users\Admin\AppData\Local\Temp\Tar4B3.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

\Users\Admin\AppData\Local\Temp\IXP002.TMP\lt8AE30.exe

MD5 e99659abcb427d00a9271c2796a98184
SHA1 7c80842db9c0cf9fe814a61eff86f5ba02720cfc
SHA256 fa8efb1d9762bf57d044cd87a464b01a1a4eba4399ad522a1d0ed522cd66e976
SHA512 bbed924bc1dfa68a216106aa4a7debbdcaa5766dc08c1888858190b656a9a44aa4b8248d690695ca9588d4228faa59af8b553f5fec97aee353b99e9df5365fc3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lt8AE30.exe

MD5 e99659abcb427d00a9271c2796a98184
SHA1 7c80842db9c0cf9fe814a61eff86f5ba02720cfc
SHA256 fa8efb1d9762bf57d044cd87a464b01a1a4eba4399ad522a1d0ed522cd66e976
SHA512 bbed924bc1dfa68a216106aa4a7debbdcaa5766dc08c1888858190b656a9a44aa4b8248d690695ca9588d4228faa59af8b553f5fec97aee353b99e9df5365fc3

\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou8Kb12.exe

MD5 ee3f589a0c7d63229a037488144b88cf
SHA1 6856e0d92e0859642bcf2d24f0c068d9f6e0acbf
SHA256 5211a0394634a7ed1a6b3f1965c24ff83c4e45986509e6cc2fb0f66c050b87a3
SHA512 dd5430e653e38868bb83a4a9780b3536e9381f52c048781e8bdb08467b2b706e32d2ad1da75eaee82c9edfdd8c5b1fa03783a6dd7b0482469e8f97bd4191f76f

\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe

MD5 d786005943e737b82adefe9d4f3d63a0
SHA1 16e51832749e4922e7427d877c106900bb422fc8
SHA256 7a035732587440d56c0ace34bd486969c3bd0295ca1fe2b2330474b246c06edc
SHA512 4cbc09c30f189aab68b4423e5d6a1e1e4192a440e4e942281444d0ad23ef7c0ccea2739097be4a8008a5533bee8662dda5f06ae0963a4cd2a5c95062afb8ba5f

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe

MD5 d786005943e737b82adefe9d4f3d63a0
SHA1 16e51832749e4922e7427d877c106900bb422fc8
SHA256 7a035732587440d56c0ace34bd486969c3bd0295ca1fe2b2330474b246c06edc
SHA512 4cbc09c30f189aab68b4423e5d6a1e1e4192a440e4e942281444d0ad23ef7c0ccea2739097be4a8008a5533bee8662dda5f06ae0963a4cd2a5c95062afb8ba5f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ou8Kb12.exe

MD5 ee3f589a0c7d63229a037488144b88cf
SHA1 6856e0d92e0859642bcf2d24f0c068d9f6e0acbf
SHA256 5211a0394634a7ed1a6b3f1965c24ff83c4e45986509e6cc2fb0f66c050b87a3
SHA512 dd5430e653e38868bb83a4a9780b3536e9381f52c048781e8bdb08467b2b706e32d2ad1da75eaee82c9edfdd8c5b1fa03783a6dd7b0482469e8f97bd4191f76f

C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

MD5 d786005943e737b82adefe9d4f3d63a0
SHA1 16e51832749e4922e7427d877c106900bb422fc8
SHA256 7a035732587440d56c0ace34bd486969c3bd0295ca1fe2b2330474b246c06edc
SHA512 4cbc09c30f189aab68b4423e5d6a1e1e4192a440e4e942281444d0ad23ef7c0ccea2739097be4a8008a5533bee8662dda5f06ae0963a4cd2a5c95062afb8ba5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6aabe4a4161b1eb33ae61368d45719f4
SHA1 015988db1025678872a2614a395c076c18525f34
SHA256 3c6ccf0215e7d860353d61f896da4cc64105d9121902ef75462fe70c7f730480
SHA512 f692a81226a93533a16eb941c0723ced8c04b6ad38124c0c3d1fb6bb5dd6b762cc629414e391b1822356e09ecc82ddfb3fc08b6d3bd85482993bfaa2722b1757

\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 d786005943e737b82adefe9d4f3d63a0
SHA1 16e51832749e4922e7427d877c106900bb422fc8
SHA256 7a035732587440d56c0ace34bd486969c3bd0295ca1fe2b2330474b246c06edc
SHA512 4cbc09c30f189aab68b4423e5d6a1e1e4192a440e4e942281444d0ad23ef7c0ccea2739097be4a8008a5533bee8662dda5f06ae0963a4cd2a5c95062afb8ba5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 135a43cc2ef062f5dca4749bb3155171
SHA1 42524f85f8eafc8559544437c48a81d6ff06a325
SHA256 aa8167d5e97a07b2dbecc580572eeb575deec7b1ace6d25c00c7c093096bcb0c
SHA512 1579aef8076707d5c4e12a55138f11fdbd7a9c0000e22c55223f43f969d0ecb4f358b989514d7134e58c428a7e116e26420222634516578e1fa4b6a71333c1da

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

MD5 946af660d15a2f3a63a2c5c83c9bf6b1
SHA1 b0b9cb337ac35d85ed882a212e1e6afb30c3ca56
SHA256 dc9c5ce1876361a715a06746bc5c62201d0ed9bac257b7b984451d4864abe17c
SHA512 0a0287638406793fe86595dca81158970b4f0ce76cb7de040888757e79219b03eb8880fd31ea85005888aa6cb7e68c987f5fd74782848155ba479e4980914422
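
The entries above show one binary travelling under three names: 1ct28YI6.exe, MaxLoonaFest131.exe and FANBooster131.exe all carry SHA256 7a035732587440d56c0ace34bd486969c3bd0295ca1fe2b2330474b246c06edc, and the Startup-folder FANBooster131.lnk points at the last of them. Added example, not code from the sandbox vendor or from this report: a parser for the file-listing format used here that folds repeated entries and the drive-less \Users\... spelling onto one record per SHA256, cross-checks that repeated entries agree on every digest, keeps memory-region lines separate from dropped files, and reports binaries that appear under more than one file name. The function names (parse_files, renamed_copies, normalize_path), the single-system-drive assumption behind normalize_path, and the SAMPLE text (constructed from entries on this page) are choices made for the example.

```python
import re
from collections import OrderedDict

# Added example for this report page, not the sandbox vendor's code. It parses
# the Files listing format used above: a Windows path (with or without the
# drive letter) followed by MD5/SHA1/SHA256/SHA512 lines, or a memory-region line.
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S.*$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def normalize_path(path):
    # The listing names the same file as C:\Users\... and \Users\...; assume a
    # single system drive (C:) so both spellings collapse. UNC paths are kept.
    if path.startswith("\\") and not path.startswith("\\\\"):
        return "C:" + path
    return path


def parse_files(text):
    """Return (files, regions): files is an OrderedDict SHA256 -> {"paths", "MD5",
    "SHA1", "SHA512"}; regions is the list of unique (pid, start, end) memory
    regions. Raises ValueError on a wrong-length digest or when two entries share
    a SHA256 but disagree on another digest (a corrupt listing)."""
    files, regions, seen = OrderedDict(), [], set()
    path, hashes = None, {}

    def commit():                          # close the entry currently being read
        if path is None or "SHA256" not in hashes:
            return
        entry = files.setdefault(hashes["SHA256"], {"paths": []})
        for algo in ("MD5", "SHA1", "SHA512"):
            if algo in hashes:
                if entry.get(algo, hashes[algo]) != hashes[algo]:
                    raise ValueError(f"{algo} mismatch for {path}")
                entry[algo] = hashes[algo]
        if path not in entry["paths"]:
            entry["paths"].append(path)

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_RE.match(line):
            key = (int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16))
            if key not in seen:
                seen.add(key)
                regions.append(key)
        elif (m := HASH_RE.match(line)) and path is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"bad {algo} length on {path}")
            hashes[algo] = digest
        elif PATH_RE.match(line):
            commit()
            path, hashes = normalize_path(line), {}
    commit()
    return files, regions


def renamed_copies(files):
    """SHA256 values seen under more than one file name: one binary copied or renamed."""
    out = {}
    for sha, entry in files.items():
        names = sorted({p.rsplit("\\", 1)[-1] for p in entry["paths"]})
        if len(names) > 1:
            out[sha] = names
    return out


# Constructed sample: entries copied from the listing above (blank lines are optional).
SAMPLE = r"""
memory/2956-144-0x0000000000A60000-0x0000000000B48000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe
MD5 d786005943e737b82adefe9d4f3d63a0
SHA1 16e51832749e4922e7427d877c106900bb422fc8
SHA256 7a035732587440d56c0ace34bd486969c3bd0295ca1fe2b2330474b246c06edc
SHA512 4cbc09c30f189aab68b4423e5d6a1e1e4192a440e4e942281444d0ad23ef7c0ccea2739097be4a8008a5533bee8662dda5f06ae0963a4cd2a5c95062afb8ba5f
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1ct28YI6.exe
MD5 d786005943e737b82adefe9d4f3d63a0
SHA1 16e51832749e4922e7427d877c106900bb422fc8
SHA256 7a035732587440d56c0ace34bd486969c3bd0295ca1fe2b2330474b246c06edc
SHA512 4cbc09c30f189aab68b4423e5d6a1e1e4192a440e4e942281444d0ad23ef7c0ccea2739097be4a8008a5533bee8662dda5f06ae0963a4cd2a5c95062afb8ba5f
C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
MD5 d786005943e737b82adefe9d4f3d63a0
SHA1 16e51832749e4922e7427d877c106900bb422fc8
SHA256 7a035732587440d56c0ace34bd486969c3bd0295ca1fe2b2330474b246c06edc
SHA512 4cbc09c30f189aab68b4423e5d6a1e1e4192a440e4e942281444d0ad23ef7c0ccea2739097be4a8008a5533bee8662dda5f06ae0963a4cd2a5c95062afb8ba5f
\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
MD5 d786005943e737b82adefe9d4f3d63a0
SHA1 16e51832749e4922e7427d877c106900bb422fc8
SHA256 7a035732587440d56c0ace34bd486969c3bd0295ca1fe2b2330474b246c06edc
SHA512 4cbc09c30f189aab68b4423e5d6a1e1e4192a440e4e942281444d0ad23ef7c0ccea2739097be4a8008a5533bee8662dda5f06ae0963a4cd2a5c95062afb8ba5f
memory/2956-144-0x0000000000A60000-0x0000000000B48000-memory.dmp
"""
```

Running parse_files over the whole Files section of a report gives one IOC record per distinct binary plus the list of memory regions; renamed_copies then points straight at the staged persistence copies, which is where a responder looks first for the Startup .lnk and scheduled-task targets.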

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-07 18:01

Reported

2023-12-07 18:03

Platform

win10v2004-20231127-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2284 set thread context of 1404 N/A C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe

"C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe"

C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe

"C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 226.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 222.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 99.117.223.173.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 45.222.143.85.in-addr.arpa udp
US 8.8.8.8:53 225.3.125.104.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 143.28.22.2.in-addr.arpa udp
US 8.8.8.8:53 201.3.125.104.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 199.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 206.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 198.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
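
The table above mixes three kinds of rows: reverse (in-addr.arpa) lookups the OS issues for addresses it has already talked to, background traffic of the analysis platform (tse1.mm.bing.net), and the rows worth treating as indicators for this sample: DNS queries for host-file-host6.com and host-host-file8.com, and a TCP connection to 85.143.222.45:80 for the second name only. Added example, not the sandbox vendor's code: a triage function over this table format that separates those row types, reports connections to non-allowlisted hosts as C2 candidates, lists names that were resolved but never contacted (host-file-host6.com here), and flags reverse lookups that point back at a contacted address, which is a cheap cross-check that the connection really happened. The BENIGN_SUFFIXES allowlist is an assumption to tune per platform, the function names are choices made here, and SAMPLE is constructed from rows in the table above.

```python
import re

# Added example for this report page, not the sandbox vendor's code. It triages
# the Network table format used above ("Country Destination Domain Proto").
ROW_RE = re.compile(r"^([A-Z]{2})\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)\s+(tcp|udp)$")
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")

# Assumed allowlist of analysis-platform / OS background destinations; tune per platform.
BENIGN_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")


def ptr_to_ip(name):
    """'45.222.143.85.in-addr.arpa' -> '85.143.222.45'; None for a forward name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_rows(text):
    """Parse table rows into dicts; the header line and anything else is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"country": m.group(1), "ip": m.group(2), "port": int(m.group(3)),
                         "domain": m.group(4), "proto": m.group(5)})
    return rows


def is_benign(domain):
    return domain.endswith(BENIGN_SUFFIXES)


def triage(text):
    """Return C2 candidates, names resolved but never contacted, and reverse
    lookups that resolve back to a contacted candidate address."""
    queried, ptr_ips, conns = set(), set(), []
    for r in parse_rows(text):
        if r["port"] == 53 and r["proto"] == "udp":        # DNS query rows
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_ips.add(ip)
            else:
                queried.add(r["domain"])
        else:                                               # actual connections
            conns.append(r)
    suspicious, seen = [], set()
    for c in conns:
        key = (c["ip"], c["port"], c["domain"], c["proto"])
        if not is_benign(c["domain"]) and key not in seen:
            seen.add(key)
            suspicious.append(c)
    contacted = {c["domain"] for c in conns}
    resolved_only = sorted(d for d in queried if not is_benign(d) and d not in contacted)
    return {
        "suspicious": suspicious,
        "resolved_only": resolved_only,
        "ptr_hits": sorted(ptr_ips & {c["ip"] for c in suspicious}),
    }


# Constructed sample: rows copied from the table above.
SAMPLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 85.143.222.45:80 host-host-file8.com tcp
US 8.8.8.8:53 45.222.143.85.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
"""
```

A name in resolved_only (host-file-host6.com here) is still an indicator worth blocking: the loader asked for it, and only the absence of a follow-up connection in this run separates it from the address it did reach. The ptr_hits list confirms that 85.143.222.45 was both connected to and later reverse-resolved by the guest, so the connection was not a stray DNS artifact.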

Files

memory/2284-1-0x0000000000CF0000-0x0000000000DF0000-memory.dmp

memory/2284-2-0x00000000027A0000-0x00000000027A9000-memory.dmp

memory/1404-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1404-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3144-5-0x0000000002DB0000-0x0000000002DC6000-memory.dmp

memory/1404-7-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4108-12-0x000001E343480000-0x000001E343490000-memory.dmp

memory/4108-28-0x000001E343580000-0x000001E343590000-memory.dmp

memory/4108-44-0x000001E34BB70000-0x000001E34BB71000-memory.dmp

memory/4108-45-0x000001E34BB90000-0x000001E34BB91000-memory.dmp

memory/4108-46-0x000001E34BB90000-0x000001E34BB91000-memory.dmp

memory/4108-47-0x000001E34BB90000-0x000001E34BB91000-memory.dmp

memory/4108-48-0x000001E34BB90000-0x000001E34BB91000-memory.dmp

memory/4108-49-0x000001E34BB90000-0x000001E34BB91000-memory.dmp

memory/4108-50-0x000001E34BB90000-0x000001E34BB91000-memory.dmp

memory/4108-51-0x000001E34BB90000-0x000001E34BB91000-memory.dmp

memory/4108-52-0x000001E34BB90000-0x000001E34BB91000-memory.dmp

memory/4108-53-0x000001E34BB90000-0x000001E34BB91000-memory.dmp

memory/4108-54-0x000001E34BB90000-0x000001E34BB91000-memory.dmp

memory/4108-56-0x000001E34B7B0000-0x000001E34B7B1000-memory.dmp

memory/4108-55-0x000001E34B7C0000-0x000001E34B7C1000-memory.dmp

memory/4108-58-0x000001E34B7C0000-0x000001E34B7C1000-memory.dmp

memory/4108-61-0x000001E34B7B0000-0x000001E34B7B1000-memory.dmp

memory/4108-64-0x000001E34B6F0000-0x000001E34B6F1000-memory.dmp

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

MD5 2054bc73b7290fc5ec47f67255d2b09f
SHA1 258b6bf3792d65b58a2ee92820f0e450e8bfbef6
SHA256 41c015ad6b7ed18e73a5ae2eef492029b8d0cc73fd669ac4b4e4132000438373
SHA512 6629609dd8ee244f30d711c43dfd338b1cb1c3cf9f411332ffaf5e3dbc40db72f1d69404dd9090ca8154c99f734f37dc01c63faa4bddf0815c526c585f37a2b6

memory/4108-76-0x000001E34B8F0000-0x000001E34B8F1000-memory.dmp

memory/4108-78-0x000001E34B900000-0x000001E34B901000-memory.dmp

memory/4108-79-0x000001E34B900000-0x000001E34B901000-memory.dmp

memory/4108-80-0x000001E34BA10000-0x000001E34BA11000-memory.dmp