Malware Analysis Report

2024-09-22 11:24

Sample ID 231225-ssb6pshch5
Target 28fbf26d76059fb5f277eaae5b7f894b
SHA256 97b1a0a2a2f05f22c3f9ac4152e34ad4d629c577ea9425020d5f8ce204d583d0
Tags
hawkeye collection keylogger spyware stealer trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

97b1a0a2a2f05f22c3f9ac4152e34ad4d629c577ea9425020d5f8ce204d583d0

Threat Level: Known bad

The file 28fbf26d76059fb5f277eaae5b7f894b was found to be: Known bad.

Malicious Activity Summary

hawkeye collection keylogger spyware stealer trojan upx

HawkEye

Nirsoft

NirSoft WebBrowserPassView

NirSoft MailPassView

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Uses the VBS compiler for execution

Loads dropped DLL

Looks up external IP address via web service

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-12-25 15:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-25 15:22

Reported

2023-12-28 18:31

Platform

win7-20231129-en

Max time kernel

142s

Max time network

121s

Command Line

C:\Windows\system32\lsass.exe

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [certificate blob omitted; thumbprint of the public GlobalSign Root CA] C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted; thumbprint of the public Baltimore CyberTrust Root] C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 2520 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 2520 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 2520 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 2520 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 2520 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 2520 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 2520 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 2520 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 2520 wrote to memory of 260 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\System32\smss.exe
PID 2520 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\winlogon.exe
PID 2520 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\csrss.exe
PID 2520 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\svchost.exe
PID 2520 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\Dwm.exe
PID 2520 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\svchost.exe
PID 2520 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\svchost.exe
PID 2520 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\taskhost.exe
PID 2520 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\lsm.exe
PID 2520 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\svchost.exe
PID 2520 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\lsass.exe
PID 2520 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 2360 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2360 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe

"C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\System32\smss.exe

\SystemRoot\System32\smss.exe

C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe

"C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 8.8.8.8:53 secure.emailsrvr.com udp
US 146.20.161.10:587 secure.emailsrvr.com tcp
US 146.20.161.10:587 secure.emailsrvr.com tcp

Files

memory/2520-0-0x0000000074CE0000-0x000000007528B000-memory.dmp

memory/2520-1-0x0000000002290000-0x00000000022D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar1106.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 f0b0edc6f6471029805701ac52117c4f
SHA1 aa23dd230f84901518656e08d14a270d56381aac
SHA256 373d211043f96705874995b04652651116e855e82e5e4432626c04730ba0f210
SHA512 f002e9f6451ee57c49d545c71efb4992c19911d5d4d532eca3b90eaa1efbf45f03556e3cf3be93509418a6b5963402c6e9be454f8b14767c0871686d60c646b1

memory/2360-158-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2360-159-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2360-169-0x0000000000400000-0x0000000000484000-memory.dmp

memory/260-172-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2360-187-0x0000000000540000-0x0000000000580000-memory.dmp

memory/2360-191-0x0000000074CE0000-0x000000007528B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1525.tmp

MD5 aaa698721f488b181bc0f0afc5da126a
SHA1 76536a73f16ffd643ea24f8725cebfff9d49852f
SHA256 e71ba7ce01d10e60a4feac7fc5e04f34756ba621c7d88583d0f96bd3b2655647
SHA512 67d8b05678fbdc1678515c341fa8c1e26f3d1b15f2cc390bb9b1a26589a346fd57697dd3366e72d46ab265570929f1be89b8aec81112a2a98194c5886c89261d

memory/2360-225-0x0000000071890000-0x00000000718BE000-memory.dmp

memory/2520-226-0x0000000074CE0000-0x000000007528B000-memory.dmp

\Users\Admin\AppData\Local\Temp\tmp155B.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2360-185-0x0000000074CE0000-0x000000007528B000-memory.dmp

memory/2360-173-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2360-165-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2360-163-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2360-162-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2360-160-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2360-227-0x0000000000540000-0x0000000000580000-memory.dmp

memory/1548-228-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1548-230-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1548-231-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2360-232-0x0000000071890000-0x00000000718BE000-memory.dmp

memory/1548-233-0x0000000000400000-0x000000000041B000-memory.dmp

memory/908-234-0x0000000000400000-0x0000000000458000-memory.dmp

memory/908-240-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2360-242-0x0000000000540000-0x0000000000580000-memory.dmp

memory/2360-241-0x0000000074CE0000-0x000000007528B000-memory.dmp

memory/908-236-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2360-281-0x0000000071890000-0x00000000718BE000-memory.dmp

memory/2360-283-0x0000000000540000-0x0000000000580000-memory.dmp

memory/2360-285-0x0000000071890000-0x00000000718BE000-memory.dmp

memory/2360-286-0x0000000071890000-0x00000000718BE000-memory.dmp

memory/2360-288-0x0000000071890000-0x00000000718BE000-memory.dmp

memory/2360-290-0x0000000071890000-0x00000000718BE000-memory.dmp

memory/2360-294-0x0000000071890000-0x00000000718BE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-25 15:22

Reported

2023-12-28 18:32

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

146s

Command Line

"dwm.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = [certificate blob omitted; thumbprint of the public GlobalSign Root CA - R3] C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5068 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 5068 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 5068 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 5068 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 5068 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 5068 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 5068 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 5068 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe
PID 5068 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\System32\svchost.exe
PID 5068 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\System32\svchost.exe
PID 5068 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\fontdrvhost.exe
PID 5068 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\svchost.exe
PID 5068 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\DllHost.exe
PID 5068 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\System32\svchost.exe
PID 5068 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\svchost.exe
PID 5068 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\fontdrvhost.exe
PID 5068 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\svchost.exe
PID 5068 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\dwm.exe
PID 5068 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\svchost.exe
PID 5068 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\backgroundTaskHost.exe
PID 5068 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\svchost.exe
PID 5068 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\svchost.exe
PID 5068 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\backgroundTaskHost.exe
PID 5068 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\system32\svchost.exe
PID 5068 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Explorer.EXE
PID 5068 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1988 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe

"C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe"

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe

"C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 crl.globalsign.net udp
US 104.18.21.226:80 crl.globalsign.net tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.155.36:80 whatismyipaddress.com tcp
US 104.16.155.36:443 whatismyipaddress.com tcp
US 8.8.8.8:53 secure.emailsrvr.com udp
US 146.20.161.10:587 secure.emailsrvr.com tcp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 36.155.16.104.in-addr.arpa udp
US 8.8.8.8:53 10.161.20.146.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 146.20.161.10:587 secure.emailsrvr.com tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
GB 88.221.135.88:80 tcp
GB 88.221.135.88:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
N/A 52.165.164.15:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 88.221.134.18:80 tcp
GB 88.221.134.18:80 tcp
GB 88.221.134.18:80 tcp
GB 88.221.134.18:80 tcp
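Read together, the WriteProcessMemory table, the Processes list and the Network table describe one chain: PID 5068 writes into a second copy of its own image (1988), that copy writes into two instances of vbc.exe, and the two vbc.exe processes run with NirSoft's /stext switch, which writes recovered credentials to the named text file; the run then resolves whatismyipaddress.com and opens TCP 587 (SMTP submission) to secure.emailsrvr.com. The script below is an added example written for this page, not sandbox or report code: it parses those table lines as printed and derives the same findings mechanically, so the logic can be pointed at other reports of the same format. The sample path, command lines and network rows are copied from this report (the eight identical 5068 to 1988 rows are collapsed to one and only five network rows are included); the LOLBIN target list, the IP-lookup domain list and the SMTP port set are assumptions of the example.

```python
"""Derive the injection chain and exfil path from the WriteProcessMemory,
Processes and Network tables of this report (input copied from the report;
LOLBIN, IP-lookup and SMTP-port lists are this example's own assumptions)."""
import re
from collections import Counter
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\28fbf26d76059fb5f277eaae5b7f894b.exe"
WPM_LINES = rf"""
PID 5068 wrote to memory of 1988 N/A {SAMPLE} {SAMPLE}
PID 5068 wrote to memory of 1772 N/A {SAMPLE} C:\Windows\System32\svchost.exe
PID 5068 wrote to memory of 2400 N/A {SAMPLE} C:\Windows\System32\svchost.exe
PID 5068 wrote to memory of 780 N/A {SAMPLE} C:\Windows\system32\fontdrvhost.exe
PID 5068 wrote to memory of 1960 N/A {SAMPLE} C:\Windows\system32\svchost.exe
PID 5068 wrote to memory of 4520 N/A {SAMPLE} C:\Windows\system32\DllHost.exe
PID 5068 wrote to memory of 1168 N/A {SAMPLE} C:\Windows\System32\svchost.exe
PID 5068 wrote to memory of 1364 N/A {SAMPLE} C:\Windows\system32\svchost.exe
PID 5068 wrote to memory of 772 N/A {SAMPLE} C:\Windows\system32\fontdrvhost.exe
PID 5068 wrote to memory of 1756 N/A {SAMPLE} C:\Windows\system32\svchost.exe
PID 5068 wrote to memory of 376 N/A {SAMPLE} C:\Windows\system32\dwm.exe
PID 5068 wrote to memory of 4564 N/A {SAMPLE} C:\Windows\system32\svchost.exe
PID 5068 wrote to memory of 2932 N/A {SAMPLE} C:\Windows\system32\backgroundTaskHost.exe
PID 5068 wrote to memory of 960 N/A {SAMPLE} C:\Windows\system32\svchost.exe
PID 5068 wrote to memory of 1156 N/A {SAMPLE} C:\Windows\system32\svchost.exe
PID 5068 wrote to memory of 1824 N/A {SAMPLE} C:\Windows\system32\backgroundTaskHost.exe
PID 5068 wrote to memory of 2832 N/A {SAMPLE} C:\Windows\system32\svchost.exe
PID 5068 wrote to memory of 3512 N/A {SAMPLE} C:\Windows\Explorer.EXE
PID 5068 wrote to memory of 4496 N/A {SAMPLE} C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1988 wrote to memory of 4712 N/A {SAMPLE} C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1988 wrote to memory of 2644 N/A {SAMPLE} C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"""
CMDLINES = [  # from the Processes list: the sample, its two vbc.exe children, one benign svchost
    rf'"{SAMPLE}"',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"',
    r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo",
]
NETWORK_LINES = """
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.155.36:443 whatismyipaddress.com tcp
US 146.20.161.10:587 secure.emailsrvr.com tcp
US 104.18.21.226:80 crl.globalsign.net tcp
GB 88.221.135.88:80 tcp
"""
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")
STEXT_RE = re.compile(r'/stext\s+"?([^"]+)"?', re.IGNORECASE)
LOLBIN_TARGETS = {"vbc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}  # assumed
IP_LOOKUP_DOMAINS = {"whatismyipaddress.com", "api.ipify.org", "checkip.dyndns.org"}  # assumed
SMTP_PORTS = {25, 465, 587}  # assumed: SMTP, SMTPS, submission


def parse_wpm(text):
    """Distinct (src_pid, dst_pid, src_image, dst_image) tuples from the table rows."""
    rows = {(int(m[1]), int(m[2]), m[3], m[4])
            for m in map(WPM_RE.match, (line.strip() for line in text.splitlines())) if m}
    return sorted(rows)


def parse_network(text):
    """(host, port, domain, proto) per row; the domain column may be blank."""
    out = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) in (3, 4):
            host, port = parts[1].rsplit(":", 1)
            out.append((host, int(port), parts[2] if len(parts) == 4 else "", parts[-1]))
    return out


def triage(wpm_text=WPM_LINES, cmdlines=CMDLINES, net_text=NETWORK_LINES):
    pairs = parse_wpm(wpm_text)
    out = {
        # same image on both sides, different PID: the sample wrote into a copy of itself
        "self_injection": [(s, d) for s, d, si, di in pairs if s != d and si.lower() == di.lower()],
        # writes into a signed Microsoft binary that is a common hollowing host
        "lolbin_targets": {d: PureWindowsPath(di).name for _, d, _, di in pairs
                           if PureWindowsPath(di).name.lower() in LOLBIN_TARGETS},
        "fanout": dict(Counter(s for s, *_ in pairs)),  # distinct targets per writing PID
        # NirSoft recovery tools write recovered credentials to the file named after /stext
        "nirsoft_dumps": [m[1] for c in cmdlines if (m := STEXT_RE.search(c))],
        "ip_lookup": [], "smtp": [],
    }
    for host, port, domain, proto in parse_network(net_text):
        if domain in IP_LOOKUP_DOMAINS and domain not in out["ip_lookup"]:
            out["ip_lookup"].append(domain)
        if proto == "tcp" and port in SMTP_PORTS:
            out["smtp"].append((f"{host}:{port}", domain))
    return out


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The fanout count shows 5068 touching 19 distinct processes, most of them system services; the rows do not say what was written, so the example only counts them and leaves the interpretation to the SetThreadContext and SetWindowsHookEx signatures. The two rows that explain the credential-theft capability are the self-injection and the two vbc.exe targets. The report does not pair each vbc.exe PID with its dump file, so the example reports the PIDs and the /stext paths as separate sets rather than guessing the mapping.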

Files

memory/5068-0-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/5068-2-0x0000000000760000-0x0000000000770000-memory.dmp

memory/5068-1-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/1988-72-0x0000000001B70000-0x0000000001B80000-memory.dmp

memory/1988-74-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/5068-75-0x0000000072290000-0x00000000722BE000-memory.dmp

memory/5068-77-0x0000000072290000-0x00000000722BE000-memory.dmp

memory/5068-78-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/1988-63-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/1988-13-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4712-81-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4712-83-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4712-85-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2644-87-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2644-89-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2644-94-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1988-93-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/2644-98-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1988-100-0x0000000074890000-0x0000000074E41000-memory.dmp

memory/1988-99-0x0000000001B70000-0x0000000001B80000-memory.dmp

memory/1988-101-0x0000000001B70000-0x0000000001B80000-memory.dmp