Malware Analysis Report

2025-01-03 05:02

Sample ID 231226-m2r1maahe2
Target 69211520423fa18fde09eee360343412
SHA256 437ad80eaa637caba6237c5ecb0b4d328bb8131a45905088b2441bdfa021b598
Tags
bitrat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

437ad80eaa637caba6237c5ecb0b4d328bb8131a45905088b2441bdfa021b598

Threat Level: Known bad

The file 69211520423fa18fde09eee360343412 was found to be: Known bad.

Malicious Activity Summary

bitrat trojan upx

BitRAT

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-26 10:58

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 10:57

Reported

2024-01-06 11:12

Platform

win7-20231215-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe N/A

UPX packed file

upx
Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2360 set thread context of 908 N/A C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe C:\Windows\SysWOW64\WScript.exe
PID 2396 wrote to memory of 2516 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe
PID 908 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 908 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe
PID 908 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe

"C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ukvcpgfl.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\google\chrome.exe'

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

Network

Files

C:\Users\Admin\AppData\Local\Temp\_Ukvcpgfl.vbs

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll

\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll

\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll

\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll

C:\Users\Admin\AppData\Local\c3b89bbf\tor\torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdescs.new

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\state

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-certs

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 10:57

Reported

2024-01-06 11:13

Platform

win10v2004-20231222-en

Max time kernel

54s

Max time network

76s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe"

Signatures

BitRAT

trojan bitrat

ACProtect 1.3x - 1.4x DLL software

UPX packed file

upx
Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe

"C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ukvcpgfl.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chrome\google\chrome.exe'

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe

C:\Users\Admin\AppData\Local\Temp\69211520423fa18fde09eee360343412.exe

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe

"C:\Users\Admin\AppData\Local\c3b89bbf\tor\windows32file.exe" -f torrc

Network

Files

C:\Users\Admin\AppData\Local\Temp\_Ukvcpgfl.vbs

C:\Users\Admin\AppData\Local\c3b89bbf\tor\data\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libgcc_s_sjlj-1.dll

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\c3b89bbf\tor\zlib1.dll

C:\Users\Admin\AppData\Local\c3b89bbf\tor\torrc

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssp-0.dll

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libssl-1_1.dll

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libevent-2-1-6.dll

C:\Users\Admin\AppData\Local\c3b89bbf\tor\libcrypto-1_1.dll
