Malware Analysis Report

2025-08-05 11:59

Sample ID 240113-tnmbjsdag5
Target 5928745f1d5cab62de613b4c5f558df1
SHA256 10cdc1c1b8112716b5aec0caba5db1cef422176c550288f4952473c216357466
Tags
redline sectoprat @lovefuckwithyourmom infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 5928745f1d5cab62de613b4c5f558df1 was found to be: Known bad.

Malicious Activity Summary

redline sectoprat @lovefuckwithyourmom infostealer rat trojan

RedLine payload

SectopRAT

SectopRAT payload

RedLine

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: CmdExeWriteProcessMemorySpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-13 16:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-13 16:12

Reported

2024-01-13 16:14

Platform

win7-20231215-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1936 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe | C:\Windows\system32\cmd.exe
PID 1936 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe | C:\Windows\system32\cmd.exe
PID 1936 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe | C:\Windows\system32\cmd.exe
PID 1936 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe | C:\Windows\system32\cmd.exe
PID 2772 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 2772 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 2772 wrote to memory of 2764 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 2772 wrote to memory of 2672 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2672 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2672 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2800 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2800 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2800 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2588 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 2772 wrote to memory of 2124 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 2772 wrote to memory of 2124 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 2772 wrote to memory of 2124 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 2772 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe
PID 2772 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe
PID 2772 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe
PID 2772 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe

"C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e file.zip -p -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "@lovefuckwithyourmom.exe"

C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe

"@lovefuckwithyourmom.exe"

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_1.zip -oextracted

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | xetadycami.xyz | udp

Files

C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

MD5 14ed47f526671c43880f44b6c4b6fc83
SHA1 687323418a481503326bf7daf95ce722adcfbec4
SHA256 7d37fd2c4ce79dd8decfb14fd1390f4d7867af812204865fc91194b63ef4c1c9
SHA512 212614fa1b92a3e5520ca91442d6d21eebfd479f50bba032b320bea3d367a26f4296e08c7474bf2e03f1720dacbd5697eb8113a7102b8a10d76273b0c93a495c

C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

MD5 0c4d8185c244c378dd2635dd5e842235
SHA1 79bed7df4511237ce5a9571dae2819b4ffe88001
SHA256 23afd877f0a4f916f69f778ad94a90a1c615625a8c55645a13285040590fec32
SHA512 c663c849b0b305ee1b40c46d4c2605640e89ba5af218f41f0d61c0248de1b74eb4bb6240dac2e1ffd5bc85884fa75af4d04adb0f7aa5601a5d5350415c6c9347

\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 fd3639e8268a12e045750a3bea2e94c0
SHA1 ed32180613c3335e9e0e365b48947a1d8871966e
SHA256 fa5499591946494e41a6e63230af10c327beab1cda4cf9bfa571d342a66bcb65
SHA512 108b1bf31f6b4fe967c6a429188ae0e73f6e83018eaacc2b419bb521b02bfdd520fd02cb251c09c734e6b6896aad960d132bdbd1ad2859fcc0c23d4c54b62173

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 e7937dd57b97cefa8983a76e784a8f9c
SHA1 bf5f1c9d615b0309357fdf5b4c8a1017210d24c7
SHA256 624050639c0943244b253e7371ce0770f0ac27ec23736e7699d4924e03cb2b50
SHA512 0f147d3afd70aac0e8fe325f5b33d149443583973b00dc3865b6b3aeec0127957a9c2eb9a5beb15f7151034b04d84bca3307148eff1bc283c8198447750fc574

\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 ede747df5a8ff1072cd7a76ec4460015
SHA1 30b0322866df61c3b0fec85a069085c6c18f2eba
SHA256 43db1dba9645809a890effb4303404c528601a576ef78cac58ef23c7cd52fc44
SHA512 e0393b5075e0e017079ecf4373ec879ba93a184318aa89ea6c576726debe936418573190db951eafb32930cf690642da7c1eeb61ce04e797c1e098043c4c9474

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 86d15c117cd9e112c658d5dae6ebbaad
SHA1 eb26dd6256282600d581fa0ff9b4b8392133b4c8
SHA256 00552e1ec01089fc17e6e363b9daaca689a07063e9582cc253d735a4ee37d76d
SHA512 a25d378af9a348a5de91e1bdd838b05f86aa1a80a980f16761be6222883ed52154c6157bf537d012bb921fe7939feed7db79607972b26b1f0ee930ea3bb72b6f

\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 6e55341c9a0ce67ba366176da388aa04
SHA1 e794ecd906a9687daaf6b63e50bd9b45a69d594d
SHA256 b9a8642098cba990aefc2b297c70d491f956e3b29e63f1ca91c416d39f6f97c5
SHA512 8709af88259c3132c95d2cdd966ed24a257de0ff0acee7628a9c119c87e70489491c58abef0e352a26ca6867fc2ad97f587085b7a2d0741af939eb7b2e9aebcc

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip

MD5 d2512657ddd302bf130294d2fb0e0de7
SHA1 42bf5e5c89945fa328960fd5357d69513ed80223
SHA256 b70df0fb66a696e92dbc92e519b105befcd34f9f0c0c01b8986b2deff2294bce
SHA512 addfaab755b1ce4b0e2941bfaee6cc33ee616885daf07e7abd0874aa82b8118d6e84ef9a03bd05e4b08ea6dc5babbb0dc8506b2adac459929ff51c6cce6d4dc4

\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 37f21b197d07387261fc6c728e2562d2
SHA1 63a019358f9eb1caa0bd5927f3847e0150be0e4e
SHA256 779735a446e61fdb5773925a8ea9c21e468562ccc66d5d18953cb28ceb883a3f
SHA512 f9a0590bee7559a3ce4edb386192baedd12c454ed8de5ebc686363b4fed507693a14215ad55819648651b7b27c92b72c3e02bae6fdf85a6755606552043ca8bc

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 0ef2ed03ea1507ce522d8a8189e22cf9
SHA1 e83646afdf8c96fed1212784e013561793def91c
SHA256 49cc8266f73dd2a8771fb6ffcc6d77522ad8a78e37d8dc50afe06153a53f9e38
SHA512 1fc16f9bfb6e3d8aab79c544e06c25c2ff0387c6b117934d4d78d0dd5706afc98a2c854e1114723b95bab7a93d47e27951b2cec0829171fab1098c340d6d940c

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 7a6ff8658b727035517d2364f3c3d330
SHA1 dac86fc03309964b32f9c929060df3cd920c26eb
SHA256 9a83666f30fa552e95ccec8072fecbd16f6cc293ecd0a1bdd798fdb0b0a02588
SHA512 32b5acda35a99551da599fd4835ae95d28e306b4acddd4ab6592345d37b5444da01784ed0064137dfe6e87c49474eed5b72b42e124098c0e345f9e8f85469b4a

\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 92d3f23ea3013eb5288fa129258a95d1
SHA1 e1678a1e7b6bed32deb57eaa8bd50ec208a00a3b
SHA256 a18cd1947980cfe11a62838ab8fb46b5392099eb8f3311375e0105a5b7838fd7
SHA512 f8899a1440157385e7f34c2d3935a200caf51426a2387ccee00cd4d4d9c794a34703a688b51b5c370534afce00d159488f226c483145ec8047e8988750e9f015

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip

MD5 9082560582b613a65120dcde6c3c4897
SHA1 e8d50dfc85abe2aa00a51d917f35487c25e711c4
SHA256 3e324d0ff36a51529101b45bb9102260292a6bbb6ffbf55d01fea881cc038704
SHA512 180c1025f16d0e227e432ed7bb3c52ca0bcecd5a8390e6d3af28a2425cc1e31801dbd6df377c2abcc982c3a06f15940a654bd6b488e8d595ee41de5a56e1ef2f

\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 a9556a9583021f75ca2567bc98b5f28e
SHA1 5af46dcd462b4ae84632e929693a547cdf04c1ea
SHA256 21f50574ee333fcc187659ed0ffa8cfe8fc62a272442a56ef24902f77df29057
SHA512 90c133d03f0904f44da501162bd531b62f2d4b985474cdb190e6a39c1ce52a9d7e6ba9db8fc780d6e99fa3888e25dea572fd814595609f90571b6d8d353fd9df

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 df991835b44cdf4a49813b2470bed70e
SHA1 f5a3aec8b312db18663d5c9eb231c3632cfeb867
SHA256 91a9aa869359f01e8078163e33a04a299fb6a3d57d255a79116e5f7a46e8068a
SHA512 1303b76c7186329149b8215f987e9a35a9bb50ed2525d392173dd15063971c2cc2b54d3e1c5ba954d1044ac8891e29290afd71eff932b681e35015537b80dd26

\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 3640c9c0bbccb95531eee53bd6f49e33
SHA1 2d174c44091c73b5d486cc6a513d8d64580b20df
SHA256 24e2c8f03c401e5195e5de727fd1b5dc675992301b6d344a38906d813a9efa0d
SHA512 dee29fc01a00d165863b8cd2ace6f9f5f3f533a3da34869eb7b201cdfdffce4b96741b7d7cd38d9c46ccde278fe553eb33125bb49d38ab3edc51f155be405ea5

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip

MD5 9679f15a03e532c442b86b99d901637f
SHA1 43e4579628d2201dc556ebf4d29464fb777e2238
SHA256 487f4d740ba3d9c42a5c6e624f34d3e20a330418d2925e2fec2fde37bb64a7d1
SHA512 8097846f22e81885844a42e63fc34218affad7d4cc659b94350f45955353d324d8f107eb2228606b7f14a6fedce2f1184e69c2dec07b6625d1ca00771fa03236

\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 91d23974b3b147cf00786ff79be1fbb6
SHA1 ec4f7f9db4ca98084cd56b04fc5d8a3b7428c0d2
SHA256 d80c2d9352b15cba2747ee7d0dfdc85dbf7bd43a3b8ef7407ff671cc3c3762ff
SHA512 5d3fedb74ac6acdbfba520c540a19ee5b7790b489681a62938b8df78714f29e7681845e4cf53a2d3158d48af8d53c2e607ccf905faf71d424b330f21244a6d8a

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 fafd0a4a565be90cee0b1e7f3a7b27a6
SHA1 7c99b311f30d9a2247f7a72cbf6c0b376a5ee64c
SHA256 0e47473107c2d8f9578cfdc6a977de769d35ad4d234184acd7088936c97844fd
SHA512 243c84e6c2dd61916b8b3d4f626ccbd73ba52946c03e275ba26924075cbb7ed302ca24a5c148e51dd69f985a0e40991920e17f3798e8f05074ccd6795da0694b

\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 af5233f6d4c806ecc112ee4b7623e4f8
SHA1 53dcfd03b40a0dc7a6491745cfbeb8db23e3113c
SHA256 c7722d8aad2e6a1d1c300d057c3674a894fac996bbf78feba48bfabf4214ae41
SHA512 1181c1c0b4c7ef6464bf5d0be164601b3ad8c21b50ea7c1dc33fa60f0f629b7a4d1f8f2ff15298536e4c5b4a720d6d321e289e92cffe2b7a880e874ed6a1be84

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT

MD5 634d6c3f5f2db3c90c31bd36cb840181
SHA1 523f20c550bcebf938f883913001feca14d12233
SHA256 841f9f9d31efcc110ad8ba8a550e285ba5398c322fe20d0843db23a9c027079a
SHA512 41c02f3d2293a775fbbc1c45b355155a89dafa62b1c8b38a0d9935c248545c9944c8d36ac4b1b58139785bdec2280d4cbdc8f5357b6187635f181755362aaa0c

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@lovefuckwithyourmom.exe

MD5 f715021bca8947192b494a037ddae36b
SHA1 d2a70a50a0258a7d471d3f8043808f962282fc7e
SHA256 3508971255c901dccbe8a461de9fa390add18675e44bfa55a2c792f62cf7db62
SHA512 ce3801a52248785a41d1db4c284b3c06f18d7753555659bbb36ac960d5cf4990c33d5981620090dbf07bd009951d0760b5c8e529ac64c973deade35d36c0d35f

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip

MD5 f8fdd24daf1aa469ac0e32e9b1459ab6
SHA1 23dd9dd5b626c364a964cf583b045c8197b12d74
SHA256 e8f4204e1b3ceca11d1865e28201761c1b4017b30377ca4c1639c7ccac952949
SHA512 05843ad3518438b825c7864854e6a8f7a3538bfd76327b8fb652a073ad38df60051c1ab420e89d78b9b02a14f74a535f03b0f0340259c13c4aad200c60898aba

\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 01b4d7a25878352f6099baf08ffc4e98
SHA1 00f135b1f057aaf13c7de98f2ccf4eee83a6c538
SHA256 554b10a2d4487368d996c035c09fd521d25df2f411659abd03aff9ed91f4e641
SHA512 8a7a5e249bd2fb6c678c52bc25dca4a4d7ff9e16e962ca0dfb6d0c02b4ca27688b0163c7a146e87310d7c3b70235e5357a095a56a7c1f0024c5d31e036dd3e33

memory/2612-58-0x00000000749D0000-0x00000000750BE000-memory.dmp

memory/2612-57-0x0000000000BB0000-0x0000000000BCE000-memory.dmp

memory/2612-59-0x0000000000B40000-0x0000000000B80000-memory.dmp

memory/2612-60-0x00000000749D0000-0x00000000750BE000-memory.dmp

memory/2612-61-0x0000000000B40000-0x0000000000B80000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-13 16:12

Reported

2024-01-13 16:14

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3600 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe | C:\Windows\system32\cmd.exe
PID 3600 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe | C:\Windows\system32\cmd.exe
PID 1572 wrote to memory of 4572 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 1572 wrote to memory of 4572 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 1572 wrote to memory of 2224 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 1572 wrote to memory of 2224 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 1572 wrote to memory of 1640 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 1572 wrote to memory of 1640 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 1572 wrote to memory of 396 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 1572 wrote to memory of 396 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 1572 wrote to memory of 4900 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 1572 wrote to memory of 4900 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 1572 wrote to memory of 2568 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 1572 wrote to memory of 2568 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
PID 1572 wrote to memory of 4260 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 1572 wrote to memory of 4260 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 1572 wrote to memory of 2740 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe
PID 1572 wrote to memory of 2740 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe
PID 1572 wrote to memory of 2740 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe

"C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e file.zip -p -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe

"@lovefuckwithyourmom.exe"

C:\Windows\system32\attrib.exe

attrib +H "@lovefuckwithyourmom.exe"

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

7z.exe e extracted/file_4.zip -oextracted

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | 75.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
US | 8.8.8.8:53 | xetadycami.xyz | udp
GB | 96.17.178.174:80 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

MD5 14ed47f526671c43880f44b6c4b6fc83
SHA1 687323418a481503326bf7daf95ce722adcfbec4
SHA256 7d37fd2c4ce79dd8decfb14fd1390f4d7867af812204865fc91194b63ef4c1c9
SHA512 212614fa1b92a3e5520ca91442d6d21eebfd479f50bba032b320bea3d367a26f4296e08c7474bf2e03f1720dacbd5697eb8113a7102b8a10d76273b0c93a495c

C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

MD5 2b2666ebfdc9adfd2fc1a0d8a84d2f75
SHA1 86a788663a2fb29441e3bb4aa823b609274d85f0
SHA256 d16f59ebdd3b51758a753c1503298fe0bd14217e0c8ca648259eff247f4cd403
SHA512 5e8ae5ec4d2a89b38f2b57408e90286ec9a4add5adc042ca95e2169f54280b7737e47dd811e53536ff0b3913b2ea692fba87cd799c168f4f51b3a696de45a2d1

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 e1fee3d3780c73637252b69e44f3e85f
SHA1 ea3255fd0b61ac92323a91e2463dd20b44edf66e
SHA256 f01b05966047f5d3931520d1ae7c85dd548e7082699dddc2503a5c42063bda3f
SHA512 cd5455f93330f03f9d0f4c2771ee32ea799332b5dc937a2e7b3cae414f22e7b4acc32225abf161c2070163f6e300fce6c5f1b25f3ac2ce51c609d0187c2a5f62

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 bdac165c36265693370205114caa5ee3
SHA1 4f5fe76e41f3cced90330b320bb8144b408f9fd5
SHA256 e1f8abc6554a84ccf75d9381de5e2c36fa87ef753195e8de9483de2c0aa3f191
SHA512 1bf1d87512878b0075a71c1fb1653fe34c3e4706d7404c89185b7adb29f83477e0d00374a3c4d54a123cf90fff8b317f9a50881b9708513b6e45fc1691e7fd3b

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 0ac45708dce897ea32d6812fe54898d3
SHA1 496f87ee4c39b8227d21d52d2d534fcec6438345
SHA256 f119981b4e6b05c6892e7bd1dea9b2673594f66daaf1176fdceaa4402928b003
SHA512 77ed189ca457a1e2632176e46ad872f8edb691ca9d675b41eb3edf096073c664cf69f7fc49d322dddc9eecc0be1f250cfc428b58262d536a271a3fae9b247acd

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip

MD5 9679f15a03e532c442b86b99d901637f
SHA1 43e4579628d2201dc556ebf4d29464fb777e2238
SHA256 487f4d740ba3d9c42a5c6e624f34d3e20a330418d2925e2fec2fde37bb64a7d1
SHA512 8097846f22e81885844a42e63fc34218affad7d4cc659b94350f45955353d324d8f107eb2228606b7f14a6fedce2f1184e69c2dec07b6625d1ca00771fa03236

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 5ccdaa140e9f3518e64b6e8884df5398
SHA1 c39a7a3ecca0032e84246a4da17b6b8bab671f91
SHA256 aabadb4ab4cfb509ae8be07dae1871e8525f905252d83a57f67da616862e3b35
SHA512 ae13ec1ed7ae8b65a490b15fc6024e5051f5ef29c2f9f2daca5c616ab1924e6ed762077f2ecdd96ba2e817d1d6210fbf5d937b5b326ec2950dabbdd619ba6f8c

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 c01f69339fc0f3ef16f8ba3786a1e365
SHA1 52db3644a3dfcdff0732a3b743054b72c087283f
SHA256 67c037cce11ab150d0e447a3dfe1b502b85bd777e739c2ba4e0d23f79bc9c293
SHA512 4720c5e8cb2dc504e9780b178973a342cf805f4076254ecc08876ce609f1a8c36a4f436aae892514de42a0f4398f775f2be4629e583aceb387ac2d03dc87dcea

C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe

MD5 f715021bca8947192b494a037ddae36b
SHA1 d2a70a50a0258a7d471d3f8043808f962282fc7e
SHA256 3508971255c901dccbe8a461de9fa390add18675e44bfa55a2c792f62cf7db62
SHA512 ce3801a52248785a41d1db4c284b3c06f18d7753555659bbb36ac960d5cf4990c33d5981620090dbf07bd009951d0760b5c8e529ac64c973deade35d36c0d35f

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT

MD5 2fba0ef603d9b47f29bd69bc7d742bc3
SHA1 6ef6ce5db6e19c082e7795ea9638e58b22267da7
SHA256 04cd304865c4f2a5a1a40cc60cd8a4165af1a6e299c46486d933e9f4cf9b7652
SHA512 fca6b2dbc922351cbf78cd70b37364d8f333f078f34f7cfdc34dca108004f27c3dc9accb69c5fb1469cc9344622976656a7a5979966b1ca272787e46df2713e8

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip

MD5 f8fdd24daf1aa469ac0e32e9b1459ab6
SHA1 23dd9dd5b626c364a964cf583b045c8197b12d74
SHA256 e8f4204e1b3ceca11d1865e28201761c1b4017b30377ca4c1639c7ccac952949
SHA512 05843ad3518438b825c7864854e6a8f7a3538bfd76327b8fb652a073ad38df60051c1ab420e89d78b9b02a14f74a535f03b0f0340259c13c4aad200c60898aba

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 73d18262d494f3b4f7b279096b706022
SHA1 2858c5bd367f18a1936ec4fa00d2ea820af927ec
SHA256 1191f1207072a5af094b3cbf204b3575d6adf4695d0fdd6c71779a98e150cce8
SHA512 3b25da3326fa8fe1acebcb1a315e325f0525beae99114c8f672db5c736ebfd2131ced1beced6f9df71e2ce274ae66787e103c29eeb8f7ec285aab4302d1c748b

memory/2740-47-0x0000000000440000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip

MD5 9082560582b613a65120dcde6c3c4897
SHA1 e8d50dfc85abe2aa00a51d917f35487c25e711c4
SHA256 3e324d0ff36a51529101b45bb9102260292a6bbb6ffbf55d01fea881cc038704
SHA512 180c1025f16d0e227e432ed7bb3c52ca0bcecd5a8390e6d3af28a2425cc1e31801dbd6df377c2abcc982c3a06f15940a654bd6b488e8d595ee41de5a56e1ef2f

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 6e7f44d7e49dd8489800f51c52cf9b42
SHA1 ab014142cae263ec1ebcada6cd9386a99f7b34e2
SHA256 941b2a461e38971206e4cc7e9c08bae0641580aaecbb12a231e12feec2598566
SHA512 6bc1f37ac57c48bd5853dd55348f89ecf0178ae4e44cdb7a0c68ec1ea59165a24a7a241fd4d164c6d9dbba5b31e43937041902a137b6f2f441986c50054e0227

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 b899b8cbf798b772b21f4a66e70d7214
SHA1 5f0c1b1d3aaaffd77f5de7ec6e1ab7ad8dad4a8c
SHA256 921e44cc8144af642e3e420d66060a97c5b0d04f415783420f7c20d391c6ca09
SHA512 2b381a80fc7cc619ffeff8df38af61e95f23b6d09c3a461533c07556285a1dd1a88fecbb7be51416ec0fd83bdebd1c590fb6580ff3c9ef87cfbbb2e5653f2dd9

memory/2740-50-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

memory/2740-51-0x0000000004E20000-0x0000000004E5C000-memory.dmp

memory/2740-49-0x0000000005320000-0x0000000005938000-memory.dmp

memory/2740-48-0x0000000073230000-0x00000000739E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 a7d8c374a1af75b4ae33ec2d676b18ab
SHA1 c569b32fb85d97d75e49570a2bcd4c4b35257e0e
SHA256 31f81296189821e78508ba43aeec6fcc36a1e8de4e408a0178802780d293cb0d
SHA512 455e6501b0dfbda71bb627ddf8532f2fa664e52ad1796bc25a2aff78766eb327f98263e32538efaf1ae1d6add0ec30f1103ac4eb93da2faabb37c86e3d7dd5dc

memory/2740-53-0x0000000004E60000-0x0000000004EAC000-memory.dmp

memory/2740-52-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip

MD5 574207deb7e8e0c016fe25a825e9ed90
SHA1 c98fab2efd8a759da5e49e86644cc9ba21936d6f
SHA256 de78464ddca54d3695aa7010ed9d9972d899d76000fd4b4feaa30e756f30bdd7
SHA512 d99b762c86fd3d12fac0acb889462fe82ee9d4221b65d984a0c42fff05f14be0cbabfab7f2138eed477edd63f81e9541f386f637e767c86c7c049cfb4ff62bce

C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

MD5 a634e737a02bd2a753244cedd5c7e4c9
SHA1 4c62c69503559c20ced8e5e6c5b78e0db0489c47
SHA256 d9af7e478af877b40f6874c1c75d5738d92688f1fe94e267652b47f70a27665f
SHA512 74084f193187d3fda6f19857b8e366bb24d64e769fc3aa68d3d7c5630bdb2f061fceeaebd91b2a044b41d829539f6f3699e8e3ce462b40af99c9d3557fa1e06c

memory/2740-54-0x00000000050D0000-0x00000000051DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

MD5 14b6af849c769dca4b2767a278af1631
SHA1 0cc2c472f3e6ed2918ec5bfc9eaab2d47ba0222e
SHA256 d3a85adace40351dfbdae6be6562e0d5260356355c81663f7ce2955daa0bf24d
SHA512 e4e924e2454a849e914ce68b647193773cf7a7afa0e81b50af4c6b8b94faad065901fc33345e66aac59915e7f1b2bd4ea6161560b01d858811096a93cdd85019

memory/2740-55-0x0000000073230000-0x00000000739E0000-memory.dmp

memory/2740-56-0x0000000004EB0000-0x0000000004EC0000-memory.dmp